Limit Concurrent Logins on a Windows Server based Network

UserLock allows organizations to prevent or limit concurrent logins to a Microsoft Windows Server based Network, per user or user group and per session type (workstation, terminal, interactive, VPN/RAS or IIS). Limitations can be set in a granular way and can vary from one user to another or one group to another.


Windows Concurrent Sessions Control

With UserLock you will be able to define and enforce the maximum number of:

  • Concurrent workstations where a user can be logged on
  • Terminal sessions that a user can open
  • Simultaneous Wi-fi & VPN sessions that a user can open
  • Simultaneous IIS sessions that a user can open
  • Total of sessions (of all kinds) that a user can open

Define a maximum limit for combinations of several kinds of sessions

You can, for example, set a custom limit so that the number of workstation sessions plus the number of Wi-fi & VPN sessions can never be greater than one.

Administrators can also choose to either:

Allow users to remotely logoff an existing session

If the total number of allowed sessions has been reached, users can remotely close a previous session from the new login attempt. This forces an immediate logoff on the previous session but can mean unsaved documents are lost.

Grant users only a single (unlocked) active session

Distinguish between active and locked sessions. Here a user can open as many interactive sessions as they want, but only one can be active at a time. With direct access to previous sessions protected through automatic locking, an administrator can increase the number of permitted user sessions whilst limiting the number of concurrent logins allowed, or preventing them altogether.
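The limits described above (per session type, total, combined, and single active session) can be pictured as one check made at each logon attempt. The sketch below is an added illustration, not UserLock's code or configuration format; the `Policy`, `Session` and `evaluate` names, the session-kind identifiers and the `allow_lock_others` decision are hypothetical.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Session kinds taken from the page; the identifiers are constructed.
KINDS = ("workstation", "terminal", "wifi_vpn", "iis")

@dataclass
class Session:
    kind: str
    host: str
    locked: bool = False

@dataclass
class Policy:  # hypothetical model, not UserLock's schema
    per_kind: dict = field(default_factory=dict)  # kind -> max sessions
    total: Optional[int] = None                   # max sessions of all kinds
    combos: list = field(default_factory=list)    # [(set of kinds, max)]
    single_active: bool = False                   # one unlocked session only

def evaluate(policy, existing, kind):
    """Decide a new logon of `kind` given the user's existing sessions."""
    if kind not in KINDS:
        return "deny", f"unknown session kind {kind!r}"  # fail closed
    counts = Counter(s.kind for s in existing)
    counts[kind] += 1  # include the attempted session in every count
    limit = policy.per_kind.get(kind)
    if limit is not None and counts[kind] > limit:
        return "deny", f"{kind} limit of {limit} reached"
    for kinds, cap in policy.combos:
        if kind in kinds and sum(counts[k] for k in kinds) > cap:
            return "deny", f"combined limit of {cap} for {sorted(kinds)} reached"
    if policy.total is not None and sum(counts.values()) > policy.total:
        return "deny", f"total limit of {policy.total} reached"
    if policy.single_active and any(not s.locked for s in existing):
        return "allow_lock_others", "earlier unlocked sessions must be locked"
    return "allow", "within limits"

def demo():
    # Constructed policy: workstation + Wi-fi/VPN sessions may not exceed one.
    policy = Policy(per_kind={"terminal": 2}, total=3,
                    combos=[({"workstation", "wifi_vpn"}, 1)])
    existing = [Session("workstation", "PC-01")]  # constructed sample session
    attempts = ("wifi_vpn", "terminal", "workstation")
    return [evaluate(policy, existing, k)[0] for k in attempts]
```

A check like this is only meaningful if one component sees every session a user holds across the network, which is the tracking the next section says native Windows lacks.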

No Concurrent Login Control in Native Windows or Logon scripts

Native Windows functionality provides no way to restrict a given user account to logging on at only one computer or device at a time.

Native Windows

The reason stems from the architecture of Windows: there is no entity keeping track of all the places where a user is logged on, as each workstation or device handles that individually. Workstations talk to the domain controller, but the domain controller is only involved in the initial authentication.

Logon scripts

Solutions based on Windows logon scripts have serious drawbacks and limitations that make them unsuited to an IT infrastructure’s security requirements. Allowing logon script solutions to secure and control simultaneous sessions is a major threat to your network security.

Compliance with major regulations

Preventing or limiting simultaneous logins is required for an Information System to comply with major regulatory constraints, including for example:

Preventing Concurrent Logins significantly increases Windows network security

There are very few legitimate reasons for a user to be connected to a network from several different workstations.

Uncontrolled concurrent logins to a Windows network remain a serious security flaw and significantly increase network vulnerability.

You should be able to determine, in a very granular way, the legitimate need for simultaneous logins of each user or group of users within your organization, and to enforce that decision efficiently.

Preventing or limiting concurrent logins:

  • stops rogue users from using valid credentials at the same time as their legitimate owner
  • stops users from sharing passwords as there is a consequence on their own access to the network
  • ensures access to critical assets is attributed to individual employees
  • offers security to a wireless network and to the adoption of BYOD