
I have a remote-access VPN, which is authenticated against a RSA SecurID server, and also against Active Directory.

For complicated internal policy reasons, someone has made a request that we are able to suspend access after a set number of logins per user.

For example, user john.doe can log in 100 times, but after that, his account will be disabled in AD until manually reinstated.

I'm having a hard time figuring out how and where best to configure this.

Any ideas?

Tom O'Connor
  • I would check if on the Active Directory side this counts as a normal logon. In that case, what about PowerShell / VBS? This is the path I'd go: http://blog.dabasinskas.net/count-number-of-users-who-logged-on-to-workstation-in-the-last-month-with-batch-script/ – Pitto Nov 24 '16 at 13:40
  • It will count as a normal logon, because it goes through a Citrix NetScaler and to a VDI instance, so the user has to log in to the VDI desktop. – Tom O'Connor Nov 24 '16 at 13:49
  • We need more information, like the type of VPN you use (proprietary, open-source) and the platforms (Linux, Windows, embedded systems). It could be easy on Linux / OpenVPN / PAM using a probe on logs, but way harder on Microsoft Windows, for example. – Koreth Nov 24 '16 at 13:49
  • It really shouldn't matter what VPN we use, as the authentication all takes place on Active Directory, but FWIW, it's a Citrix NetScaler providing an SSL VPN connection to Citrix XenDesktop. – Tom O'Connor Nov 24 '16 at 14:39

1 Answer

Limiting Concurrent Logins

There is no built-in Microsoft method to limit concurrent user logins, sorry. However, third party tools have come to the rescue for this. If you're on Server 2003 (shame on you), then the free LimitLogin tool might work. If you're on 2008 R2 and above, then have a look at UserLock. It's not free, but does what you need. Lastly, if you are on a budget you MAY be able to script out something. There is an example here.

For example, you could create a Windows login script component that maps a drive to the user's home directory share. If it's unable to create the mapping, then error out and log off. On each user's home directory share, you would set the maximum number of connections to 1. When the user logs in once, all's well. However, doing so twice would generate a net use error level of 1. This error could be captured in the login script to redirect to the logoff command and exit.

Also more script examples here, and here. Good luck!

Limiting Total Logins

If - as @JacobEvans suggested - you are looking at the total number of logins instead of concurrency, then you can check the AD attribute Logon-Count. The catch is, you'd have to sum the LogonCount from all DCs. I'd imagine you want to have a look here for how to count DCs and combine it with the script here for how to count logons. An example:

    ' Read the LogonCount attribute from one specific DC (atl-dc-01); the value
    ' is not replicated, so each DC returns only the logons it handled itself.
    Set objUser = GetObject _
        ("LDAP://atl-dc-01/cn=ken myer, ou=Finance, dc=fabrikam, dc=com")
    Wscript.Echo objUser.LogonCount

If scripting isn't your thing then paid-for tools like ManageEngine or the Netwrix suite of tools DO have reports that list the number of times a user has logged in.
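Putting the two halves of the answer together (enumerate the DCs, sum the non-replicated logonCount, act on the total), here is an added PowerShell example; it is not from the answer or any of the linked posts. It assumes the RSAT ActiveDirectory module, a user identified by sAMAccountName, a threshold of 100 as in the question, and that every DC is reachable over LDAP from where the script runs.

```powershell
# Added example: sum logonCount across all DCs and disable the account
# once it reaches the threshold. Not code from the original answer.
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$MaxLogons = 100,   # threshold from the question (assumption: per user)
    [switch]$ReportOnly      # print the totals but do not disable anything
)

Import-Module ActiveDirectory

$total = 0
$missed = 0
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server pins the query to that DC. logonCount is stored per DC and
        # never replicated, so each DC only knows the logons it validated.
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties logonCount -ErrorAction Stop
        $count = [int]$u.logonCount
        Write-Host ("{0,-35} {1,6}" -f $dc.HostName, $count)
        $total += $count
    } catch {
        # An unreachable DC makes the total a lower bound; say so instead of
        # silently under-counting.
        $missed++
        Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
    }
}

Write-Host "Total logonCount for ${SamAccountName}: $total (DCs not queried: $missed)"

if ($total -ge $MaxLogons) {
    if ($ReportOnly) {
        Write-Host "Would disable $SamAccountName (threshold $MaxLogons reached)"
    } else {
        # Disabling is the action the question asks for; re-enabling is manual.
        Disable-ADAccount -Identity $SamAccountName
        Write-Host "Disabled $SamAccountName after $total logons"
    }
}
```

Two caveats when turning this into a scheduled job: logonCount is bumped by every successful logon a DC validates for the account (including network logons and other services using AD), not only VPN sessions, so the threshold will be reached sooner than 100 VPN logins; and a DC that is offline during the run makes the total a lower bound, which the warning above reports.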