Microsoft KB Archive/260364

= How to Use a Network Share to Limit a User's Concurrent Connections in Windows 2000 =

Article ID: 260364

Article Last Modified on 9/11/2007


APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server
 * Microsoft Small Business Server 2000 Standard Edition




This article was previously published under Q260364



IN THIS TASK

 * SUMMARY
 * More Information
 * Overview
 * Implement Concurrent Log On Restrictions
 * Limitations


 * REFERENCES



SUMMARY
This article describes how to use a network share to limit a user's concurrent connections. This method is intended for use with Microsoft Windows NT 4.0 and Windows 2000-based systems or later. This method has not been tested with Microsoft Windows 95 or Microsoft Windows 98-based systems.

Note Microsoft recommends that you use the Cconnect.exe tool that is available in the Windows 2000 Resource Kit to limit concurrent connections. For additional information about how to use Cconnect.exe, click the following article number to view the article in the Microsoft Knowledge Base:

237282 Limiting a User's Concurrent Connections in Windows 2000 and Windows NT 4.0

However, if you cannot use the Cconnect.exe method, use the network-share method described in this article (260364) to limit a user's concurrent connections.




Overview
You can use a network share to limit a user's concurrent connections. In this way, you can limit a user to only one connection to a shared network folder and force a user to log off when the limit for concurrent connections is reached. To use this method, you need the following components:
 * An available shared folder for each user whose logons you want to limit.
 * A user logon script.
 * The Logoff.exe tool from the Windows 2000 Server Resource Kit.


Implement Concurrent Logon Restrictions
To implement concurrent logon restrictions, follow these steps:

 1. Create and share a folder on a server for each user to whom you want to apply logon restrictions (if you are not using existing shares). To do so:
    a. Start Windows Explorer.
    b. In the Folders list, click the folder where you want to create your new shared folder (for example, Documents and Settings).
    c. On the File menu, point to New, and then click Folder.
    d. Type a name for the folder, and then press ENTER.
    e. Right-click the new folder (or the folder that you want to share), and then click Sharing.
    f. Click Share this folder.
    g. Under User limit, click Allow.
    h. In the Users dialog box, type the number of concurrent logon sessions that you want to limit the user to.
 2. Create a logon script.
    a. Use a text editor to create the following batch file:

<pre class="fixed_text">
rem Remove any existing mapping of drive T.
net use T: /delete
rem Connect to the limited share; this fails when the user limit is reached.
net use T: \\<Servername>\<Sharename>
if exist T: goto end
if not exist T: goto logout
:logout
rem Drive T was not mapped, so log the user off.
echo Y | logoff.exe
:end
</pre>

    b. Save the file with a .bat extension in the Netlogon share of the domain controller.
    c. To restrict concurrent logons for specific user accounts, use this logon script or incorporate the script in an existing logon script.

    Note This example uses drive T. You can substitute any drive letter for "T." Also, if you specify the user's home folder, you can use the %USERNAME% environment variable instead of the share name.
 3. Copy the Logoff.exe tool from the Windows 2000 Server Resource Kit, and then copy the logon script that you just created to the domain controller's Netlogon share.

When a user logs on and the user limit for the restricted share has already been reached, the connection to the share fails and the logon script automatically logs the user off the computer.
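
The share-creation step can also be scripted on the server with the /users switch of net share, which sets the same user limit as the Sharing dialog box. The batch file below is an added example, not part of the original article; the folder root D:\LogonLimit, the input file users.txt and the limit of 1 are assumptions. Each share is named after the account, which fits the article's note about using %USERNAME% in place of the share name.

```batch
@echo off
rem Added example: command-line form of the "create and share a folder" step.
rem ROOT, LIMIT and users.txt are assumptions, not values from the article.
setlocal
set ROOT=D:\LogonLimit
set LIMIT=1

rem users.txt: one account name per line, no spaces (constructed input).
if not exist users.txt (
    echo users.txt not found: expected one account name per line
    exit /b 1
)

for /f "usebackq tokens=1" %%U in ("users.txt") do call :provision %%U
endlocal
goto :eof

:provision
rem Create the folder that the share will point at.
if not exist "%ROOT%\%1" mkdir "%ROOT%\%1"
rem Share it under the account name with the user limit applied.
net share %1="%ROOT%\%1" /users:%LIMIT% /remark:"Logon limit share for %1"
if errorlevel 1 echo Could not share %ROOT%\%1 as %1
goto :eof
```

The script leaves share permissions at their defaults; set them in the Sharing dialog box as you would for a share created in Windows Explorer.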


Limitations
The success of this method depends on the availability of the logon script, the availability of the share, and the user's inability to prevent or bypass the logon script. Therefore, there may be some instances where this method does not work as expected.
 * Do not use this method if business considerations require enforcement of concurrent logons. In these situations, use either the Cconnect.exe Windows 2000 Resource Kit tool or Smart Card logon to enforce the number of concurrent logons.
 * If users can cancel logon scripts, they can also circumvent the concurrent logon limitations. To prevent users from canceling a logon script before it completes, configure the clients to run the logon script synchronously, or to run the script in the background so that it is not visible to the user.
 * If the server that hosts the share cannot be reached, or if the logon script does not process, users may be able to avoid the restrictions that the share method is designed to impose.
 * Users may be able to gain access to network resources by using cached credentials (for example, on a portable computer). You can remove cached logon information; however, unless there is a strong concurrent connection enforcement policy, this is not a good idea because you may unintentionally prevent users from accessing network resources.

<div class="references_section">