LimitLogin is a Microsoft login management tool designed specifically for Windows Server 2003. It is powerful: its features include limiting user logons in the domain, displaying the logon information of any user in the domain, integrating with the Active Directory MMC for management and configuration, and generating login information in CSV and XML format. It is not very meaningful for ordinary users, but there is wide demand for it among business users such as banks, libraries, and ISPs.
Download and install
At present, Microsoft does not provide an official site for the tool. If you are interested, you can download it from http://download.microsoft.com/download/f/d/0/fd05def7-68a1-4f71-8546-25c359cc0842/Limitlogin.exe; the latest version is currently 1.0. The basic requirements for the software are Windows XP with .NET Framework 1.1, or Windows Server 2003. Microsoft recommends a Windows 2003 domain controller, and there must be at least one Windows 2003 domain controller.
The LimitLogin installation process is complex and is divided into the following steps:
1. Install LimitLogin Web Service
You need to choose the name of the Web service when you install it. The default is Wslimitlogin; if you change it, be sure to remember the new name, because it is used again in Active Directory setup. You can also customize the port number used to access the Web service.
2. Install LimitLogin Active Directory
After the LimitLogin Web service is running, continue with the LimitLogin Active Directory setup by running the downloaded Limitloginadsetup.msi. It offers three check boxes; if this is your first installation, select all of them.
(1) Prepare your Active Directory Forest for LimitLogin. This option performs the following actions: updates the configuration, adds the LimitLogin AD MMC control menu, and extends the forest schema with the LimitLogin classes and attributes.
Here you need schema administrator permissions. A dialog box then appears; click the OK button to confirm, and the system creates a detailed log in the /%windir%/system32/ and /program files/limitlogin/ directories. After this step is completed, you can start configuring the domain for LimitLogin.
(2) Prepare your Active Directory Domain for LimitLogin. This option does the following: creates and configures the files Llogin.vbs, Llogoff.vbs and limitlogin.wsdl, and creates an application directory partition for LimitLogin.
In the Domain Setup window shown in Figure 3, we need to provide the following three parameters: the Scripts Share folder name, the share that holds the scripts and the WSDL file (all authenticated users who run under LimitLogin must be able to access this share); the Server name, the name of the IIS machine running the LimitLogin Web service; and the name of the LimitLogin Web service. Now you know why you needed to remember it earlier!
As for the check box at the bottom of the window, which was originally configured for system installation, it is recommended to select it as well. Next, we need to create the LimitLogin application directory partition: a dialog box pops up, and in the drop-down list box you can select the domain controller on which to create the partition. After you successfully complete this step, you will see the final prompt of the domain setup.
(3) Install LimitLogin AD MMC add-in Tools on this machine. This option runs last and mainly copies files to the /%windir% directory; it is needed only on machines from which you will run LimitLogin through the Active Directory MMC. Later, when you want to run the LimitLogin AD MMC add-in tool, simply right-click a user, machine or OU/container and select "LimitLogin Tasks".
Note that you can run Limitloginadsetup.msi on any computer where you want to use the AD MMC integration feature, or you can run /program files/limitlogin/LimitLoginADSetup.exe with "/forestprep" and then "/domainprep" to carry out the forest and domain preparation in turn.
Manual Configuration and scripting
First, you need to copy the "/program files/limitlogin/scripts" folder to the shared folder specified in Domain Setup, such as \\Servername\share.
1. Steps to configure login and logoff scripts
(1) Open Active Directory Users and Computers.
(2) Right-click the domain object to open the Properties window, switch to the Group Policy tab, and then edit the Default Domain Policy.
(3) Select "User Configuration→Windows Settings→Scripts" in turn. In the logon script, add Llogin.vbs from the script share path, and in the logoff script, add Llogoff.vbs from the script share path.
2. Configure "Trust for delegation"
(1) Open Active Directory Users and Computers.
(2) Right-click the IIS server object in "Domain→Computers" and, once the Properties window is open, switch to the Delegation tab.
(3) Select "Trust this computer for delegation to specified services only" and "Use Kerberos only".
(4) Click the "Add" button, select the name of the DC (domain controller) computer to list its available services, and select the LDAP service for that computer.
Alternatively, you can trust all of the services by selecting the "Trust this computer for delegation to any service" option. That option is unconstrained delegation: it lets the IIS server act on behalf of its users toward any service, so the specified-services setting in step (3) is the narrower choice.
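To verify the result of the delegation steps above, the following added example (not part of the original article or of LimitLogin) classifies the IIS server's computer account from an LDIF-style export of its userAccountControl and msDS-AllowedToDelegateTo attributes. The host names, sample entries and function names are constructed for illustration, and the parser assumes unfolded, non-base64 LDIF lines.

```python
# Added example: classify a computer account's delegation mode from an
# LDIF-style export. All sample data is constructed, not from a real domain.
from collections import defaultdict

UF_TRUSTED_FOR_DELEGATION = 0x80000            # "delegation to any service"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

SAMPLE_CONSTRAINED = """
dn: CN=IIS01,CN=Computers,DC=example,DC=com
userAccountControl: 4096
msDS-AllowedToDelegateTo: ldap/dc01.example.com
msDS-AllowedToDelegateTo: ldap/DC01
"""
SAMPLE_ANY_SERVICE = """
dn: CN=IIS01,CN=Computers,DC=example,DC=com
userAccountControl: 528384
"""

def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into {lowercased attribute: [values]}."""
    attrs = defaultdict(list)
    for line in text.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            attrs[name.strip().lower()].append(value.strip())
    return attrs

def audit_delegation(attrs, dc_hosts):
    """Return (mode, findings); an empty findings list matches steps (3)-(4)."""
    uac = int(attrs["useraccountcontrol"][0])
    spns = attrs.get("msds-allowedtodelegateto", [])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained", ["trusted for delegation to any service"]
    if not spns:
        return "none", ["no delegation configured"]
    findings = []
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol transition enabled, not 'Use Kerberos only'")
    allowed = {h.lower() for h in dc_hosts}
    for spn in spns:
        service, _, rest = spn.partition("/")
        host = rest.split("/")[0].split(":")[0].lower()
        if service.lower() != "ldap" or host not in allowed:
            findings.append("unexpected delegation target: " + spn)
    return "constrained", findings
```

An empty findings list with mode "constrained" corresponds to the "specified services only" plus "Use Kerberos only" configuration limited to the LDAP service on the listed domain controllers.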
Setting up the LimitLogin client
In order to work with the LimitLogin service, we need to run Limitloginclientsetup.msi on each domain member machine to install the client. The client installation includes:
(1) SOAP Runtime (needed to connect to the Web service).
(2) WTSApiAx.dll (needed to collect the session ID before it is sent to the Web service).
(3) LLoginSessions.exe (optional, used to display the list of previously logged-on users when the limit is exceeded).
There are many ways to deploy the LimitLogin client installation package, such as SMS, login scripts, Group Policy, and so on; a simpler way is to run the client installation in silent mode. To do so, run LIMITLOGINCLIENTSETUP.MSI /QN at the command line. For the other options, refer to the page at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/command_line_options.asp, which is not covered further here.
Diagnostics and Maintenance
LimitLogin has a very important command-line program, LLogincmd.exe. This file is located in the local "/program files/limitlogin" directory and accepts the following parameters:
/diag or /d: Displays status information.
/report or /r: Generates a CSV file report of login information for the domain.
/update or /u: Collects, verifies, and compares user information on a domain to ensure it is always up to date.
/clearlogins or /c: Clears all login information from the database.