Limitlogin is a logon management tool that Microsoft built for Windows Server 2003. Its functions include limiting the number of user logins in the domain, displaying the login information of any user in the domain by category, integrating with the Active Directory MMC (AD MMC) for management and configuration, and generating login information in CSV and XML formats. These functions are of little significance to ordinary users, but they are in wide demand among commercial users such as banks, libraries, and ISPs.
Download and install
Currently, Microsoft has not provided official sites. If you are interested, you can. The software requires at least Windows XP with .NET Framework 1.1, or Windows Server 2003. Microsoft recommends Windows 2003 domain controllers, with at least one Windows 2003 domain controller in the domain.
The installation process of limitlogin is complex and involves the following steps:
1. Install limitlogin Web Service
You need to set the Web service name during installation. The default value is wslimitlogin. If you change the name, remember it, because it will be used in the Active Directory setup. You can also customize the port number used to access the Web service.
2. Install limitlogin Active Directory
After the limitlogin web service starts running, continue with the Active Directory setup of limitlogin by running the downloaded limitloginadsetup.msi. As shown in figure 2, there are three check boxes. If this is your first installation, select all of them.
(1) Prepare your Active Directory forest for limitlogin. This option will perform the following operations: update the configuration, add the limitlogin ad MMC control menu, and extend the forest schema, including the limitlogin class and attributes.
This step requires schema administrator permissions. A dialog box will appear; click "OK" to confirm. The system creates detailed logs under the %WINDIR%\system32\ and \Program Files\limitlogin\ directories. After completing this step, you can start to configure the domain for limitlogin.
(2) Prepare your Active Directory domain for limitlogin. This option will perform the following operations: create and configure llogin.vbs, llogoff.vbs, limitlogin.wsdl, and other files; create an application directory partition for limitlogin.
In the "Domain setup" window shown in figure 3, we need to provide the following three parameters: the scripts share folder name (the scripts and WSDL files are saved in this share, and all authenticated users who will run under limitlogin must be able to access it), the IIS server name (the name of the IIS machine running the limitlogin Web Service), and the name of the limitlogin web service. Now you know the reason you needed to remember it!
As for the check box at the bottom of the window, it was originally configured for system installation. It is recommended to select it as needed. Next, we need to create the limitlogin application directory partition. A dialog box is displayed, in which you can select the domain controller that will host the limitlogin application directory partition from the drop-down list box. After this step completes successfully, a prompt reports that domain setup has been installed.
(3) Install limitlogin AD MMC add-in tools on this machine. This option runs last and mainly copies some files to the %WINDIR% directory. Here you can only run limitlogin from the Active Directory MMC. In the future, if you want to run the limitlogin AD MMC add-in tool, simply right-click a user, machine, or OU/container and select "limitlogin tasks".
You can run limitloginadsetup.msi on the computer on which you want to use the AD MMC integration function. Alternatively, you can run "\Program Files\limitlogin\limitloginadsetup.exe" with "/forestprep" and then "/domainprep", in that order.
Manual configuration and script
First, copy the "\Program Files\limitlogin\scripts" folder to the shared folder specified in the "Domain setup" step, for example, \\servername\share.
1. Configure the login and logoff scripts
(1) Open Active Directory Users and Computers.
(2) Right-click the domain object to open the Properties window, switch to the Group Policy tab, and edit the default domain policy.
(3) Select "User Configuration > Windows Settings > Scripts". In the logon script, add llogin.vbs from the script share path; in the logoff script, add llogoff.vbs from the script share path.
2. Configure "Trust for delegation"
(1) Open Active Directory Users and Computers.
(2) Go to "Domain > Computers" and right-click the IIS server object. Open the Properties window and switch to the "Delegation" tab.
(3) Select "Trust this computer for delegation to specified services only" and "Use Kerberos only".
(4) Click the "Add" button and select the name of the DC (domain controller) computer to list available services. We need to select the LDAP service for the computer in the domain.
Alternatively, you can select the "Trust this computer for delegation to any service" option to trust all services. That option is unconstrained delegation, which lets the IIS server act on behalf of its users toward any service in the domain, so the LDAP-only setting in steps (3) and (4) is the least-privilege choice.
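To check which of the two delegation choices above actually ended up on the IIS server's computer account, the following added example (not part of limitlogin or of the original article) classifies the account from its userAccountControl and msDS-AllowedToDelegateTo attributes. The host names and attribute values are constructed samples, and the function name is hypothetical.

```python
# Added example: classify the delegation setting of a computer account from
# its LDAP attributes. Sample records are constructed, not real exports.

# userAccountControl bits (documented Active Directory values)
WORKSTATION_TRUST_ACCOUNT = 0x00001000       # set on member computers
TRUSTED_FOR_DELEGATION = 0x00080000          # "delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "use any authentication protocol"


def classify_delegation(uac, allowed_to_delegate_to, expected_service="ldap"):
    """Return (mode, findings) for one computer object.

    uac                    -- integer userAccountControl value
    allowed_to_delegate_to -- list of SPNs from msDS-AllowedToDelegateTo
    expected_service       -- service class the article says to select (LDAP)
    """
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained: server may delegate to any service")
        return "unconstrained", findings
    if not allowed_to_delegate_to:
        return "none", ["no delegation configured"]
    mode = "constrained-kerberos-only"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        mode = "constrained-any-protocol"
        findings.append("protocol transition enabled, article asks for Kerberos only")
    for spn in allowed_to_delegate_to:
        service_class = spn.split("/", 1)[0].lower()
        if service_class != expected_service:
            findings.append("unexpected delegation target: " + spn)
    return mode, findings


# Constructed sample values (hypothetical host names).
SAMPLES = {
    "iis-as-described": (WORKSTATION_TRUST_ACCOUNT, ["ldap/dc01.example.test"]),
    "iis-any-service": (WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION, []),
    "iis-extra-target": (
        WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
        ["ldap/dc01.example.test", "cifs/files01.example.test"],
    ),
}

if __name__ == "__main__":
    for name, (uac, spns) in SAMPLES.items():
        print(name, classify_delegation(uac, spns))
```

Only the first sample matches the configuration in steps (3) and (4); the other two return findings that should be reviewed.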
Set the limitlogin Client
To work with the limitlogin service, we need to run limitloginclientsetup.msi on each domain member machine to install the client. The client installation includes:
(1) SOAP runtime (needed to connect to the Web service).
(2) wtsapiax.dll (collects the session ID before it is sent to the Web Service).
(3) lloginsessions.exe (optional, used to display the list of previously logged-on users when the quota is exceeded).
There are many ways to deploy the limitlogin client installation package, such as using SMS, login scripts, and group policies. A simple method is to run the client installation in silent mode with the command line "limitloginclientsetup.msi /qn"; for other options, refer to http://msdn.microsoft.com/library/default.asp?Url=/library/en-US/Msi/Setup/command_line_options.asp.
Diagnosis and Maintenance
Limitlogin has a very important command-line program: llogincmd.exe. This file can be found in the local "\Program Files\limitlogin" directory and accepts the following parameters:
/Diag or /D: displays the status information.
/Report or /R: generates a CSV file of logon information for the domain.
/Update or /u: collects, checks, and compares user information in the domain to ensure that the user information is always up-to-date.
/clearlogins or /C: clears all logon information from the database.