VBScript logon, logoff, startup, and shutdown scripts to enforce one logon session per user. Each user can only be logged into one computer at a time. These scripts should be specified in a Group Policy. All clients should have Windows 2000 or above. The logon and logoff scripts should be specified in a GPO that applies to all users that will have this restriction. The startup and shutdown scripts should be specified in a GPO that applies to all computers.

The logon script checks for the existence of a flag file in a shared folder that is named after the user and has a value written in the file based on the name of a computer other than the local computer. If such a file is found, that means the user is still logged into the other computer. The user is alerted (the message indicates which computer they must log out of) and then the user is logged off. If such a file is not found, the logon script creates a flag file in the shared folder named after the user and writes a value based on the name of the local computer. The name of the flag file is a Base64 encoding of the user's GUID value in Active Directory, so it will not be easy to tell which file corresponds to which user. In addition, the name of the computer is Base64 encoded before being written to the flag file. The path for the shared folder is hard coded in all of the programs linked on this page.

The logoff script deletes any files in the shared folder named after the user with the name of the local computer encoded in the file. This will allow the user to log into a different computer. In case the user does not logoff before the computer is shutdown, a shutdown script reads all files in the shared folder and deletes any that have the encoded computer name written to the file. Similarly, a startup script does the same thing, in case the machine is turned off or loses power before the user can logoff or shutdown.

Logon7.txt <<-- Click here to view or download the logon script program

Logoff7.txt <<-- Click here to view or download the logoff script program

Startup7.txt <<-- Click here to view or download the startup script program

Shutdown7.txt <<-- Click here to view or download the shutdown script program

The shared folder specified in these programs should be on a dependable server that is expected to be available at all times. All of the programs linked above also specify an alternate shared location to write an error message to a log file if the first shared folder is not available. This alternate folder should be on another server. The four programs append error messages to a file called Error.log.

All users will need to have permission to read, write, and delete files in the shared folder. You can grant permissions to the group "Domain Users". In addition, all computers will need permissions to read and delete files in the shared folder, since startup and shutdown scripts run with the permissions of the computer object. You can grant permissions to the groups "Domain Computers". If users can logon to Domain Controllers, also grant permissions to the group "Domain Controllers". The same permissions are required in the alternate location, so the scripts can write to the error log.

The VBScript program linked below prompts for the "pre-Windows 2000 logon" name of a user and displays the names of any computers the user is logged into. The program finds all flag files named after the user in the shared folder, then determines the names of the computers from the contents. The program will delete the flag file is the user agrees.

FindUser.txt <<-- Click here to view or download the program

A similar program below prompts for the NetBIOS name of a computer and displays the name of the user (if any) that is logged into the computer. Again, the program offers to delete the flag file.

FindComputer.txt <<-- Click here to view or download the program

There are situations where a flag file will not be deleted as expected when the user logs off. For example, the server with the shared folder may not be available. When this happens, the user may not be able to log into a different computer. Whenever any of the four scripts linked above fails to connect to the shared folder, they write an error message to a log file in the alternate location. In particular, if the logoff script Logoff7.vbs fails to delete the flag file in the shared folder, it writes information to the error log. The program linked below reads the error log, and from the information written by Logoff7.vbs in these situations, can determine which flag files to delete from the shared folder.

FlagCleanup.txt <<-- Click here to view or download the program

This program reads the time when Logoff7.vbs failed to delete the flag file, the name of the computer, and the name of the flag file, from the error message. If there is a flag file in the shared folder with the same name and the same encoded computer name, but the flag file is dated earlier than the error message, the file is deleted. This cleans up many of the failure situations, but not all.