Limit Active Directory Concurrent Logins
Across a Windows Server-based network

Limit the number of initial access points and concurrent sessions to control or prevent simultaneous logins from a single user. Set restrictions by user, group, organizational unit and session type. Ensure all access is attributed to an individual user.

The Initial Access Point

UserLock can analyze the sequence of user connections in real time to determine which is a new point of entry to the network and which is a connection made from an existing parent session.

Use Case Example 1

Deny simultaneous logins from different access points

Limit the number of initial access points to a single point of entry (per user, group or OU). Once connected, any access attempts that don’t stem from this point are automatically blocked.

Concurrent Session Control

Define the maximum number of concurrent sessions allowed (per user, group or OU), for each session type, all sessions or a combination of several sessions.

Workstation sessions

Terminal sessions

Interactive sessions

Wi-Fi & VPN sessions

IIS sessions

Specifying '0' as the value prevents the user from opening that type (or those types) of session.

Use Case Example 2

Limit to one Concurrent Workstation Session

Read a step-by-step guide on how to limit a group of users.

Use Case Example 3

Audit Concurrent Session History

Report on all domain users with simultaneous sessions opened within a given day.

Options to reduce any friction for your end users

Administrator options exist to help strike a careful balance between security and end-user friction:

Allow users to remotely logoff an existing session

If the total number of allowed sessions has been reached, users can remotely close a previous session from the new login attempt. This forces an immediate logoff on the previous session but can mean unsaved documents are lost.

Grant users only a single (unlocked) active session

Here a user can open as many interactive sessions as they want, but only one can be active at a time. Direct access to previous sessions is protected through automatic locking.

Limit simultaneous logins and mitigate against credential misuse

Uncontrolled concurrent logins pose obvious security risks. Preventing or limiting concurrent logins helps to:

Stop careless behavior such as password sharing, shared workstations left unlocked or the same user logged in to multiple machines.

Stop stolen passwords being used at the same time as the legitimate owner.

Attribute all access and network actions to a unique user.

Ensure accountability for all actions to help discourage malicious user activity.

Concurrent Logins For Regulatory Compliance

Preventing or limiting simultaneous logins is required for an Information System to comply with major regulatory constraints, including for example:

HIPAA

Address HIPAA compliance to keep patient data safe

PCI DSS

Address PCI DSS compliance to keep sensitive cardholder data safe

Sarbanes-Oxley (SOX)

Comply with Sarbanes-Oxley (SOX) security regulations

ISO 27001

Address network and information access for ISO 27001 compliance

NIST 800-53

Address NIST 800-53 compliance to keep federal data safe

And more

No Concurrent Login Control With Group Policy or Logon scripts

Native Windows functionality offers no way to restrict a given user account to logging on at only one computer or device at a time.

Group Policy

The reason stems from the architecture of Windows: there is no entity keeping track of all the places where a user is logged on, because each workstation or device handles that individually. Workstations talk to the domain controller, but the domain controller is only involved in the initial authentication.
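Because no single Windows component holds the full picture, a report of simultaneous sessions (as in Use Case Example 3) has to be built by gathering logon and logoff records from every machine into one place and correlating them. The following is an added example, not UserLock code: the record layout, host names and the `concurrent_sessions` function are assumptions made for illustration, and it assumes the day's events have already been collected centrally.

```python
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records (not real log data): (time, user, host, event).
# In practice each workstation only knows its own sessions, so records such
# as Security log logon (4624) and logoff (4634) events must be centralized.
EVENTS = [
    ("2024-03-04 08:55", "alice", "WS-01", "logon"),
    ("2024-03-04 09:10", "bob",   "WS-02", "logon"),
    ("2024-03-04 11:30", "alice", "WS-07", "logon"),   # overlaps WS-01
    ("2024-03-04 12:00", "alice", "WS-07", "logoff"),
    ("2024-03-04 12:30", "bob",   "WS-02", "logoff"),
    ("2024-03-04 13:00", "bob",   "WS-03", "logon"),   # sequential, no overlap
    ("2024-03-04 17:00", "alice", "WS-01", "logoff"),
    ("2024-03-04 17:05", "bob",   "WS-03", "logoff"),
]

def concurrent_sessions(events, limit=1):
    """Return {user: (peak_count, hosts_at_peak)} for users exceeding `limit`."""
    open_hosts = defaultdict(set)   # user -> hosts with a session open right now
    peaks = {}
    # Order by time; at the same minute process logoffs first so that a
    # logoff followed immediately by a logon is not counted as an overlap.
    ordered = sorted(
        events, key=lambda e: (datetime.strptime(e[0], FMT), e[3] != "logoff")
    )
    for _ts, user, host, kind in ordered:
        if kind == "logon":
            open_hosts[user].add(host)
        elif kind == "logoff":
            # discard() tolerates a logoff whose logon was never recorded
            open_hosts[user].discard(host)
        count = len(open_hosts[user])
        if count > limit and count > peaks.get(user, (0,))[0]:
            peaks[user] = (count, sorted(open_hosts[user]))
    return peaks

if __name__ == "__main__":
    for user, (count, hosts) in concurrent_sessions(EVENTS).items():
        print(f"{user}: {count} simultaneous sessions on {', '.join(hosts)}")
```

A session whose logoff record is missing (for example after a crash) stays open in this model, so such gaps show up as apparent overlaps and need to be reconciled before acting on the report.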

Logon scripts

Solutions based on Windows login scripts have serious drawbacks and limitations that make them unsuited to an IT infrastructure's security requirements. Relying on login script solutions to secure and control simultaneous sessions is a major threat to your network security.

More Context Aware Restrictions

Restrictions by number of simultaneous connections work alongside the other UserLock contextual access restrictions (session type, origin and time constraints) to best protect and secure Active Directory user access.

Session type

Control workstation, terminal, Wi-Fi, VPN and IIS sessions to protect both interactive sessions and network access for remote and mobile users.

Origin

Limit access by location with controls at workstation, device, IP range, organizational unit (OU), department, floor and building levels.

Time

Limit access to specific timeframes and set daily, weekly or monthly time quotas, maximum session times and idle session time.

Download UserLock

Supported systems:
Windows XP | Windows Server 2003 | Windows Vista | Windows Server 2008 | Windows 7 | Windows Server 2008 R2 | Windows 8 | Windows Server 2012 | Windows 8.1 | Windows Server 2012 R2 | Windows 10 (64-bit computers included) | Windows Server 2016

Demo restriction: 30-day full version with no user limits