RahulPatel–twikies…

August 3, 2009

LimitLogin: Step By Step

Filed under: Active Directory,Group Policy — Rahul Patel @ 8:30 pm

LimitLogin is an application that adds the ability to limit concurrent user logins in an Active Directory domain.
It can also keep track of all login information in Active Directory domains.

LimitLogin capabilities include:

· Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.

· Displaying the login information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).

· Easy management and configuration by integrating with the Active Directory MMC snap-ins.

· Ability to delete and log off user sessions remotely, straight from the Active Directory Users and Computers MMC snap-in.

· Generating Login information reports in CSV (Excel) and XML formats.

LimitLogin grants System Administrators, Help Desk staff or any other IT-related personnel the ability to quickly query for any user logged on to the domain and view the machines they’re currently logged on to, while enabling the above list of features and management tasks to be performed on those user sessions.

Download LimitLogin: http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/limitlogin.exe

Configuration:

PHASE 1:
=======

1) IIS must be installed along with ASP.NET – This does not have to be on a DC

2) Make sure the following Web Extension is set to Allowed in IIS Services:

ASP.NET v1.1.4322

3) Install “LimitLoginIISSetup.msi” on the IIS server

NOTE: SSL can be used, but it should be configured before proceeding with the second phase of the install. However, the configuration can be modified later to use SSL: just edit the 3 HTTP entries at the bottom of the “LimitLogin.wsdl” file to use HTTPS instead.

4) Add WSLimitLogin.asmx to the top of the list in the Documents tab of the website.

NOTE: If you did not install IIS on a DC then you will have to configure the IIS Server to be “Trusted for Delegation”. See the section titled “Manually configuring ‘Trust for Delegation’” in the “LimitLogin Active Directory Setup” portion of the LimitLogin.chm help file for directions on configuring this.

5) Verify “Integrated Windows Authentication” is set on the “Directory Security” tab of the website under “Authentication and Access Control”.

NOTE: The web site must use Integrated authentication, not anonymous.

6) Attempt to connect to http://<IIS server host name>/WSLimitLogin.

NOTE: Reinstall SP1 if IIS returns “Service unavailable” and generates DCOM and W3SVC errors in the System log.

7) Create a hidden share on a server that will eventually house the llogon.vbs and llogoff.vbs scripts and make sure Authenticated Users have Read access in both the NTFS and Share permissions.

NOTE: You can place these files in Netlogon if you want to distribute the load amongst all DCs in the domain.
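
A way to verify steps 5 and 6 from a workstation, as an added example that is not part of the original post or of LimitLogin: one request without credentials should be rejected with a 401 that offers only Negotiate/NTLM. The host name and the sample responses are constructed placeholders.

```python
import urllib.error
import urllib.request

INTEGRATED = {"negotiate", "ntlm"}  # schemes IIS offers for Integrated Windows Authentication

def anonymous_probe(url, timeout=5):
    """Request url with no credentials; return (status, WWW-Authenticate values)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    except urllib.error.HTTPError as err:  # 401 and 503 responses arrive here
        return err.code, err.headers.get_all("WWW-Authenticate") or []

def assess(status, challenges):
    """Judge the anonymous response against steps 5 and 6 of Phase 1."""
    schemes = {c.split()[0].lower() for c in challenges if c.strip()}
    if status == 200:
        return "FAIL: anonymous access is enabled"
    if status == 503:
        return "CHECK: Service unavailable, see the NOTE under step 6"
    if status != 401:
        return f"CHECK: unexpected status {status}"
    if not schemes & INTEGRATED:
        return "FAIL: no Negotiate/NTLM challenge offered"
    extra = sorted(schemes - INTEGRATED)
    if extra:
        return "WARN: additional schemes enabled: " + ", ".join(extra)
    return "OK: Integrated Windows Authentication only"

# Constructed responses (status, WWW-Authenticate headers), not captured traffic.
SAMPLES = {
    "integrated only": (401, ["Negotiate", "NTLM"]),
    "anonymous on": (200, []),
    "basic also on": (401, ["Negotiate", "NTLM", 'Basic realm="iis01"']),
    "service unavailable": (503, []),
}

if __name__ == "__main__":
    for name, (status, challenges) in SAMPLES.items():
        print(f"{name:20} -> {assess(status, challenges)}")
    # Against a real server (placeholder host name):
    # print(assess(*anonymous_probe("http://iis01.example.local/WSLimitLogin/WSLimitLogin.asmx")))
```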

PHASE 2:
=======

1) Log on to a Windows XP machine or a DC with Schema and Enterprise Admin rights and install “LimitLoginADSetup.msi”

2) You will be presented with three boxes in the Setup Options:

Prepare your Active Directory Forest for LimitLogin
Prepare your Active Directory Domain for LimitLogin
Install LimitLogin AD MMC add-in tools on this machine

3) If you are going to run setup in phases, extending the schema with the LimitLogin Classes and Attributes must be done first.

4) The scripts will be configured using the data you enter here:

– UNC path of the file share where the login scripts will go (\\domainname\Netlogon)
– Host name of the Web server
– Web Service Name (Default is WSLimitLogin)
* Optional SSL checkbox

5) You will be prompted to enter the host name of a Windows Server 2003 DC that will host the application partition that is dynamically created.

NOTE: Replicas of this application partition should be configured to avoid an outage if the one DC is offline.

6) The LimitLogin version of Active Directory Users and Computers MMC Snap-in will be installed.

7) You will get a pop-up telling you to copy the llogin.vbs, llogoff.vbs and limitlogin.wsdl files to your share. Copy the files at this time.
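
For the SSL NOTE in Phase 1 and the limitlogin.wsdl file copied in step 7, an added example (not from the original post or from LimitLogin) that switches only the endpoint address entries to HTTPS. A blanket replace of http:// would also rewrite the XML namespace URIs and break the file. The WSDL excerpt and host name below are constructed, and the assumption is that the three HTTP entries are address `location` attributes as in a typical ASMX-generated WSDL.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not the real LimitLogin.wsdl; host name is a placeholder.
SAMPLE_WSDL = '''<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:http="http://schemas.xmlsoap.org/wsdl/http/"
             xmlns:s0="http://tempuri.org/"
             xmlns="http://schemas.xmlsoap.org/wsdl/">
  <service name="WSLimitLogin">
    <port name="WSLimitLoginSoap" binding="s0:WSLimitLoginSoap">
      <soap:address location="http://iis01.example.local/WSLimitLogin/WSLimitLogin.asmx" />
    </port>
    <port name="WSLimitLoginHttpGet" binding="s0:WSLimitLoginHttpGet">
      <http:address location="http://iis01.example.local/WSLimitLogin/WSLimitLogin.asmx" />
    </port>
    <port name="WSLimitLoginHttpPost" binding="s0:WSLimitLoginHttpPost">
      <http:address location="http://iis01.example.local/WSLimitLogin/WSLimitLogin.asmx" />
    </port>
  </service>
</definitions>
'''

# Match only the location attribute of <prefix:address ...> elements, so the
# http:// namespace URIs in the xmlns declarations are left untouched.
ADDRESS_RE = re.compile(r'(<(?:\w+:)?address\b[^>]*?\blocation=")http://', re.IGNORECASE)
LEFTOVER_RE = re.compile(r'<(?:\w+:)?address\b[^>]*?\blocation="(http://[^"]*)"', re.IGNORECASE)

def endpoints_to_https(wsdl_text):
    """Return (new_text, count) with address locations switched to https."""
    return ADDRESS_RE.subn(r'\1https://', wsdl_text)

def remaining_http_endpoints(wsdl_text):
    """List address locations that still use plain http."""
    return LEFTOVER_RE.findall(wsdl_text)

def is_well_formed(wsdl_text):
    """Confirm the edited file still parses as XML before copying it to the share."""
    try:
        ET.fromstring(wsdl_text)
        return True
    except ET.ParseError:
        return False

if __name__ == "__main__":
    updated, changed = endpoints_to_https(SAMPLE_WSDL)
    print(f"rewrote {changed} endpoint(s); still http: {remaining_http_endpoints(updated)}")
    print("well-formed:", is_well_formed(updated))
```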

PHASE 3:
=======

1) Client machines must have .NET Framework version 1.1.4322 or higher to install the client.

2) At this time Windows Firewall must be completely disabled for the logoff feature to function.

3) Configure a Computer GPO that installs the “LimitLoginClientSetup.msi” client application to all targeted workstations.

NOTE: Directions on how to configure this are located in the LimitLogin.chm help file under the section titled, “Setting up clients for LimitLogin”.

FYI: In Step 8 of the help file you are directed to check the “Install Application at logon” option but this feature is not available. I left mine set as Assign and did not check “Install Application at logon” and installation worked fine. If you want to make use of the “Install Application at logon” feature you must click the “Assign” radio button (even though it is already selected) and the check box for “Install Application at Logon” will appear.

4) Configure a User policy that applies to all monitored users in a top-level OU. The Logon and Logoff scripts will point to the UNC of the llogon.vbs and llogoff.vbs respectively.

5) Import the “Limit Logon Computer Logoff Options.adm” file to the User GPO where the scripts are defined. An empty “LimitLogon Remote Logoff Options” node will appear.

NOTE: This ADM file is located in the same install folder where the scripts were created. Just copy this to %systemroot%\inf and edit the GPO.

6) To make the settings configurable in the GPO, click View > Filtering and UNCHECK “Only show policy settings that can be fully managed”.

7) See whether this user logon script GPO has to be applied to computers as well as users by linking it just to the OU where the users are and not the one where the computers are.

Enable – “Logoff sessions remotely” and check the option “Attempt to remotely logoff the selected sessions”
Enable – “Prompt and confirm every remote session logoff” and check the option “Prompt and confirm every selected session before attempting Remote Logoff”
Enable – “Wait for remote logoff attempts to complete and report status” and check the option “Wait for remote logoff attempts to complete and report status”

8) On the OU where the users are going to be managed, right-click and select LimitLogin Tasks…. Click Configure and set the limit to 100 (the highest that will apply) or limit the user to a smaller number of logons if you wish. This must be done to activate the Remote Logoff functionality.


11 Comments »

  1. And after all this we have problem with SOAP…

    Look in Event Viewer. Here are 4 errors:

    Soap error:Unspecified error
    Soap error: Sending the Soap message failed no recognizable response was
    received.

    Soap error: Unanticipated error during processing of this request

    Soap error: No matching authorizations scheme enable on connector.

    Comment by Vladimir — September 2, 2009 @ 1:26 am | Reply

  2. I’m getting the following error after entering
    -the share for vbs file
    -iis server name

    Then I get an error message:

    “The remote server returned an error: (401) Unauthorized”

    anybody there solved this???

    Comment by bicky — November 4, 2009 @ 7:38 pm | Reply

  3. Please help

    It seems everything is fine regarding installation and configuration of LimitLogin in our domain. But when we check user properties on which we have configured no of login for the user, we are getting the following error (event id 8812) in the event viewer of the server where we have installed LimitLogin. LogoffSession: got exception while trying to login user: ‘abc’ from computer:

    Please help if you have sorted out this problem

    Comment by Anshul Sharma — April 12, 2010 @ 1:38 pm | Reply

    • Anshul,

      Have you found a solution to this problem? I am experiencing the same issue after setting up LimitLogin.

      Thanks

      Paul

      Comment by Paul — June 1, 2010 @ 10:11 pm | Reply

  4. Hi,
    I can’t get any information from the client because when the client opens his session I got a SOAP error and something about wsdl (by the way I can’t find limitlogin.wsdl)
    anyone can help me a little bit?

    Thanks

    Comment by Richard — May 18, 2010 @ 10:37 pm | Reply

  5. […] LimitLogin: Step By Step August 20095 comments 3 […]

    Pingback by 2010 in review « RahulPatel–twikies… — January 2, 2011 @ 2:20 pm | Reply

  6. Excellent post. I was checking continuously this blog and I am impressed!
    Extremely helpful information particularly the ultimate part 🙂 I
    deal with such information much. I was looking for this particular information for a long time.
    Thanks and best of luck.

    Comment by jaxov — July 1, 2013 @ 11:40 pm | Reply

  7. My partner and I stumbled over here by a different web page and thought I should check things out.

    I like what I see so I am just following you. Look forward
    to finding out about your web page repeatedly.

    Comment by Cairns Facebook Page — July 16, 2013 @ 11:36 am | Reply

  8. […] LimitLogin: Step By Step […]

    Pingback by Limitare le sessioni utenti concorrenti | DevAdmin — January 18, 2014 @ 12:52 am | Reply

  9. […] LimitLogin: Step By Step […]

    Pingback by Limitare le sessioni utenti concorrenti | DevAdmin Blog — January 29, 2014 @ 1:04 am | Reply

  10. Wow that was strange. I just wrote an extremely long comment but after I clicked submit my comment
    didn’t appear. Grrrr… well I’m not writing all that over again.
    Anyway, just wanted to say wonderful blog!

    Comment by reallifecam 2013 — May 30, 2014 @ 4:37 pm | Reply

