August 3, 2009

LimitLogin: Step By Step

Filed under: Active Directory,Group Policy — Rahul Patel @ 8:30 pm

LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain.
It can also keep track of all logins information in Active Directory domains.

LimitLogin capabilities include:

· Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.

· Displaying the logins information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).

· Easy management and configuration by integrating to the Active Directory MMC snap-ins.

· Ability to delete and log off user session remotely straight from the Active Directory Users and Computers MMC snap-in.

· Generating Login information reports in CSV (Excel) and XML formats.

LimitLogin grants System Administrators, Help Desk staff or any other IT-related personnel the ability to quickly query for any user logged on to the domain and view the machines they’re currently logged on to, while enabling the above list of features and management tasks to be performed on those user sessions.

Download the LimitLogin:http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe



1) IIS must be installed along with ASP.NET – This does not have to be on DC

2) Make sure the following Web Extension are set to Allowed in IIS Services:

ASP.NET v1.1.4322

3) Install “LimitLoginIISSetup.msi” on the IIS server

NOTE: SSL can be used but it should be configured before proceeding with second phase of install. However, the configuration can be modified latter to use SSL. Just edit the 3 HTTP entries at the bottom of the “LimitLogin.wsdl file” to use HTTPS instead

4) Add WSLimitLogin.asmx to the top of list in the Documents tab of the website.

NOTE: If you did not install IIS on a DC then you will have to configure the IIS Server to be “Trusted for Delegation”. See the section titled, “Manually configuring ‘Trust for Delegation’ in the “LimitLogin Active Directory Setup” portion of the LimitLogin.chm help file for directions on configuring this.

5) Verify “Integrated Windows Authentication” is set on the “Directory Security” tab of the website under “Authentication and Access Control”.

NOTE: Web site must Integrated authentication not anonymous.

6) Attempt to connect to http:///WSLimitLogin.

NOTE: Reinstall SP1 if IIS returns “Service unavailable” and generates DCOM and W3SVC errors in the System log

7) Create a hidden share on a server that will eventually house the llogon.vbs and llogoff.vbs scripts and make sure authenticated users has Read access to the NTFS and Share permissions.

NOTE: You can placed these files in Netlogon if you want to distribute the load amongst all DCs in the domain.



1) Logon to a Windows XP machine or a DC with Schema and Enterprise Admin rights and Install “LimitLoginADSetup.msi”

2) You will be presented with three boxes in the Setup Options:

Prepare your Active Directory Forest for LimitLogin
Prepare your Active Directory Domain for LimitLogin
Install LimitLogin AD MMC add-in tools on this machine

3) If you are going to run setup in phases extending the schema with the LimitLogin Classes and Attributes must be done first.

4) The scripts will be configured using the data you enter here:

– UNC path of the file share where the login scripts will go (\\domainname\Netlogon)
– Host name of the Web server
– Web Service Name (Default is WSLimitLogin)
* Optional SSL checkbox

5) You will be prompted to enter the host name of a Windows Server 2003 DC that will host the application partition that is dynamically created.

NOTE: Replicas of this application partition should be configured to avoid an outage if the one DC is offline.

6) The LimitLogin version of Active Directory Users and Computers MMC Snap-in will be installed.

7) You will get a pop-up telling you to copy the llogin.vbs, llogoff.vbs and limitlogin.wsdl files to your share. Copy the files at this time.


1) Client machines must have .NET Framework version 1.1.4322 or higher to install the client.

2) At this time Windows Firewall must be completely Disabled to have the logoff feature function.

3) Configure a Computer GPO that installs the “LimitLoginClientSetup.msi” client application to all targeted workstations.

NOTE: Directions on how to configure this are located in the LimitLogin.chm help file under the section titled, “Setting up clients for LimitLogin”.

FYI: In Step 8 of the help file you are directed to check the “Install Application at logon” option but this feature is not available. I left mine set as Assign and did not check “Install Application at logon” and installation worked fine. If you want to make use of the “Install Application at logon” feature you must click the “Assign” radio button (even though it is already selected) and the check box for “Install Application at Logon” will appear.

4) Configure a User policy that applies to all monitored users in a top-level OU. The Logon and Logoff scripts will point to the UNC of the llogon.vbs and llogoff.vbs respectively.

5) Import the “Limit Logon Computer Logoff Options.adm” file to the User GPO where the scripts are defined. An empty “LimitLogon Remote Logoff Options” node will appear.

NOTE: This ADM file is located in the same install folder where the scripts were created. Just copy this to %systemroot%\inf and edit the GPO.

6) To make the settings configurable in the GPO click View > Filtering and UNCHECK “Only show policy settings that can be fully managed”

7) See if this user’s logon script GPO has to be applied to computers as well as users by linking just to the OU where the users are and not computers.

Enable – “Logoff sessions remotely” and check the option “Attempt to remotely logoff the selected sessions”
Enable – “Prompt and confirm every remote session logoff” and check the option “Prompt and confirm every selected session before attempting Remote Logoff”
Enable – “Wait for remote logoff attempts to complete and report status” and check the option “Wait for remote logoff attempts to complete and report status”

8 ) On the OU where the users are going to be managed, right-click and select LimitLogin Tasks…. Click Configure and set the limit to 100 (the highest that will apply) or limit the user to a smaller number of logons if you wish. This must be done to activate the Remote Logoff functionality.


Blog at WordPress.com.