AD user authentication & control

 
 
Frodo
Guest
Posts: n/a

 
      02-18-2009
Hi,

Currently I have AD server 2003 std 32bit serving 1000 users. Would like to
know the best way to control and restrict every user to logon to AD from
their own designated workstation. In this way, I can prevent password
sharing where user can't logon using other's ID & pwd. 2ndly, how can I
limit the concurrent login per user per login (like those in Novell)?


Thank you,
Frodo



 
 
 
 
 
Al Dunbar
Guest
Posts: n/a

 
      02-18-2009

"Frodo" <> wrote in message
> Hi,
>
> Currently I have AD server 2003 std 32bit serving 1000 users. Would like to
> know the best way to control and restrict every user to logon to AD from
> their own designated workstation.


There is a multi-valued attribute that lists (up to 10, I think)
workstations from which the user is allowed to log on.

That said, do you have a business case for applying this kind of
restriction, or is it just that you think it will improve security? Let's
say someone on the 15th floor left the office forgetting to print something
he wanted to review that evening. He's down on the main floor where his
friend is just logging off and offering to let him logon to do the printing,
only to find he cannot, but will have to spend an additional 10 minutes
going back upstairs to his own workstation.

What about the person whose workstation crashes?

IMHO, most of the activities you will be blocking are valid, and your users
will feel they are not trusted or valued if you place these restrictions on
them. Those invalid uses, well, the real miscreant will find some way to do
what they want.

And, on top of it all, you will be creating more administrative work for the
admins.

> In this way, I can prevent password
> sharing where user can't logon using other's ID & pwd.


IMHO, there is no known way in the universe to keep users from doing what we
tell them not to.

But why do they share passwords? Is it because of the nuisance of having
their passwords reset? Wouldn't it be better to consider improving the
service provided to your users?

> 2ndly, how can I
> limit the concurrent login per user per login(like those in Novell)


If each user can only logon at one workstation, what additional security
would you get from disallowing concurrent logons?

Anyway, this cannot be done reliably. AD does not know that you are logged
in, it just knows when you last logged in. And the second workstation where
you might start a second concurrent logon session does not know where else
you might be logged in. It cannot even know where else you have logged in.

/Al


 
 
Walter D'Souza
Guest
Posts: n/a

 
      02-18-2009
I agree with Al on reason why not to do it.

This is how you would do this. Bring up the user object. Go to the
Accounts tab. Click on the Log On To button. Add the NetBIOS name only. It
will not take an IP address or FQDN.

Walter.

"Frodo" wrote:

> Hi,
>
> Currently I have AD server 2003 std 32bit serving 1000 users. Would like to
> know the best way to control and restrict every user to logon to AD from
> their own designated workstation. In this way, I can prevent password
> sharing where user can't logon using other's ID & pwd. 2ndly, how can I
> limit the concurrent login per user per login(like those in Novell)
>
>
> Thank you,
> Frodo
>
>
>
>

 
 
Meinolf Weber [MVP-DS]
Guest
Posts: n/a

 
      02-18-2009
Hello Frodo,

If you really like to restrict your users that way and create yourself an
administrative workload, well then configure the "Log on to" under the user
accounts properties Accounts tab. Here you can specify the machine where
the account can logon to.

In my thoughts this is a way where YOU are working, so create company policies,
that the user has to accept, about password/account sharing and maybe some
more what you do not want to have. That is the way it should work, also if
the machine is broken the user has to stop working and can not use another
free machine, before YOU allow that to him. One of the big advantages of
a domain is that every user can use any workstation.

For the second part check out limitlogin:
http://technet.microsoft.com/en-us/m...spotlight.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> Currently I have AD server 2003 std 32bit serving 1000 users. Would
> like to know the best way to control and restrict every user to logon
> to AD from their own designated workstation. In this way, I can
> prevent password sharing where user can't logon using other's ID &
> pwd. 2ndly, how can I limit the concurrent login per user per
> login(like those in Novell)
>
> Thank you,
> Frod
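
The "Log on to" setting described in the replies above is stored on the user object in the userWorkstations attribute as a comma-separated list of computer names, so it can be scripted for many accounts instead of clicked through one by one. The following is an added example, not code from any poster in this thread: it validates that each entry is a NetBIOS name (rejecting FQDNs and IP addresses, as noted above) and runs as a dry run unless `$Apply` is set. It assumes PowerShell 2.0 or later on a domain-joined machine with rights to modify users; the account names, computer names and the `$Apply` switch are constructed for illustration.

```powershell
# Added example, not from the thread. All account/computer names are constructed.
$Apply = $false   # dry run by default; set to $true to write changes to AD

# Constructed sample mapping of users to their designated workstations.
$map = @'
sAMAccountName,Workstations
jsmith,WS-0142
mjones,"WS-0207,WS-0208"
akhan,ws0311.corp.example.com
lchen,10.0.0.15
'@ | ConvertFrom-Csv

function Test-NetBiosName([string]$Name) {
    # NetBIOS computer name: 1-15 characters and no dots, so FQDNs and IPs fail.
    $Name -match '^[A-Za-z0-9-]{1,15}$'
}

foreach ($row in $map) {
    $account = $row.sAMAccountName
    # Keep the value safe to embed in the LDAP filter below.
    if ($account -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        Write-Warning "${account}: skipped, unexpected characters in account name"
        continue
    }
    $names = @($row.Workstations -split ',' | ForEach-Object { $_.Trim() })
    $bad   = @($names | Where-Object { -not (Test-NetBiosName $_) })
    if ($bad.Count -gt 0) {
        Write-Warning "${account}: skipped, not NetBIOS names: $($bad -join ', ')"
        continue
    }

    $filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$account))"
    $hit = ([adsisearcher]$filter).FindOne()
    if ($null -eq $hit) { Write-Warning "${account}: account not found"; continue }

    $user  = $hit.GetDirectoryEntry()
    $old   = [string]$user.Properties['userWorkstations'].Value
    $value = $names -join ','
    if ($Apply) {
        # Same attribute the "Log on to" dialog edits.
        $user.Properties['userWorkstations'].Value = $value
        $user.CommitChanges()
    }
    "{0}: userWorkstations '{1}' -> '{2}' (applied={3})" -f $account, $old, $value, $Apply
}
```

Reviewing the dry-run output before setting `$Apply = $true` gives a record of each account's previous value, which is what you need to roll the restriction back.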



 