As an MCT I’m frequently asked for a way to let a user log on from only one computer at a time, without tying the user to a specific computer. For example, Olga may log on from a computer, but she will not be able to log on from a second computer at the same time.

 

There is a Microsoft solution for it, but it is very complicated. I found a solution using logon and logoff scripts and the logoff command, newcomers in Win2K+.

 

While we had logon scripts (configured from the Profile tab of a user) in the earlier OSs, with Win2K and up we can use logon scripts and logoff scripts in Group Policy Objects (GPOs) in AD. There is a limitation here. GPOs apply only to computers with the new OSs (Win2K, WinXP and Win2K3); these policies cannot be applied to Win9X or Windows NT machines. So my solution assumes that all the computers around use the new OSs (a good reason for an upgrade).

 

First, create and share a folder on the DC (you can also choose another machine that is always running). The share permission must be at least Everyone: Change (the users write and delete some files in there). Let the server be RAFETPC and the folder LOGONS (the share name of the folder is also LOGONS).

 

Second, go to the OU whose users you want to restrict to logon from a single computer. Create a GPO for this OU. Under User Configuration in the GPO, switch to the Windows Settings, Scripts section. There are two containers there: Logon and Logoff. Go to the Logon container, click the Browse button, and select the login.bat file. Then go to the Logoff container, click the Browse button, and select the logout.bat file. That’s all.

 

After this procedure, whenever a user in the specified OU logs on, two files are created in the folder on the DC. When the same user attempts to log on from another computer at the same time, he/she is immediately logged off. When the user logs off from the first computer, the two files are deleted, so the user can log on from another computer.

 

 

Listing 1: Login.bat

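rem A file named after the user means the user is already logged on somewhere.

if exist "\\rafetpc\logons\%username%.txt" goto notlogon

rem Record this logon under both the user name and the computer name.

echo %username% logged in from %computername% > "\\rafetpc\logons\%username%.txt"

echo %username% logged in from %computername% > "\\rafetpc\logons\%computername%.txt"

goto end

:notlogon

logoff

:end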

 

 

Listing 2: Logout.bat

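rem No file for this computer means login.bat did not record a logon here, so nothing is deleted.

if not exist "\\rafetpc\logons\%computername%.txt" goto notlogon

rem Remove both files so the user can log on from another computer.

del "\\rafetpc\logons\%username%.txt"

del "\\rafetpc\logons\%computername%.txt"

goto end

:notlogon

logoff

:end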
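
If a computer loses power or logout.bat never runs, the two files stay on the share and login.bat keeps logging that user off everywhere until someone deletes them. The PowerShell below is an added example, not part of the original listings: it reads the files in the format login.bat writes and reports pairs that are incomplete or old. The function name Find-StaleLogonLock, the 12-hour threshold, and the sample users and computers are assumptions.

```powershell
function Find-StaleLogonLock {
    param(
        [Parameter(Mandatory)][string]$Path,   # e.g. \\rafetpc\logons
        [int]$MaxAgeHours = 12,                # assumed threshold, adjust to your working day
        [datetime]$Now = (Get-Date)
    )
    # Each file holds one line: "<user> logged in from <computer>"
    $locks = foreach ($file in Get-ChildItem -Path $Path -Filter *.txt -File) {
        $line = Get-Content -LiteralPath $file.FullName -TotalCount 1
        if ($line -match '^(?<user>.+) logged in from (?<computer>\S+)\s*$') {
            [pscustomobject]@{
                File     = $file.Name
                BaseName = $file.BaseName
                User     = $Matches.user
                Computer = $Matches.computer
                AgeHours = [math]::Round(($Now - $file.LastWriteTime).TotalHours, 1)
            }
        }
    }
    foreach ($lock in $locks) {
        # login.bat writes a pair: <user>.txt and <computer>.txt
        $partner = if ($lock.BaseName -ieq $lock.User) { $lock.Computer } else { $lock.User }
        $reason = if (-not ($locks | Where-Object { $_.BaseName -ieq $partner })) {
            'missing partner file'
        } elseif ($lock.AgeHours -gt $MaxAgeHours) {
            "older than $MaxAgeHours h"
        }
        if ($reason) {
            [pscustomobject]@{
                File = $lock.File; User = $lock.User; Computer = $lock.Computer
                AgeHours = $lock.AgeHours; Reason = $reason
            }
        }
    }
}

# Constructed sample data in a temp folder standing in for \\rafetpc\logons
$demo = Join-Path ([IO.Path]::GetTempPath()) 'logons-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'olga logged in from PC01 ' | Set-Content (Join-Path $demo 'olga.txt')
'olga logged in from PC01 ' | Set-Content (Join-Path $demo 'PC01.txt')
'ivan logged in from PC02 ' | Set-Content (Join-Path $demo 'ivan.txt')   # PC02.txt deliberately missing
Find-StaleLogonLock -Path $demo | Format-Table
```

Run it against the real share from an account that can read it, and confirm the user is really logged off before deleting anything it reports.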