Restrict scripts for repeated logon of accounts in the domain on different computers

Source: Internet
Author: User

In a Microsoft AD domain, any user account can log on from different clients, and the same account can even be logged on to several computers at the same time. The "Log On To" account restriction provided by AD only controls which computer or computers an account may log on to; it cannot stop every account in the domain from being logged on more than once.

Unless the administrator patiently sets the logon workstations for every account, and those workstations never change, that restriction does not help. So how can we ensure that each account is logged on to only one computer at a time, without limiting which computer that is?
Microsoft has a tool called LimitLogin, but it needs at least one server acting as a web server, the AD schema must be extended, and an application partition must be created (which slows down recovery). The client needs .NET 1.1 and a client component for SOAP communication with the web server. Most companies find these conditions hard to accept. There is also a third-party product, UserLock, which is very capable but commercial.
The basic idea for implementing this function with scripts is as follows:
1. When a user logs on, look up all logon records for that account in the database. If no record is found, allow the logon and record the account, the client computer and the time.
2. When someone else logs on with the same account, the same check is performed. Because a logon record now exists, the current logon is a duplicate and is refused.
3. When the user logs off or shuts down, a logoff script deletes the logon record from the database, ready for the next logon.
4. If the record is not deleted at logoff or shutdown (network problems, abnormal client shutdown), the next logon would be affected. Therefore, during the logon check, if the current account and client match the record in the database, the same account is logging on to the same computer again: the logon is still allowed and only the logon time in the database is updated.
The first implementation used a text file to record logon information, but with many users it turned out that a text file can only be written by one user at a time, so simultaneous logons could not all be recorded and logons were delayed. SQL Server or MSDE should therefore be used to record the logon information. An Access database is still single-user; you could put a web page in front of it to receive the logon information, as some websites do, but using MSDE is simpler than web development.
Note:
1. First, find a SQL Server, create a database (or use an existing one), and create a table adlogin with the following structure:
CREATE TABLE adlogin
(currentloginuser varchar(20),
 currentloginpc   varchar(20),
 logintime        datetime)
Note the names of the server, database and table; they are needed in the script.
2. Because the script is a user logon/logoff script, it runs with the permissions of the user logging on. If SQL Server uses "Windows authentication only", every such account would need access to SQL Server and the right to add and delete records in the table above. Therefore, change the SQL Server security mode to mixed mode and create a SQL login with a password.
Of course, you can set permissions in the database so that this login can only access the table above, not the whole database. This matters a lot for SQL Server security!
Note the login ID and password created in SQL Server; they are also needed in the script.
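The four steps above and the adlogin table from note 1, worked through as an added Python example. This is not the page's script (the page uses VBScript against SQL Server); it uses the standard-library sqlite3 module as a stand-in so it runs offline. Assumptions that are not on the page: a primary key on currentloginuser, parameterised queries instead of the ADO Find string built from the user name, a BEGIN IMMEDIATE transaction so the check-then-insert is one unit, and a 12-hour STALE_AFTER timeout for records left behind by a crash.

```python
import sqlite3
from datetime import datetime, timedelta

# Constructed stand-in for the page's SQL Server table: same three columns,
# but with a PRIMARY KEY on currentloginuser (an addition assumed here) so the
# database itself refuses a second row for the same account.
SCHEMA = """
CREATE TABLE IF NOT EXISTS adlogin (
    currentloginuser TEXT PRIMARY KEY,
    currentloginpc   TEXT NOT NULL,
    logintime        TEXT NOT NULL
)
"""

# Assumed policy, not from the page: a record this old with no logoff is treated
# as a leftover from a crash or network failure and may be taken over.
STALE_AFTER = timedelta(hours=12)


def open_db(path=":memory:"):
    """Open the database in autocommit mode; write transactions are explicit below."""
    conn = sqlite3.connect(path, isolation_level=None)
    conn.execute(SCHEMA)
    return conn


def check_logon(conn, user, pc, now=None):
    """Logon-time check (steps 1, 2 and 4 of the page).

    Returns 'allowed'   - no usable record existed; this logon is now recorded
            'refreshed' - same account already recorded on this same computer; time updated
            'denied'    - account is recorded as logged on at a different computer
    `now` is an ISO-8601 string (handy for tests); defaults to the current time.
    """
    now_dt = datetime.fromisoformat(now) if now else datetime.now()
    user, pc = user.upper(), pc.upper()
    # BEGIN IMMEDIATE takes the write lock, so two clients logging on with one
    # account at the same moment cannot both read "no record" and both insert.
    conn.execute("BEGIN IMMEDIATE")
    try:
        row = conn.execute(
            "SELECT currentloginpc, logintime FROM adlogin WHERE currentloginuser = ?",
            (user,),  # parameterised: the user name is never spliced into the query text
        ).fetchone()
        if row is None:
            conn.execute("INSERT INTO adlogin VALUES (?, ?, ?)",
                         (user, pc, now_dt.isoformat()))
            result = "allowed"
        elif row[0] == pc:
            # Same computer again (step 4): keep the session, refresh the time.
            conn.execute("UPDATE adlogin SET logintime = ? WHERE currentloginuser = ?",
                         (now_dt.isoformat(), user))
            result = "refreshed"
        elif datetime.fromisoformat(row[1]) + STALE_AFTER < now_dt:
            # Stale leftover from another computer: take the record over.
            conn.execute(
                "UPDATE adlogin SET currentloginpc = ?, logintime = ? WHERE currentloginuser = ?",
                (pc, now_dt.isoformat(), user))
            result = "allowed"
        else:
            result = "denied"
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return result


def logoff(conn, user, pc):
    """Logoff-time cleanup (step 3): delete the record only if it belongs to this
    computer, so a logoff on machine B cannot clear a live session on machine A.
    Returns the number of rows deleted (0 or 1)."""
    cur = conn.execute(
        "DELETE FROM adlogin WHERE currentloginuser = ? AND currentloginpc = ?",
        (user.upper(), pc.upper()),
    )
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    print(check_logon(db, "alice", "PC1"))   # allowed
    print(check_logon(db, "alice", "PC2"))   # denied
    print(check_logon(db, "alice", "PC1"))   # refreshed
    print(logoff(db, "alice", "PC1"))        # 1
```

The page's VBScript does the same comparison client-side with a read of the whole table followed by AddNew; the primary key and the write transaction here move the "one row per account" rule into the database, so two simultaneous logons with one account are serialised rather than both being allowed. Whichever implementation is used, the SQL login's password sits in a logon script that every user who runs it can read, which is why the table-only permissions from note 2 matter.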

The following is the logon script:

' Restrict repeated logon with one account in the domain: user logon script
' Basic principle: look up the current logon account and computer in the database.
' If there is no record for the current user, logon is allowed; if a record already exists
' for this account on another computer, logon is refused.
' When the user logs off or shuts down, the logoff script deletes the record written at logon.
' This file is the logon script.
' Author: Xu Zhen v-zhenxu@microsoft.com
' 2017-3-11
On Error Resume Next
Const adOpenStatic = 3
Const adLockOptimistic = 3
Const adUseClient = 3
Const E_Recordset_Not_Found = &h800A0BCD
Set obj = WScript.CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")
' Get the user account and computer name currently logged on
CurrentUserName = WshNetwork.UserName
CurrentPcName = WshNetwork.ComputerName
' Connect to SQL Server and open the corresponding database
' Data Source=win2k3                     name of the SQL Server
' Trusted_Connection=no                  use SQL Server authentication for the connection (required)
' Initial Catalog=Northwind              the database
' User ID=limiteduser;Password=pass01!   database connection account and password
objConnection.Open _
    "Provider=SQLOLEDB;Data Source=win2k3;" & _
    "Trusted_Connection=no;Initial Catalog=Northwind;" & _
    "User ID=limiteduser;Password=pass01!;"
objRecordSet.CursorLocation = adUseClient
' Get all records in the adlogin table. Use the table name according to the actual situation.
objRecordSet.Open "SELECT * FROM adlogin", _
    objConnection, adOpenStatic, adLockOptimistic
If Err.Number = E_Recordset_Not_Found Then
    WScript.Echo "no table!"
    WScript.Quit 1
End If
' Look in the result set for a record whose currentloginuser field matches the current logon account
strSearchCriteria = "currentloginuser = '" & CurrentUserName & "'"
objRecordSet.Find strSearchCriteria
' If there is no record for the current user in the result set, nobody is using this account right now:
' allow the logon and record the current user, computer and logon time in the database
If objRecordSet.EOF Then
    objRecordSet.AddNew
    objRecordSet("currentloginuser") = UCase(CurrentUserName)
    objRecordSet("currentloginpc") = UCase(CurrentPcName)
    objRecordSet("logintime") = Now()
    objRecordSet.Update
' If there is a record for this user, the account is already in use; two cases are handled
Else
    ' Compare the current computer name with the one recorded in the database. If they differ, the same
    ' account is being used to log on to a different computer: show a message and force the user to log off
    If UCase(objRecordSet.Fields.Item("currentloginpc")) <> UCase(CurrentPcName) Then
        ' Risk: while the warning box is displayed, the user can ignore it, open Task Manager and kill the
        ' Script Host process before "logoff" runs. To close that gap, delete the following three lines
        ' (the warning box); then the user gets no chance to reach Task Manager unless they are very fast
        WScript.Echo "The user account " & objRecordSet.Fields.Item("currentloginuser") & " has logged on at " & _
            objRecordSet.Fields.Item("currentloginpc") & _
            ", so you can't log on using the same user account. Please call the administrator!"
        obj.Run "logoff"
    ' If the current computer name matches the one in the database, the same account is logging on to the
    ' same computer again: allow the logon and update the logon time in the database.
    ' This mainly covers an abnormal shutdown, where the record was never deleted and the user would
    ' otherwise be locked out; as long as the next logon is from the same computer it is still allowed,
    ' and only the logon time is refreshed
    Else
        objRecordSet("logintime") = Now()
        objRecordSet.Update
    End If
End If
objRecordSet.Close
objConnection.Close


Below is the logoff script:

' Restrict repeated logon with one account in the domain: user logoff script
' Basic principle: look up the current logon account and computer in the database.
' If there is no record for the current user, logon is allowed; if a record already exists
' for this account on another computer, logon is refused.
' When the user logs off or shuts down, this logoff script deletes the record written at logon.
' This file is the logoff script.
' Author: Xu Zhen v-zhenxu@microsoft.com
' 2017-3-11
On Error Resume Next
Const adOpenStatic = 3
Const adLockOptimistic = 3
Const adUseClient = 3
Const E_Recordset_Not_Found = &h800A0BCD

Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")
Set WshNetwork = WScript.CreateObject("WScript.Network")
' Get the user account and computer name currently logged on
CurrentUserName = WshNetwork.UserName
CurrentPcName = WshNetwork.ComputerName
' Connect to SQL Server and open the corresponding database
' Data Source=win2k3                     name of the SQL Server
' Trusted_Connection=no                  use SQL Server authentication for the connection (required)
' Initial Catalog=Northwind              the database
' User ID=limiteduser;Password=pass01!   database connection account and password
objConnection.Open _
    "Provider=SQLOLEDB;Data Source=win2k3;" & _
    "Trusted_Connection=no;Initial Catalog=Northwind;" & _
    "User ID=limiteduser;Password=pass01!;"
objRecordSet.CursorLocation = adUseClient
objRecordSet.Open "SELECT * FROM adlogin", _
    objConnection, adOpenStatic, adLockOptimistic
If Err.Number = E_Recordset_Not_Found Then
    WScript.Echo "no table!"
    WScript.Quit 1
End If
' Look in the result set for a record whose currentloginuser field matches the current logon account
strSearchCriteria = "currentloginuser = '" & CurrentUserName & "'"
objRecordSet.Find strSearchCriteria
' Delete the user's logon record, but only if it was written by this computer
' (if Find found nothing, EOF is True and there is nothing to delete)
If Not objRecordSet.EOF Then
    If UCase(objRecordSet.Fields.Item("currentloginpc")) = UCase(CurrentPcName) Then
        objRecordSet.Delete
    End If
End If
objRecordSet.Close
objConnection.Close
