Limit concurrent logins in Active Directory across a Windows server based network
Limit concurrent logins and concurrent sessions to control and properly attribute access to a single user. Set restrictions by user, group, organizational unit, and session type.

The initial access point
UserLock can analyze the sequence of user connections in real time to determine whether each one is a new point of entry to the network or a connection made from an existing parent session.
Use case example 1
Deny simultaneous logins from different access points
Limit the number of initial access points to a single point of entry (per user, group or OU). Once connected, any access attempts that don’t stem from this point are automatically blocked.

Concurrent session control
Define the maximum number of concurrent sessions allowed (per user, group or OU), for each session type, all sessions, or a combination of several sessions.
Specifying '0' as the value will prevent the user from opening sessions of that type or those types.
Use case example 2
Limit access to one concurrent workstation session
Read a step-by-step guide on how to set concurrent workstation session limits for a group of users.

Use case example 3
Audit simultaneous session history
Report on all domain users with simultaneous sessions opened within a given day.
Reduce friction for end users
With granular policies, you can find the right balance between security and end-user friction for your team.
Allow users to remotely logoff an existing session
If the total number of allowed sessions has been reached, users can remotely close a previous session from the new login attempt. This forces an immediate logoff on the previous session but can mean unsaved documents are lost.
Grant users only a single (unlocked) active session
Here a user can open as many interactive sessions as they want, but only one can be active at a time. Direct access to previous sessions is protected through automatic locking.
Limit simultaneous logins and mitigate against credential misuse
Uncontrolled concurrent logins pose obvious security risks. Enforcing concurrent logon limits helps boost your security posture in several ways.
Stop careless behavior
Prevent password sharing, avoid shared workstations being left unlocked, and block the same user from logging on to multiple machines.
Stop unauthorized access
Ensure stolen passwords can't be used at the same time as the legitimate owner.
Attribute all access
Prove you can assign network access events to a unique user.
Ensure accountability
Hold users accountable for all actions to help discourage malicious user activity.
Concurrent logins for regulatory compliance
Preventing or limiting simultaneous logins is a common Information Systems requirement across major cybersecurity compliance standards and cyber insurance providers.
GDPR
Address GDPR compliance to keep personal data safe
HIPAA
Address HIPAA compliance to keep patient data safe
PCI DSS
Address PCI DSS compliance to keep sensitive cardholder data safe
Sarbanes-Oxley
Comply with Sarbanes-Oxley (SOX) security regulations
ISO 27001
Address network and information access for ISO 27001 compliance
NIST
Address NIST 800-53 and NIST 800-171 compliance to keep federal data safe
“The most important capability is the ability to prevent concurrent logins and credential sharing between the users.
Administrators can also instantly react to session activity, a huge value to the day-to-day operation.”
Andreas N.Matheou
Infrastructure Team Head | Bank of Cyprus
“With UserLock, we no longer have 30 students logged in with the same username at once.
We’ve not only eliminated concurrent logins but now also have the ability to accurately track down and discipline individuals for inappropriate activities.”
Patrick McGlinchey
Technology Systems Specialist | Camden City School District
UserLock is the only solution on the market that allows our organization to fulfill the CMS compliance requirements – a user is only able to log on to one workstation at a given time.
Technology Editor for Active Directory
Leading US Healthcare Insurance Provider
Go beyond AD group policy and logon scripts to limit concurrent logins
Native Windows tools offer no way to limit a given user account to logging on at only one computer or device at a time. Many turn to AD group policy and logon scripts, but these solutions bring important limitations.
Group policy
Limiting concurrent logins through Active Directory Group Policy is unreliable because of how Windows architecture works. Each workstation or device tracks user logon sessions independently. While they communicate with the domain controller (DC) for initial authentication, the DC doesn't track or coordinate user session activity across devices. This means there's no centralized visibility or control, so it's easy for concurrent sessions to go undetected.
Logon scripts
Using Windows logon scripts to control simultaneous sessions comes with serious limitations. These scripts run locally and aren’t designed to track user sessions across multiple machines or enforce real-time restrictions. They can be bypassed, fail to execute consistently, and offer no central visibility or control. Relying on them to manage concurrent logins can pose a threat to your network security.
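As an added illustration (not UserLock code and not part of the original page): because each host records its own logons, spotting concurrent sessions means collecting events centrally and correlating them per user. The example assumes simplified, constructed records built from Security event IDs 4624 (logon) and 4634 (logoff); the tuple layout, host names and the `concurrent_sessions` function are hypothetical.

```python
from datetime import datetime

# Constructed sample: simplified Security-log records gathered from several hosts.
# Fields: timestamp, host, event id (4624 logon / 4634 logoff), user, logon id, logon type.
EVENTS = [
    ("2024-05-06T08:00:00", "WS-01", 4624, "alice", "0x1a2b", 2),
    ("2024-05-06T08:30:00", "WS-07", 4624, "alice", "0x77f0", 10),
    ("2024-05-06T09:00:00", "WS-07", 4634, "alice", "0x77f0", 10),
    ("2024-05-06T12:00:00", "WS-01", 4634, "alice", "0x1a2b", 2),
    ("2024-05-06T08:10:00", "WS-02", 4624, "bob", "0x0c11", 2),
    ("2024-05-06T10:00:00", "WS-02", 4634, "bob", "0x0c11", 2),
    ("2024-05-06T10:05:00", "WS-03", 4624, "bob", "0x0d42", 2),    # still open
    ("2024-05-06T08:15:00", "FS-01", 4624, "alice", "0x9e00", 3),  # network logon
]
INTERACTIVE = {2, 10}  # logon types: interactive and RemoteInteractive (RDP)


def concurrent_sessions(events, limit=1):
    """Return {user: [(time, hosts)]} for each logon that pushes a user past `limit`."""
    open_sessions = {}  # user -> set of (host, logon_id) currently open
    violations = {}
    # ISO-8601 timestamps sort chronologically as plain strings.
    for ts, host, event_id, user, logon_id, logon_type in sorted(events):
        if logon_type not in INTERACTIVE:
            continue  # skip network/service logons; they are not user sessions
        sessions = open_sessions.setdefault(user, set())
        if event_id == 4624:
            sessions.add((host, logon_id))
            if len(sessions) > limit:
                hosts = sorted({h for h, _ in sessions})
                violations.setdefault(user, []).append(
                    (datetime.fromisoformat(ts), hosts))
        elif event_id == 4634:
            # The logon id is only unique per host, so match on the pair.
            sessions.discard((host, logon_id))
    return violations


if __name__ == "__main__":
    for user, hits in concurrent_sessions(EVENTS).items():
        for when, hosts in hits:
            print(f"{user}: {len(hosts)} hosts at {when:%H:%M} -> {', '.join(hosts)}")
```

This only reports overlaps after the fact; it cannot block the second logon, which is the gap the two paragraphs above describe.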
More context aware restrictions
Restrictions by number of simultaneous connections work alongside the other UserLock contextual access restrictions (session type, origin and time constraints) to best protect and secure Active Directory user access.
Time
Limit access to specific timeframes and set daily, weekly or monthly time quotas, maximum session times and idle session time.
Session type
Control workstation, terminal, Wi-Fi, VPN and IIS sessions to protect both interactive sessions and network access for remote and mobile users.
Origin
Limit access by location with controls at workstation, device, IP range, organizational unit (OU), department and country.
Force remote logoff after idle time
Watch how IT administrators can set an automatic forced logoff, on all locked or open machines, after a certain idle time with UserLock. This includes remote desktop sessions opened by the domain user.
Login logout time tracking for employees
Learn how UserLock makes it easy to manage and react to employees’ attendance, overtime thresholds, productivity and suspicious login logout times.
Remotely manage, respond and logoff Windows Session Events
UserLock allows administrators to easily track, manage and respond to Windows sessions remotely. Real-time visibility into user activity, and the ability to react to it, helps both optimize PC resources and save time.