Re: Disable multiple computers logon
- From: "Richard Mueller" <rlmueller-NOSPAM@xxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 6 Jan 2006 13:40:57 -0600
Hi,
You are correct about users being able to modify the text file. In fact, for
years I used startup/logon/logoff/shutdown scripts to log activity. My logon
script appended username, computername, date/time, and IP address to a text
file. I used it for statistics like logons per day and per computer, and
which computers were used the most. Management wanted to use these logs to
flag inappropriate activity. I always cautioned that since the logon scripts
required me to give "Domain Users" read/write permission to the folder with
the text file, a malicious user could modify the logs. If we disciplined
someone, a smart lawyer could challenge us in court.
My network had many sites. To avoid writing to logs over the WAN, I had
separate logon scripts and text files for each site. In case it helps, a
sample VBScript logon script that logs username, computername, date, and IP
address is linked here:
http://www.rlmueller.net/Logon5.htm
The text file has one line per logon. The fields are separated by semicolons
so I can easily import into a spreadsheet. In your case, I assume the logoff
script removes the line added by the logon script, so it must search for the
computerName and delete the line. I tested and found I could never raise a
concurrency conflict no matter how many users appended lines to the same
text file at the same time. Still, I added logic to try 3 times if an error
was raised attempting to append the line. A script to delete a line may have
more problems with this. Or perhaps the scheme you found has a separate file
for each PC, in which case the logon script has to read every file, which
could take a while.
--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
"TomKing" <TomKing@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6DAF52FC-46FD-4DBF-8AC9-D113485B0D92@xxxxxxxxxxxxxxxx
>I found one from a Chinese website!!!
> http://www.5dmail.net/html/2003-11-10/20031110182503.htm
>
> Here is how he does it. You need to create one logon script and one logoff
> script. The logic is very simple. When a user logs on, put a record into a
> file. When another user logs on with this username, it will check the file.
> If there is already a user logged on as this user, the account will
> automatically log off.
>
> There is one problem with this way. Since the logon script has to have
> write permission for the file, you have to assign "everyone" modify
> permission to that folder. That means if a user finds the share path,
> he/she will be able to change the log file. I am thinking that creating
> subfolders under the share folder may solve this problem. But anyway, it's
> a good way to forbid users from using others' accounts.
> "Richard Mueller" wrote:
>
>> TomKing wrote:
>>
>> > I want to disable the service that allows a single username to log on to
>> > multiple computers at the same time. Is it possible to use a script to
>> > disable this function? My network is Win2003 servers+WinXP+Win2000.
>>
>> I don't believe there is any way to do this, unless you find a third
>> party tool. AD does not keep track of which computers a user has logged
>> into, or even if they are currently logged in.
>>
>> --
>> Richard
>> Microsoft MVP Scripting and ADSI
>> Hilltop Lab - http://www.rlmueller.net
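The logon-side logging described in the message above (one semicolon-separated line per logon, with up to three attempts if the append raises an error), as an added example. It is not the Logon5 script linked in the post; the share path, the retry delay and the field order are assumptions.

```vbscript
' Added example, not the script from the post. LOG_FILE is a constructed
' placeholder path; the retry delay and field order are assumptions.
' The logging user must be able to write to this file, which is why the
' entries cannot be treated as tamper-proof evidence.
Option Explicit

Const ForAppending = 8
Const MAX_TRIES = 3
Const LOG_FILE = "\\SERVER\LogonLogs\Site1.log"

Dim objNetwork, objFSO, strLine, intTry

Set objNetwork = CreateObject("WScript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' One line per logon: username;computername;date/time;IP address
strLine = objNetwork.UserName & ";" & objNetwork.ComputerName & ";" _
    & Now() & ";" & GetIPAddress()

' Try the append up to three times, then give up without blocking the logon.
For intTry = 1 To MAX_TRIES
    If AppendLine(LOG_FILE, strLine) Then Exit For
    WScript.Sleep 200 * intTry
Next

' Returns True if the line was written, False if any step raised an error.
Function AppendLine(strPath, strText)
    Dim objFile
    AppendLine = False
    On Error Resume Next
    Set objFile = objFSO.OpenTextFile(strPath, ForAppending, True)
    If Err.Number = 0 Then
        objFile.WriteLine strText
        If Err.Number = 0 Then AppendLine = True
        objFile.Close
    End If
    Err.Clear
    On Error GoTo 0
End Function

' Returns the first address of the first IP-enabled adapter, or "" on failure.
Function GetIPAddress()
    Dim objItem
    GetIPAddress = ""
    On Error Resume Next
    For Each objItem In GetObject("winmgmts:\\.\root\cimv2").ExecQuery( _
        "SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
        If Not IsNull(objItem.IPAddress) Then GetIPAddress = objItem.IPAddress(0)
        If GetIPAddress <> "" Then Exit For
    Next
    On Error GoTo 0
End Function
```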