How to Use a Network Share to Limit a User's Concurrent Connections in Windows 2000 (260364)



The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server
  • Microsoft Small Business Server 2000

This article was previously published under Q260364

SUMMARY

This article describes how to use a network share to limit a user's concurrent connections. This method is intended for use with Microsoft Windows NT 4.0 and Windows 2000-based systems or later. This method has not been tested with Microsoft Windows 95 or Microsoft Windows 98-based systems.

Note Microsoft recommends that you use the Cconnect.exe tool that is available in the Windows 2000 Resource Kit to limit concurrent connections. For additional information about how to use Cconnect.exe, click the following article number to view the article in the Microsoft Knowledge Base:

237282 Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0

However, if you cannot use the Cconnect.exe method, use the network-share method described in this article (260364) to limit a user's concurrent connections.


MORE INFORMATION

Overview

You can use a network share to limit a user's concurrent connections. In this way, you can limit a user to only one connection to a shared network folder and force a user to log off when the limit for concurrent connections is reached. To use this method, you need the following components:
  • An available shared folder for each user whose logons you want to limit.
  • A user logon script.
  • The Logoff.exe tool from the Windows 2000 Server Resource Kit.

Implement Concurrent Logon Restrictions


To implement concurrent logon restrictions, follow these steps:
  1. Create and share a folder on a server for each user to whom you want to apply logon restrictions (if you are not using existing shares). To do so:
    1. Start Windows Explorer.
    2. In the Folders list, click the folder where you want to create your new shared folder (for example, Documents and Settings).
    3. On the File menu, point to New, and then click Folder. Type a name for the folder, and then press ENTER.
    4. Right-click the new folder (or the folder that you want to share), and then click Sharing.
    5. Click Share this folder.
    6. Under User limit, click Allow. In the Users dialog box, type the number of concurrent logon sessions that you want to limit the user to.
  2. Create a logon script.
    1. Use a text editor to create the following batch file:

      rem Release any existing mapping of drive T so the new attempt is counted by the server.
      net use T: /delete
      rem Try to connect to the restricted share; the server refuses the connection
      rem when the share's user limit has already been reached.
      net use T: \\<Servername>\<sharename>
      if exist T: goto end
      if not exist T: goto logout
      :logout
      rem The connection was refused, so log the user off.
      echo Y | logoff.exe
      :end

    2. Save the file with a .bat extension in the Netlogon share of the domain controller.
    3. To restrict concurrent logons for specific user accounts, use this logon script or incorporate the script in an existing logon script.
    Note This example uses drive T. You can substitute any drive letter for "T." Also, if you specify the user's home folder, you can use the %USERNAME% environment variable instead of the share name.
  3. Copy the Logoff.exe tool from the Windows 2000 Server Resource Kit, and then copy the logon script that you just created to the domain controller's Netlogon share.
When a user who has already reached the connection limit tries to connect to the restricted share, the connection is refused and the logon script automatically logs the user off the computer.
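As an added example that is not part of the original article, the logon script below is reworked to map the user's own home share through %USERNAME%, as the note above suggests, and to branch on the result of net use rather than only on the presence of the drive. The server name FILESRV01 and a home share named after each user are assumptions.

```batch
@echo off
rem Added example, not the KB article's script. Assumed names: server FILESRV01
rem and a per-user home share whose name equals the user name.
set SHARE=\\FILESRV01\%USERNAME%

rem Drop any stale mapping of T: so this logon's attempt is counted by the server.
net use T: /delete /y >nul 2>&1

rem /persistent:no stops the mapping from being restored silently at the next logon,
rem which would otherwise bypass the count enforced by the share's user limit.
net use T: %SHARE% /persistent:no >nul 2>&1
if errorlevel 1 goto logout
if not exist T:\ goto logout
goto end

:logout
rem The connection was refused (user limit reached), so end this session.
echo Y | logoff.exe

:end
```

As with the article's script, any failure to map the drive ends the session, so test the behaviour against the cases listed under Limitations before deploying it.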


Limitations

The success of this method depends on the availability of the logon script, the availability of the share, and the user's inability to prevent or bypass the logon script. Therefore, there may be some instances where this method does not work as expected.
  • Do not use this method if business considerations require enforcement of concurrent logons. In these situations, use either the Cconnect.exe Windows 2000 Resource Kit tool or Smart Card logon to enforce the number of concurrent logons.
  • If users can cancel logon scripts, they can also circumvent the concurrent logon limitations. To prevent users from canceling a logon script before it completes, configure the clients to run the logon script synchronously, or to run the script in the background so that it is not visible to the user.
  • If the server that hosts the share cannot be reached, or if the logon script does not process, users may be able to avoid the restrictions that the share method is designed to impose.
  • Users may be able to gain access to network resources by using cached credentials (for example, on a portable computer). You can remove cached logon information; however, unless there is a strong concurrent connection enforcement policy, this is not a good idea because you may unintentionally prevent users from accessing network resources.

REFERENCES

For more information about the Windows 2000 Resource Kit, visit the following Microsoft Web site:

For additional information about how to minimize the limitations of the network-share method, click the following article numbers to view the articles in the Microsoft Knowledge Base:

242092 How to: Use System Policies to Hide Specific Drives

176197 How to Hide the Logon Script Dialog Box on a Windows Client

For additional information about configuration procedures, click the following article number to view the article in the Microsoft Knowledge Base:

304970 Scripts May Not Run Before Windows Explorer Starts Even Though the "Run Logon Scripts Synchronously" Setting is Enabled

For additional information about how to reduce or remove a user's ability to cache logon information, click the following article number to view the article in the Microsoft Knowledge Base:

172931 Cached Logon Information


Modification Type: Minor
Last Reviewed: 3/15/2006
Keywords: kbhowto KB260364