Windows Domain Questions

coldfireuk · Jan 4, 2005, 10:19 AM

Hey guys, I've just finished setting up a domain at work but there are just two things that are driving me potty!

1)I can't find the option anywhere to stop multiple-logins under the same account name, at the same time, on different machines. I want it so a single user can only be logged into one machine at a time.

2)Is there a way that i can stop profiles being copied over locally at the beginning of a session, and then being copied back at the end of that session.? I'd rather have the profiles updated constantly whilst users are logged in to ensure data is as up-to-date as it can be.

Any ideas or suggestions would be greatly appreciated.

Thanks again,

Chris

PangingJr · Jan 4, 2005, 12:59 PM

don't have any direct answer to your queries ATM,
but for no.2 you can use a roaming profiles..

Quote:

Microsoft Windows XP: An Overview of Policies and Profiles
http://support.microsoft.com/?scid=h...Fwct012803.asp
A roaming user profile is a profile that is stored on a network server, so that it's available when a user logs on to any computer on the network. A local copy is created when the user logs on, and any changes are copied back to the server when the user logs off. This allows users to see the same desktop configuration when they log on to multiple computers.

MiDKnYtE · Jan 4, 2005, 05:45 PM

you didn't say which OS you are using. NT, 2000 or 2003? Guessing either 2000 or 2003.

1) As far as I can tell, there is no policy that i see to prevent multiple account logins. I looked in both 2000 and 2003 GP. you might need to implement a key card, dongle key or biometrics for that.

2) profiles are only update at login and logoff. I believe that is by design. otherwise, you would be adding a lot of traffic and congesting the network.

HsuGotaQ · Jan 13, 2005, 02:50 AM

1. There is a registry key that forces single account logon and there should be one available in the Group Policy editor, but I'm not sure if it's because of an extra ADM file added to the list (search the Windows 2003 RDK and Admin Tool kits for ADM files to be imported to the group policy). Here's a solution that I used for a terminal server at work (a batch file launched during login). There is an alternative to 'qappsrv' that will display workstations, but once again my memory is not working tonight so you'll have to find it out. Here's the forced logon script (use the GPO that will make the interruption of logon scripts impossible) :

Code:

   SetLocal
   Set LoginNum=0
   Set LoginCount=0
   Set SessNum=-1
   For /f "skip=2 delims=* " %%i in ('qappsrv *') do call :Next %%i
   
   Rem LoginNum will be less than or equal to 1 if the user is only logged in once.
   Rem This is good, and the script will then terminate
   If %LoginNum% LEQ 1 (EndLocal) && (Goto EoF)
   
   Rem LoginNum will be equal or greater than 2 if the user is logged in already
   
   Rem The user is logged in more than once...so find the session number of the other session
   For /f "skip=1 tokens=3" %%i in ('qwinsta %UserName% ^| find /v ">"') Do set SessNum=%%i
   
   Rem This should never happen, unless the person is on a different server...
   If %SessNum% EQU -1 (Call :Error 1) && (Goto EoF)
   
   Rem Check what OS we are running:
   Rem Windows 2000/2003 or NT?
   If Exist %SystemRoot%\System32\TSCon.exe (TSCon.exe %SessNum%) Else (Connect.exe %SessNum%)
   If %ERRORLEVEL% NEQ 0 (Call :Error 2) && (Goto EoF)
   EndLocal
   Logoff.exe
   Goto EoF
   
   :Error
   Rem This is bad, so warn the user, then log them off
 Msg %WinStationName% /W You are logged on at another server. You need to log out of there before you can log in again. (Error Code: %1)
   Logoff.exe
   EndLocal
   Goto EoF
   
   :Next
   Rem Checking the servers to see where the user is and update the count...
   For /f %%j in ('qwinsta /server:%1 ^| find /c /i " %UserName% "') do Set /A LoginNum=%LoginNum%+%%j
   Goto EoF
   
   :EoF

2. MiDKnYtE is right about the synchronization of the profile. What I am wondering however is this, are your user configured with roaming or local accounts?

Check in the Domain group policy (run gpedit.msc) and look under Computer Configuration --> Administrative Templates --> System --> User Profiles

Good luck

coldfireuk · Jan 13, 2005, 06:17 PM

hey guys, sorry for the lack of replies! been swamped at work the last 2 weeks!!

firstly, the accounts I have setup are roaming accounts. all profiles are stored on the server. These are synchronized each time a user logs on or off... if he or she has a lot of files then this process can take a VERY long time!!! I'll check over the GPO again tomorrow, but I'm pretty damn sure i turned off offline files etc, and sychronization of everything

Thanks for the logon script HsuGotaQ, I'm going to put it to use tomorrow when I get in.

Any other advice guys is most appreciated!!! Thanks for all your help so far!

CF

md5 · Jan 14, 2005, 08:30 AM

For your first question, read here:
http://www.giac.org/practical/GSEC/Gene_Burton_GSEC.pdf

For your second... you could try and keep the users' profiles in a shared folder, where they will be constantly updated. However, as MiDKnYtE said, this will create extra unnecessary traffic

Jan 4, 2005, 10:19 AM	#1
coldfireuk DriverHeaven Junior Member Join Date: Nov 2003 Posts: 63 Rep Power: 0	Windows Domain Questions Hey guys, I've just finished setting up a domain at work but there are just two things that are driving me potty! 1)I can't find the option anywhere to stop multiple-logins under the same account name, at the same time, on different machines. I want it so a single user can only be logged into one machine at a time. 2)Is there a way that i can stop profiles being copied over locally at the beginning of a session, and then being copied back at the end of that session.? I'd rather have the profiles updated constantly whilst users are logged in to ensure data is as up-to-date as it can be. Any ideas or suggestions would be greatly appreciated. Thanks again, Chris

Jan 4, 2005, 05:45 PM	#3
MiDKnYtE Caffeine Machine Join Date: Oct 2004 Location: Hell is empty. All the devils are here. Posts: 670 Rep Power: 0	you didn't say which OS you are using. NT, 2000 or 2003? Guessing either 2000 or 2003. 1) As far as I can tell, there is no policy that i see to prevent multiple account logins. I looked in both 2000 and 2003 GP. you might need to implement a key card, dongle key or biometrics for that. 2) profiles are only update at login and logoff. I believe that is by design. otherwise, you would be adding a lot of traffic and congesting the network.

Jan 13, 2005, 06:17 PM	Thread Starter #5
coldfireuk DriverHeaven Junior Member Join Date: Nov 2003 Posts: 63 Rep Power: 0	hey guys, sorry for the lack of replies! been swamped at work the last 2 weeks!! firstly, the accounts I have setup are roaming accounts. all profiles are stored on the server. These are synchronized each time a user logs on or off... if he or she has a lot of files then this process can take a VERY long time!!! I'll check over the GPO again tomorrow, but I'm pretty damn sure i turned off offline files etc, and sychronization of everything Thanks for the logon script HsuGotaQ, I'm going to put it to use tomorrow when I get in. Any other advice guys is most appreciated!!! Thanks for all your help so far! CF

Jan 14, 2005, 08:30 AM	#6
md5 DriverHeaven Senior Member Join Date: Dec 2004 Location: Inside DriverHeaven Posts: 856 Rep Power: 0	For your first question, read here: http://www.giac.org/practical/GSEC/Gene_Burton_GSEC.pdf For your second... you could try and keep the users' profiles in a shared folder, where they will be constantly updated. However, as MiDKnYtE said, this will create extra unnecessary traffic