Windows Domain Questions

Discussion in 'Windows & Other OS Discussion & Support' started by coldfireuk, Jan 4, 2005.

  1. coldfireuk

    coldfireuk New Member

    Hey guys, I've just finished setting up a domain at work but there are just two things that are driving me potty!

    1) I can't find the option anywhere to stop multiple-logins under the same account name, at the same time, on different machines. I want it so a single user can only be logged into one machine at a time.

    2) Is there a way that I can stop profiles being copied over locally at the beginning of a session, and then being copied back at the end of that session? I'd rather have the profiles updated constantly whilst users are logged in to ensure data is as up-to-date as it can be.

    Any ideas or suggestions would be greatly appreciated.

    Thanks again,

    Chris
     
  2. PangingJr

    PangingJr Member

    Don't have any direct answer to your queries ATM,
    but for no. 2 you can use roaming profiles.
     
  3. MiDKnYtE

    MiDKnYtE Caffeine Machine

    You didn't say which OS you are using. NT, 2000 or 2003? Guessing either 2000 or 2003.

    1) As far as I can tell, there is no policy that I see to prevent multiple account logins. I looked in both 2000 and 2003 GP. You might need to implement a key card, dongle key or biometrics for that.

    2) Profiles are only updated at login and logoff. I believe that is by design. Otherwise, you would be adding a lot of traffic and congesting the network.
     
  4. HsuGotaQ

    HsuGotaQ Hydrogenated Dumbass

    1. There is a registry key that forces single account logon and there should be one available in the Group Policy editor, but I'm not sure if it's because of an extra ADM file added to the list (search the Windows 2003 RDK and Admin Tool kits for ADM files to be imported to the group policy). Here's a solution that I used for a terminal server at work (a batch file launched during login). There is an alternative to 'qappsrv' that will display workstations, but once again my memory is not working tonight so you'll have to find it out. Here's the forced logon script (use the GPO that will make the interruption of logon scripts impossible) :

    Code:
       SetLocal
       Set LoginNum=0
       Set LoginCount=0
       Set SessNum=-1
       For /f "skip=2 delims=* " %%i in ('qappsrv *') do call :Next %%i
       
       Rem LoginNum will be less than or equal to 1 if the user is only logged in once.
       Rem This is good, and the script will then terminate
       If %LoginNum% LEQ 1 (EndLocal) && (Goto EoF)
       
       Rem LoginNum will be equal or greater than 2 if the user is logged in already
       
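       Rem The user is logged in more than once...so find the session number of the other session
       Rem A disconnected session has a blank SESSIONNAME, so its ID is token 2 rather than token 3
       For /f "skip=1 tokens=2,3" %%i in ('qwinsta %UserName% ^| find /v ">"') Do (If /I "%%i"=="%UserName%" (Set SessNum=%%j) Else (Set SessNum=%%i))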
       
       Rem This should never happen, unless the person is on a different server...
       If %SessNum% EQU -1 (Call :Error 1) && (Goto EoF)
       
       Rem Check what OS we are running:
       Rem Windows 2000/2003 or NT?
       If Exist %SystemRoot%\System32\TSCon.exe (TSCon.exe %SessNum%) Else (Connect.exe %SessNum%)
       If %ERRORLEVEL% NEQ 0 (Call :Error 2) && (Goto EoF)
       EndLocal
       Logoff.exe
       Goto EoF
       
       :Error
       Rem This is bad, so warn the user, then log them off
       Msg %WinStationName% /W You are logged on at another server. You need to log out of there before you can log in again. (Error Code: %1)
       Logoff.exe
       EndLocal
       Goto EoF
       
       :Next
       Rem Checking the servers to see where the user is and update the count...
       For /f %%j in ('qwinsta /server:%1 ^| find /c /i " %UserName% "') do Set /A LoginNum=%LoginNum%+%%j
       Goto EoF
       
       :EoF
       
    2. MiDKnYtE is right about the synchronization of the profile. What I am wondering however is this, are your users configured with roaming or local accounts?

    Check in the Domain group policy (run gpedit.msc) and look under Computer Configuration --> Administrative Templates --> System --> User Profiles

    Good luck
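
Added example, not part of HsuGotaQ's post: `qwinsta` leaves SESSIONNAME blank for a disconnected session, so whitespace-token parsing such as `For /f "tokens=3"` reads STATE instead of the ID on those rows. This PowerShell version of the lookup takes column offsets from the header line instead; the function names and the sample rows are constructed for illustration, and English column headers are assumed.

```powershell
# Added example: read `qwinsta` rows by column offset taken from the header line.
function ConvertFrom-QWinsta {
    param([Parameter(Mandatory)][string[]]$Lines)

    $header   = $Lines[0]
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    if ($userCol -lt 1 -or $stateCol -le $userCol) { throw 'Unrecognised qwinsta header' }

    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if ($line.Trim().Length -eq 0) { continue }
        $line = $line.PadRight($stateCol + 1)
        # USERNAME and the right-aligned ID both sit between these two offsets.
        $mid = @($line.Substring($userCol, $stateCol - $userCol) -split '\s+' |
                 Where-Object { $_ -ne '' })
        if ($mid.Count -eq 0 -or $mid[-1] -notmatch '^\d+$') { continue }

        [pscustomobject]@{
            Current     = $line[0] -eq '>'          # '>' marks the caller's own session
            SessionName = $line.Substring(1, $userCol - 1).Trim()
            UserName    = if ($mid.Count -ge 2) { $mid[0] } else { '' }
            Id          = [int]$mid[-1]
            State       = @($line.Substring($stateCol).Trim() -split '\s+')[0]
        }
    }
}

# Sessions held by $UserName other than the one this script is running in.
function Get-OtherSession {
    param([object[]]$Sessions, [string]$UserName)
    @($Sessions | Where-Object { $_.UserName -ieq $UserName -and -not $_.Current })
}

# Constructed sample rows in qwinsta's layout (not captured from a real server).
$fmt = '{0}{1,-18}{2,-20}{3,7}  {4}'
$sample = @(
    ($fmt -f ' ', 'SESSIONNAME', 'USERNAME', 'ID', 'STATE'),
    ($fmt -f ' ', 'console',     '',         0,    'Conn'),
    ($fmt -f '>', 'rdp-tcp#1',   'alice',    2,    'Active'),
    ($fmt -f ' ', '',            'alice',    3,    'Disc'),    # blank SESSIONNAME
    ($fmt -f ' ', 'rdp-tcp#4',   'bob',      5,    'Active'),
    ($fmt -f ' ', 'rdp-tcp',     '',         65536, 'Listen')
)

$other = Get-OtherSession -Sessions (ConvertFrom-QWinsta $sample) -UserName 'alice'
$other | Format-Table Id, State, SessionName
```

On a live terminal server the input would be `ConvertFrom-QWinsta (qwinsta)` in place of the sample rows.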
     
  5. coldfireuk

    coldfireuk New Member

    Hey guys, sorry for the lack of replies! Been swamped at work the last 2 weeks!!

    Firstly, the accounts I have set up are roaming accounts. All profiles are stored on the server. These are synchronized each time a user logs on or off... if he or she has a lot of files then this process can take a VERY long time!!! I'll check over the GPO again tomorrow, but I'm pretty damn sure I turned off offline files etc, and synchronization of everything :(

    Thanks for the logon script HsuGotaQ, I'm going to put it to use tomorrow when I get in.

    Any other advice guys is most appreciated!!! Thanks for all your help so far!

    CF
     
  6. md5

    md5 New Member

    For your first question, read here:
    http://www.giac.org/practical/GSEC/Gene_Burton_GSEC.pdf

    For your second... you could try and keep the users' profiles in a shared folder, where they will be constantly updated. However, as MiDKnYtE said, this will create extra unnecessary traffic.
     
