JSI Tip 0296 - A better way to prevent a user from logging on more than once.

Downloads
NTNAME.zip

BROWN Nick

NOTE: See How can I prevent users from logging on more than once, without using the Cconnect.exe Resource Kit Tool?

In tip 175, I described a method for preventing a user from logging on more than once. Now, thanks to Nick Brown, there is a better way.

Download NTNAME.ZIP. Here are excerpts from the NTNAME.DOC:

NTNAME - a program to enforce one-logon-per-user

NTNAME is a small utility which helps you build an NT network in which users can log on only once.

You will need to combine NTNAME with an automatic logoff program such as LOGOUT.EXE (see tip 184 ), and have a consistent approach to user logon scripts.

When you log on to NT, your PC adds a NetBIOS name consisting of your username, with Byte16=0x03. This name is used to send you broadcast messages; for example, when a print job completes.

NTNAME simply checks to see whether the given name (specified as a command line parameter, although I suppose it could have been extracted from the environment in %USERNAME%) is owned by the current PC. If so, it outputs nothing and returns errorlevel 0. If not, it outputs the name of the owning system to the standard output (so you can capture it in a file) and returns errorlevel 1.

If you get this errorlevel, it generally means that you are already logged in on another PC. It's then up to you to write a logon script to detect this and log the user off. On our site it looks something like this:

NTNAME %USERNAME% >%TEMP%\OTHERPC.TXT
if not errorlevel 1 goto logon_ok
for /f %%f in ('TYPE %TEMP%\OTHERPC.TXT') do @echo Already logged onto %%f %0\..\logout.exe
:logon_ok

You can make a prettier message with a scripting tool like KIXtart. Just remember that because you can't do system modal dialogs in NT, if you allow a wait for the user to read the message before starting the logoff, you allow the user time to find the process which is about to log them off, and kill it.

The main problem will be if you have multiple domains and workgroups on your LAN with different people creating usernames. In this case user SMITH in one domain can fail to logon because user SMITH in another domain in not logged off.

In this case you can try NTNAME2. This adds your NetBIOS name, with a Byte16 value which you can specify (default is 0xCE). If you use a different Byte16 value on each domain, or even if you just use NTNAME2 on your domain and don't bother on the others, you should avoid conflicts. However, this is slightly slower (you have to wait for the check to time out when adding the name), and you risk conflicts with other NetBIOS applications which might use your Byte16 value.

There are a couple of disadvantages to the approach in tip 175:

- If the home share's server is down, you can log on anyway (another BDC will take over). You might not want to stop people from working in this case.

- If another user accidentally connects to the home share, it will eat the only allowed connection. This can happen very easily, even with hidden share names. For example, if Fred and Joe share a PC, and use Outlook, and they don't have the master's degree in nuclear physics required to get the Outlook bar onto a network drive, they will share an Outlook bar. If Fred puts a shortcut to his home share on there, and Joe clicks on it, then Joe will connect to Fred's home share, even if the share-level protection is set up to deny him access, and the connection won't go away until Joe logs out!!! The network security is only applied after you have connected.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish