Ooops. I gave out some duff information about limiting logons

  • Article

As Eileen has already said our team spent last week at the BETT show. My first "proper" IT job after leaving university was working for RM who are the biggest supplier of IT to education and I did a couple of BETT shows when I worked for them; it's the main UK IT-in-education show and it's huge - 30,000 visitors over 4 days. I never thought I'd be doing another one.

I find stand duty at shows tiring - I need a bit of a push to do it, Eileen volunteered the team ... Once I'm there it's interesting to meet a different set of customers to those who come to our events, doubly so when the customers are a market segment like education that I don't deal with much day-to-day. My days at RM taught me that IT managers in education have a unique set of challenges - not least of which is the IT is managed by people who are teachers first and IT people second. In business we're used to the user-per-PC model; in schools PCs are shared. So a couple of people asked me a question which I got wrong.

"Can we limit the number of workstations where a user is logged on". Now here's the problem. Windows logs users onto a machine.  It logs users onto file shares, web servers, RPC and terminal sessions. Domains allow a central pool of accounts to be used for those logons and granting permissions. And this hasn't really changed since OS/2 LAN Manager; we use Kerberos to do the job these days, but the idea remains the same. The service which authenticates you, and the service which you are using are different. So. You logon to your computer and it gets domain controller A to validate you; then you connect to a terminal server it it gets Domain controller B to validate you. The two Domain controllers don't share information, and they don't know when your session has ended. You can create a system which sets a central flag when someone logs on and clears it at log off, but this isn't helpful in a school - switching the machine off without logging out will prevent the next logon. You hear the cries of "Miss I can't log on" ... ah yes, something else for business IT managers to note. Your daft users break the system accidentally. In schools the smart users break it for sport.

So I had the bright idea. The SHUTDOWN command line utility has a "logout" option....  so why not write a batch file at logon ...  so the logon script has 2 lines

Call logoff%username%.bat
Echo   SHUTDOWN /m \\%computername% /L > logOff%username%.bat

Unfortunately the /L command won't log off a user on a remote machine. I don't think anything we provide [In the box] will solve this problem but I'm hoping someone will correct me.
Update 1: Thanks to Richard who pointed out in a comment below that we do have a resource kit tool to do this. I can't say how sessions which are not ended gracefully are handled (yet).

Update 2: Thanks to Steve for his comment. The sysinternals command should do the job as I first conceived it ... now someone needs to test it to see if a non-admin user can log themselves off a remote machine. It will fail to log off anyone else.