VBScript logon, logoff, startup, and shutdown scripts to enforce one logon
session per user. Each user can only be logged into one computer at a time.
These scripts should be specified in a Group Policy. All clients should have
Windows 2000 or above. The logon and logoff
scripts should be specified in a GPO that applies to all users that will
have this restriction. The startup and shutdown scripts should be specified
in a GPO that applies to all computers.
The logon script checks for the existence of a flag file in a shared folder that is named after the user and has a value written in the file based on the name of a computer other than the local computer. If such a file is found, that means the user is still logged into the other computer. The user is alerted (the message indicates which computer they must log out of) and then the user is logged off. If such a file is not found, the logon script creates a flag file in the shared folder named after the user and writes a value based on the name of the local computer. The name of the flag file is a Base64 encoding of the user's GUID value in Active Directory, so it will not be easy to tell which file corresponds to which user. In addition, the name of the computer is Base64 encoded before being written to the flag file. The path for the shared folder is hard coded in all of the programs linked on this page.
The logoff script deletes any files in the shared folder named after the user with the name of the local computer encoded in the file. This will allow the user to log into a different computer. In case the user does not logoff before the computer is shutdown, a shutdown script reads all files in the shared folder and deletes any that have the encoded computer name written to the file. Similarly, a startup script does the same thing, in case the machine is turned off or loses power before the user can logoff or shutdown.
Logon7.txt <<-- Click here to view or download the logon script program
Logoff7.txt <<-- Click here to view or download the logoff script program
Startup7.txt <<-- Click here to view or download the startup script program
Shutdown7.txt <<-- Click here to view or download the shutdown script program
The shared folder specified in these programs should be on a dependable server that is expected to be
available at all times.
All of the programs linked above also specify an alternate shared location
to write an error message to a log file if the first shared folder is not
available. This alternate folder should be on another server. The four
programs append error messages to a file called Error.log.
All users will need to have permission to read, write, and delete files in the shared folder. You can grant permissions to the group "Domain Users". In addition, all computers will need permissions to read and delete files in the shared folder, since startup and shutdown scripts run with the permissions of the computer object. You can grant permissions to the groups "Domain Computers". If users can logon to Domain Controllers, also grant permissions to the group "Domain Controllers". The same permissions are required in the alternate location, so the scripts can write to the error log.
The VBScript program linked below prompts for the "pre-Windows 2000 logon" name of a user and displays the names of any computers the user is logged into. The program finds all flag files named after the user in the shared folder, then determines the names of the computers from the contents. The program will delete the flag file is the user agrees.
FindUser.txt <<-- Click here to view or download the program
A similar program below prompts for the NetBIOS name of a computer and
displays the name of the user (if any) that is logged into the computer.
Again, the program offers to delete the flag file.
FindComputer.txt <<-- Click here to view or download the program
There are situations where a flag file will not be deleted as expected when
the user logs off. For example, the server with the shared folder may not be
available. When this happens, the user may not be able to log into a
different computer. Whenever any of the four scripts linked above fails to connect to
the shared folder, they write an error message to a log file in the
alternate location. In particular, if the logoff script Logoff7.vbs fails to
delete the flag file in the shared folder, it writes information to the
error log. The program linked below reads the error log, and from the
information written by Logoff7.vbs in these situations, can determine which
flag files to delete from the shared folder.
FlagCleanup.txt <<-- Click here to view or download the program
This program reads the time when Logoff7.vbs failed to delete the flag file, the name of the computer, and the name of the flag file, from the error message. If there is a flag file in the shared folder with the same name and the same encoded computer name, but the flag file is dated earlier than the error message, the file is deleted. This cleans up many of the failure situations, but not all.