Skip navigation

Prevent Multiple Logons With GPOs


As a Microsoft Certified Trainer (MCT), I'm frequently asked about providing a solution that prevents a user from logging on to multiple PCs at the same time. There's a Microsoft solution to prevent multiple logons, but it's complicated. I found a simpler solution that uses logon and logoff scripts in Group Policy Objects (GPOs). Because GPOs can't be applied to Windows 9x or Windows NT, my solution works with only newer OSs (i.e., Windows Server 2003, Windows XP, and Windows 2000).

There are three steps in my solution:

  1. Create and share a folder on the domain controller (DC). For this example, I created a folder named Logons on a DC named Rafetpc. The share name should be the same as the folder name (in this case, Logons). The share permission must be Everyone, Change because users will write and delete files on the DC.
  2. Download and customize Login.bat, which Listing 1 shows, and Logout.bat, which Listing 2 shows. You can download these scripts from the Windows IT Pro Web site. Go to, enter 46952 in the InstantDoc ID text box, then click the hotlink. To customize these scripts, replace each instance of \\rafetpc\logons\ in the code at callout A in Listing 1 and at callout A in Listing 2 with an appropriate path.
  3. In the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, go to the organizational unit (OU) that contains those users for whom you don't want to allow multiple logons. Create a GPO for this OU. In this GPO, navigate to User Configuration, Windows Settings, Scripts (Logon/Logoff). In the details pane, double-click Logon. Click Add in the Logon Properties dialog box, then click Browse in the Add a Script dialog box. Select the Login.bat file and click OK. Repeat the process for the logoff script by double-clicking Logoff in the details pane, clicking Add, Browse, selecting the Logout.bat file, and clicking OK. That's all.

After performing these steps, whenever a user in the specified OU logs on, Login.bat will create two files in the folder on the DC. When the same user attempts to log on from another PC at the same time, Login.bat will check for the existence of these files. If the files are present, Login.bat will immediately log the user off from the second PC. When a user in the specified OU logs off from a PC, Logout.bat will delete the two files created by Login.bat so that the user can then log on to another machine.

Editor's Note:
Long-time reader and contributor Murat Yildirimoglu pointed out that the scripts used in the June 2007 article, "It's 10:00 P.M.: Do You Know Who's Logged On?", are similar to the scripts Murat published in this Reader to Reader.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.