How to restrict scripts for repeated logins of accounts in a domain on different computers

2025-01-22 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article shows how to restrict, with scripts, the same domain account from logging in repeatedly on different computers. The content is simple and clear, and I hope it helps you resolve your doubts. Let me lead you through the article "how to limit the script of repeated login of accounts in a domain on different computers".

In a Microsoft AD domain, any user account can log in on different clients, and sometimes the same account is even logged in on several computers at the same time. The "Log On To" setting of the account control feature included in AD can only restrict an account to logging in on one (or more) named computers; it does not control repeated logins of accounts across the entire domain.

That only works if the administrator patiently sets the login location of every account, and the computers those accounts use never change afterwards. So how can we achieve the limit that an account can only log on to one computer at a time, without restricting which computer that is?

Microsoft has a tool called LimitLogon, but it needs at least one server acting as a Web Server, it requires extending the AD schema and creating an application partition (which affects recovery speed), and the client needs .NET Framework 1.1 plus a client component to support SOAP communication with the Web Server. These requirements are generally hard for a company to accept. There is also a third-party product called UserLock, which is very good and powerful, but it is paid software.

Now to implement this function with scripts, the basic idea is as follows:

1. When a user logs in, check all current login records in the database. If there is no record for this account, allow the login and record the account, the client computer and the time.

2. When someone else logs in with the same account, the same check is performed; because a login record for the account already exists, the new login is a duplicate and is prohibited.

3. When the user logs out or shuts down, run the logout script to delete the login record from the database so the next login can succeed.

4. If the login record is not deleted normally during logout or shutdown (network problems, abnormal client shutdown), it would block the next login. So during the login check, if the account and client stored in the database match the current login, the same account is logging on to the same computer again: the login is still allowed and only the login time in the database is updated.

The original implementation used a text file to record the login information, but it turned out that with more users logging in, several users could not write their login information at the same time because the text file is single-user, which caused login delays. So SQL Server (MSDE also works) is used to record the login information instead. If you want to use an Access database, Access is still single-user, so you would need a Web front end to accept the users' login information (the way some websites do). Developing that Web front end is not as easy as using MSDE, so it is not covered here.

Description:

1. First, you need a SQL Server server. Create a database (or use an existing one) and create a table named adlogin in it. The table structure is as follows:

    CREATE TABLE adlogin
    (
        currentloginuser varchar(20),
        currentloginpc   varchar(20),
        logintime        datetime
    )

Here you need to remember the names of the server, database, and table, which you need to use in the script.

2. Because the script is a user login/logout script, it runs with the privileges of the currently logged-in user. If SQL Server uses "Windows authentication only", every such account would need access to SQL Server and the right to add or remove records in the above table. Instead, change the security mode of SQL Server to mixed mode and create a SQL login ID with a password.

Of course, permissions should be set in the database so that this login can only access the above table, not the entire database. This is particularly important for SQL Server security!

Remember the login ID and password created in SQL Server; they are also needed in the scripts.
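The four-step check described above and the least-privilege setup for the SQL login can both be done on the server side, so that the client scripts only need permission to execute two procedures rather than to read, insert, update and delete rows in the table. The following T-SQL is an added example, not the article's own code: the database name Northwind, the table adlogin and the login limiteduser are taken from the article; the procedure names adlogin_check and adlogin_logout are hypothetical, the password is a placeholder, and the CREATE LOGIN / CREATE USER syntax assumes SQL Server 2005 or later.

```sql
-- Added example (not from the article). Assumed names: database Northwind,
-- table adlogin and login limiteduser come from the article; the two
-- procedures are hypothetical additions; the password is a placeholder.
USE Northwind;
GO

-- One row per account. The primary key makes the account name unique, so if
-- two clients race through the "is there a record?" check at the same moment,
-- the second INSERT fails instead of silently creating a second row.
CREATE TABLE dbo.adlogin (
    currentloginuser varchar(20) NOT NULL PRIMARY KEY,
    currentloginpc   varchar(20) NOT NULL,
    logintime        datetime    NOT NULL
);
GO

-- Login check (steps 1, 2 and 4). Returns 0 = allow, 1 = deny.
CREATE PROCEDURE dbo.adlogin_check
    @user varchar(20),
    @pc   varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    SET @user = UPPER(@user);
    SET @pc   = UPPER(@pc);

    DECLARE @existingpc varchar(20);

    BEGIN TRANSACTION;
    -- UPDLOCK + HOLDLOCK make a concurrent caller for the same account wait
    -- until this transaction commits, serialising the check-then-insert.
    SELECT @existingpc = currentloginpc
    FROM dbo.adlogin WITH (UPDLOCK, HOLDLOCK)
    WHERE currentloginuser = @user;

    IF @existingpc IS NULL
    BEGIN
        -- Step 1: no record, allow the login and record it.
        INSERT INTO dbo.adlogin (currentloginuser, currentloginpc, logintime)
        VALUES (@user, @pc, GETDATE());
        COMMIT TRANSACTION;
        RETURN 0;
    END

    IF @existingpc = @pc
    BEGIN
        -- Step 4: same account on the same computer (stale row after a crash
        -- or network loss): allow, and only refresh the login time.
        UPDATE dbo.adlogin SET logintime = GETDATE()
        WHERE currentloginuser = @user;
        COMMIT TRANSACTION;
        RETURN 0;
    END

    -- Step 2: the account is active on another computer, deny.
    COMMIT TRANSACTION;
    RETURN 1;
END
GO

-- Logout (step 3): remove the row, but only if it was written from this
-- computer, so a logoff on machine B cannot clear a live session on machine A.
CREATE PROCEDURE dbo.adlogin_logout
    @user varchar(20),
    @pc   varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    DELETE FROM dbo.adlogin
    WHERE currentloginuser = UPPER(@user) AND currentloginpc = UPPER(@pc);
END
GO

-- Mixed-mode SQL login used by the scripts. The mapped database user gets
-- EXECUTE on the two procedures and no direct rights on the table.
CREATE LOGIN limiteduser WITH PASSWORD = '<placeholder-strong-password>';
CREATE USER limiteduser FOR LOGIN limiteduser;
GRANT EXECUTE ON dbo.adlogin_check  TO limiteduser;
GRANT EXECUTE ON dbo.adlogin_logout TO limiteduser;
GO

-- Smoke test with constructed values: first login, a second login from
-- another PC, a repeat from the original PC, then logout from each PC.
DECLARE @rc int;
EXEC @rc = dbo.adlogin_check 'alice', 'PC-A'; SELECT @rc AS first_login;
EXEC @rc = dbo.adlogin_check 'alice', 'PC-B'; SELECT @rc AS login_from_second_pc;
EXEC @rc = dbo.adlogin_check 'alice', 'PC-A'; SELECT @rc AS repeat_from_same_pc;
EXEC dbo.adlogin_logout 'alice', 'PC-B'; SELECT COUNT(*) AS rows_after_logout_from_wrong_pc FROM dbo.adlogin;
EXEC dbo.adlogin_logout 'alice', 'PC-A'; SELECT COUNT(*) AS rows_after_logout_from_own_pc FROM dbo.adlogin;
```

Because the SQL login's password sits in a script that every domain user runs, the less that login can do directly, the better: with only EXECUTE rights, a user cannot open the table and delete or rewrite other accounts' rows. The primary key also closes the gap in the client-side version of the check, where two users logging in with the same account at the same instant can both see an empty result set and both insert a record.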

'** here is the login script **
'restrict repeated login of the same account in the domain: user login script
'The basic principle is to check, during user login, the current login account and computer information in the database (created in advance)
'login is allowed if there is no currently logged-in user and computer information; if a currently logged-in account already exists, it will not be logged in
'when the user logs out or shuts down, run the logout script to delete the information recorded at login from the database
'This script is the login script
'Author: Xu Zhen v-zhenxu@microsoft.com
'2008-3-11

On Error Resume Next

Const adOpenStatic = 3
Const adLockOptimistic = 3
Const adUseClient = 3
Const E_Recordset_Not_Found = &h800A0BCD

Set obj = WScript.CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")

'Get the currently logged-in user account and computer name
CurrentUserName = WshNetwork.UserName
CurrentPcName = WshNetwork.ComputerName

'Connect to SQL Server and open the appropriate database
'Data Source=win2k3 specifies the SQL Server server name
'Trusted_Connection=no means to connect using SQL authentication, which is required
'Initial Catalog=Northwind specifies the database
'User ID=limiteduser;Password=pass01! specify the database connection account and password
objConnection.Open _
    "Provider=SQLOLEDB;Data Source=win2k3;" & _
    "Trusted_Connection=no;Initial Catalog=Northwind;" & _
    "User ID=limiteduser;Password=pass01!;"

objRecordSet.CursorLocation = adUseClient

'get all the records in the adlogin table; use the table name that matches your actual setup
objRecordSet.Open "SELECT * FROM adlogin", _
    objConnection, adOpenStatic, adLockOptimistic

If Err.Number = E_Recordset_Not_Found Then
    WScript.Echo "no table!"
    WScript.Quit 1
End If

'Look in the result set for the record whose currentloginuser field matches the current login account
strSearchCriteria = "currentloginuser = '" & CurrentUserName & "'"
objRecordSet.Find strSearchCriteria

'If there is no record for the current user in the result set, no one is currently using the account:
'allow the user to log in and record the current user, computer, and login time in the database
If objRecordSet.EOF Then
    objRecordSet.AddNew
    objRecordSet("currentloginuser") = UCase(CurrentUserName)
    objRecordSet("currentloginpc") = UCase(CurrentPcName)
    objRecordSet("logintime") = Now()
    objRecordSet.Update
'If there is a record for the currently logged-in user in the result set, the account is already in use; two cases are handled
Else
    'Check the name of the currently logged-in computer again. If it differs from the computer recorded in the database,
    'the same account is being used to log in on a different computer: display a prompt and force the user to log out
    If UCase(objRecordSet.Fields.Item("currentloginpc")) <> UCase(CurrentPcName) Then
        'There is a risk here: while the warning message box is displayed, a user who ignores the prompt and opens Task Manager
        'to kill the script host process can bypass the login limit. To close this hole, delete the warning box shown in the
        'following three lines; the user then gets no chance to open Task Manager, unless the user is The Flash
        WScript.Echo "The user account " & objRecordSet.Fields.Item("currentloginuser") & " has logged in on " & _
            objRecordSet.Fields.Item("currentloginpc") & _
            ", so you can't log in using the same user account. Please call the administrator!"
        obj.Run "logoff"
    'If the current login computer is the same as the one in the database, the same account is logged in on the same computer:
    'allow the login and update the login time in the database.
    'This mainly prevents an abnormal shutdown of the computer from leaving the record in the database undeleted, which would
    'lock the user out: if the client shuts down abnormally, or the network fails, the user can still log in as long as the
    'next login is on the same computer; only the login time is updated
    Else
        objRecordSet("logintime") = Now()
        objRecordSet.Update
    End If
End If

objRecordSet.Close
objConnection.Close


'** here is the logout script **
'restrict repeated login of the same account in the domain: user logout script
'The basic principle is to check, during user login, the current login account and computer information in the database (created in advance)
'login is allowed if there is no currently logged-in user and computer information; if a currently logged-in account already exists, it will not be logged in
'when the user logs out or shuts down, run the logout script to delete the information recorded at login from the database
'This script is the logout script
'Author: Xu Zhen v-zhenxu@microsoft.com
'2008-3-11

On Error Resume Next

Const adOpenStatic = 3
Const adLockOptimistic = 3
Const adUseClient = 3
Const E_Recordset_Not_Found = &h800A0BCD

Set objConnection = CreateObject("ADODB.Connection")
Set objRecordSet = CreateObject("ADODB.Recordset")
Set WshNetwork = WScript.CreateObject("WScript.Network")

'get the currently logged-in user account and computer name
CurrentUserName = WshNetwork.UserName
CurrentPcName = WshNetwork.ComputerName

'Connect to SQL Server and open the appropriate database
'Data Source=win2k3 specifies the SQL Server server name
'Trusted_Connection=no means to connect using SQL authentication, which is required
'Initial Catalog=Northwind specifies the database
'User ID=limiteduser;Password=pass01! specify the database connection account and password
objConnection.Open _
    "Provider=SQLOLEDB;Data Source=win2k3;" & _
    "Trusted_Connection=no;Initial Catalog=Northwind;" & _
    "User ID=limiteduser;Password=pass01!;"

objRecordSet.CursorLocation = adUseClient

'get all the records in the adlogin table; use the table name that matches your actual setup
objRecordSet.Open "SELECT * FROM adlogin", _
    objConnection, adOpenStatic, adLockOptimistic

If Err.Number = E_Recordset_Not_Found Then
    WScript.Echo "no table!"
    WScript.Quit 1
End If

'Look in the result set for the record whose currentloginuser field matches the current login account
strSearchCriteria = "currentloginuser = '" & CurrentUserName & "'"
objRecordSet.Find strSearchCriteria

'delete the user's login record, but only if it was written from this computer
'(if no record was found, there is nothing to delete)
If Not objRecordSet.EOF Then
    If UCase(objRecordSet.Fields.Item("currentloginpc")) = UCase(CurrentPcName) Then
        objRecordSet.Delete
    End If
End If

objRecordSet.Close
objConnection.Close

The above is the complete content of this article, "how to restrict the script for repeated logins of accounts in a domain on different computers". Thank you for reading! I believe you now have a basic understanding of it, and I hope the content shared here helps you. If you want to learn more, you are welcome to follow the industry information channel!
