Limit concurrent logins
in Active Directory Across a Windows Server Based Network

Limit the number of initial access points and concurrent sessions to control or prevent simultaneous logins from a single user. Set restrictions by user, group, organizational unit and session type. Ensure all access is attributed to an individual user.

Start a free trial Book a Demo
Limit Active Directory Concurrent Logins

The Initial Access Point

UserLock can analyze in real-time, the sequence of user connections to determine which is a new point of entry to the network or a connection performed from an existing parent session.

Initial Access Point

Use Case Example 1

Deny simultaneous logins from different access points

Limit the number of initial access points to a single point of entry (per user, group or OU). Once connected, any access attempts that don’t stem from this point are automatically blocked.

Watch video

Concurrent Session Control

Define the maximum number of concurrent sessions allowed (per user, group or OU), for each session type, all sessions or a combination of several sessions.

Workstation sessions

Terminal sessions

Interactive sessions

Wi-Fi & VPN sessions

IIS sessions

Specifying '0' as the value will prevent the user from opening this type/types of session.

Use Case Example 2

Limit to one Concurrent Workstation Session

Read a step-by-step guide on how to limit a group of users.

Limit to one Concurent Workstation Session

Use Case Example 3

Audit Concurrent Session History

Report on all domain users with simultaneous sessions opened within a given day.

Audit Concurrent History Session

Options to reduce any friction for your ends users

Administrator options exist to help strike a careful balance between security and end-user friction:

Allow users to remotely logoff an existing session

If the total number of allowed sessions has been reached, users can remotely close a previous session from the new login attempt. This forces an immediate logoff on the previous session but can mean unsaved documents are lost.

Grant users only a single (unlocked) active session

Here a user can open as many interactive sessions as they want but only one can be active at a time. Direct access to previous sessions are protected through automatic locking.

Reduce any friction

Limit simultaneous logins and mitigate against credential misuse

Uncontrolled concurrent logins pose obvious security risks. Preventing or limiting concurrent logins:

Stop careless behavior

such as password sharing, shared workstations left unlocked or same user login to multiple machines.

Stop stolen passwords

being used at the same time as the legitimate owner

Attribute all access

and network actions to a unique user

Ensure accountability

for all actions to help discourage malicious user activity.

Concurrent Logins For Regulatory Compliance

Preventing or limiting simultaneous logins is required for an Information System to comply with major regulatory constraints, including for example:

GDPR

Address GDPR compliance
to keep personal data safe

HIPAA

Address HIPAA compliance
to keep patient data safe

PCI DSS

Address PCI DSS compliance to keep sensitive cardholder data safe

Sarbanes Oxley’s (SOX)

Comply with Sarbanes Oxley’s (SOX) security regulations

ISO 27001

Address network and information access for ISO 27001 compliance

NIST 800-53

Address NIST 800-53 compliance
to keep federal data safe

And more

"One of UserLock’s most important capabilities is the ability to prevent concurrent logins and credentials sharing between users."

"With UserLock, we no longer have 30 students logged in with the same username at once. We’ve not only eliminated concurrent logins but now also have the ability to accurately track down and discipline individuals for inappropriate activities."

"UserLock is the only solution on the market that allows our organization to fulfill the CMS compliance requirements – a user is only able to log on to one workstation at a given time."

Andreas N. Matheou
Head Infrastructure Team - Bank of Cyprus
Read the full case study

Patrick McGlinchey
Technology Systems Specalist - Camden City School District
Read the full case study

Technology Editor for Active Directory,
Leading US Healthcare Insurance Provider
Read the full case study

No Concurrent Login Control With Group Policy or Logon scripts

There is no way in Windows native functionality to limit a given user account from logging on at one computer or device at a time.

Group Policy

The reason stems from the architecture of Windows; there is no entity keeping track of all the places where a user is logged on as each workstation or device handles that individually. Workstations talk to the domain controller but the domain controller is only involved in the initial authentication.
Read more

Logon scripts

Solutions based on windows login scripts present serious drawbacks and limitations to suit IT infrastructure's security requirements. Allowing login script solutions to secure and control simultaneous sessions is a major threat to your network security.
Read more

Get the UserLock Web App

Monitor and respond to network sessions quickly, easily, and from anywhere with the UserLock Web App.

Discover

New UserLock Web App

More Context Aware Restrictions

Restrictions by number of simultaneous connections work alongside the other UserLock contextual access restrictions (session type, origin and time constraints) to best protect and secure Active Directory user access.

Session typeSession type

Session type

Control workstation, terminal, Wi-Fi, VPN and IIS sessions to protect both interactive sessions and network access for remote and mobile users.

Read more

Origin

Origin

Limit access by location with controls at workstation, device, IP range, organizational unit (OU),
department and country.

Read more

Time

Limit access to specific timeframes and set daily, weekly or monthly time quotas, maximum session times and idle session time.

Read more

UserLock

Request a personalized demo now

Discover how UserLock can help you meet your needs.

Demo

Secure Active Directory Credentials with Multi-Factor Authentication (MFA)

Read More