How to Disallow Multiple Terminal Server Sessions Using a Logon Script

Posted in PowerShell at Thursday, June 29, 2006 8:02 PM W. Europe Daylight Time

If you're working with Microsoft's Terminal Services, you may know about the "Force single session" option. Essentially, turning this option on forces Terminal Services to allow just one session per user. If user Alice is logged on and another user authenticates as Alice, Alice's first session is disconnected and taken over by "the other" Alice. Concurrent sessions of Alice and Bob are not affected; that's what Terminal Services is for.

The "Force single session" option has its right to exist, but what happens if it's turned off? Going back to the example above (Alice is already logged on while the second Alice is authenticating), this would result in two Alice sessions. Imagine a scenario where it's useful to allow certain users to have multiple concurrent sessions but disallow multiple sessions for others: two administrators could do their job, but ordinary users are forced to live in a single session.

It is not possible to achieve these semantics just by leveraging the built-in functionality of Terminal Services. However, you can use Group Policy logon scripts to check if a user is already logged on in another session. Here's an example of such a script I've written using Windows PowerShell.

#
# SingleSession.ps1
#
# Logon script for users with limited session count.
#
 
#
# Global settings.
#
 
# Array of users with limited session count.
$ScriptUsers = "user1", "user2", "user3"
# Maximum number of sessions for each user above.
$MaxSessions = 1
# Logoff executable.
$LogoffCommand = $env:systemroot + "\system32\logoff.exe"
 
 
# Trim the user name.
$CurrentUser = $env:username.Trim()
 
# Welcome message.
Write-Host "Welcome to this server," $CurrentUser
 
# Cancel if a user that's not contained in $ScriptUsers logs on.
if ($ScriptUsers -inotcontains $CurrentUser)
{
    Write-Host "You do not need to run this script."
    return
}
 
# Get the number of sessions the current user owns.
$WmiUserNameExpression = "*,Name=`"" + $CurrentUser + "`""
$Sessions = get-wmiobject Win32_LoggedOnUser | `
    select Antecedent | `
    where { $_.Antecedent -ilike $WmiUserNameExpression } | `
    measure-object
 
# Log off the user if $MaxSessions is exceeded.
if ($Sessions.Count -gt $MaxSessions)
{
    Write-Host "You are already logged on in another session."
 
    # Show a message box informing the user that he will be logged off.
    $MessageBox = New-Object -ComObject WScript.Shell
    $MessageBox.Popup( `
        "There's another user connected using account " + $CurrentUser + ". Please try to reconnect later.`n`nYour session will be ended now. This window will be closed automatically after 60 seconds.", `
        # Close message box after 60 seconds.
        60, `
        "Account is being used", `
        # Error Icon.
        16)
 
    # Force logoff.
    &$LogoffCommand
}

You just need to set up the logon script using Group Policy.

  1. Enable multiple Terminal Services sessions using the Terminal Services Configuration snap-in (tscc.msc).
  2. Open the Group Policy Editor by running gpedit.msc.
  3. Assign the user logon script.
    Because the PowerShell file extension (ps1) is not linked to the PowerShell runtime, I wrote a little helper cmd file that simply starts the PowerShell script. Enter this cmd file in the Logon Scripts editor.
    rem SingleSession.cmd
    
    rem Starts SingleSession.ps1.
    
    @powershell.exe -noprofile -command SingleSession.ps1

Now, at each logon, the script checks if a user contained in $ScriptUsers logs on. If this is the case and the user already owns another session, a message box is displayed saying that he or she will be logged off. After a timeout of 60 seconds the message box closes and the session will be ended.

Basically, I rewrote the SingleSession script that existed as a cmd file for years in PowerShell because I think it's time to switch to the new well thought-out command line. PowerShellIDE, though beta-ish, has done a decent job supporting me during the short development process.
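The script above matches Win32_LoggedOnUser entries on the account name alone and counts every logon session type, including network and service logons. The following added example (not part of the original post; the function names and sample records are constructed for illustration) counts only interactive and Remote Desktop logons for an exact DOMAIN\name by joining against Win32_LogonSession.

```powershell
# Added example: helper names and sample records are constructed, not from the post.
# Logon types that are desktop sessions: 2 = Interactive, 10 = RemoteInteractive.
$DesktopLogonTypes = 2, 10

function Get-AccountFromAntecedent([string]$Antecedent)
{
    # e.g. \\.\root\cimv2:Win32_Account.Domain="CORP",Name="alice"
    if ($Antecedent -match 'Domain="([^"]+)",Name="([^"]+)"') { return $Matches[1] + '\' + $Matches[2] }
    return $null
}

function Get-LogonIdFromDependent([string]$Dependent)
{
    # e.g. \\.\root\cimv2:Win32_LogonSession.LogonId="1001"
    if ($Dependent -match 'LogonId="(\d+)"') { return $Matches[1] }
    return $null
}

function Get-DesktopSessionCount($Associations, $LogonSessions, [string]$Account)
{
    # Index logon sessions by LogonId so each association can be resolved to a type.
    $TypeById = @{}
    foreach ($s in $LogonSessions) { $TypeById[[string]$s.LogonId] = [int]$s.LogonType }
    $Count = 0
    foreach ($a in $Associations) {
        # -ine compares the whole DOMAIN\name, case-insensitively, with no wildcards.
        if ((Get-AccountFromAntecedent $a.Antecedent) -ine $Account) { continue }
        $Id = Get-LogonIdFromDependent $a.Dependent
        if ($Id -and ($DesktopLogonTypes -contains $TypeById[$Id])) { $Count++ }
    }
    return $Count
}

# Constructed sample: CORP\alice owns two RDP sessions (type 10) and one network
# logon (type 3); a local account SRV01\alice owns one RDP session.
$Acct = '\\.\root\cimv2:Win32_Account.Domain="{0}",Name="alice"'
$Sess = '\\.\root\cimv2:Win32_LogonSession.LogonId="{0}"'
$Associations = @(
    @{ Antecedent = $Acct -f 'CORP';  Dependent = $Sess -f '1001' },
    @{ Antecedent = $Acct -f 'CORP';  Dependent = $Sess -f '1002' },
    @{ Antecedent = $Acct -f 'CORP';  Dependent = $Sess -f '1003' },
    @{ Antecedent = $Acct -f 'SRV01'; Dependent = $Sess -f '1004' }
)
$LogonSessions = @(
    @{ LogonId = '1001'; LogonType = 10 }, @{ LogonId = '1002'; LogonType = 10 },
    @{ LogonId = '1003'; LogonType = 3 },  @{ LogonId = '1004'; LogonType = 10 }
)
Get-DesktopSessionCount $Associations $LogonSessions 'CORP\alice'
```

Against a live server, pass `(Get-WmiObject Win32_LoggedOnUser)`, `(Get-WmiObject Win32_LogonSession)` and `($env:USERDOMAIN + '\' + $env:USERNAME)` in place of the sample values.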

Saturday, July 01, 2006 1:20:53 PM (W. Europe Daylight Time, UTC+02:00)
Cool script,
combining WMI and COM
and using PowerShell with GP.

Greetings /\/\o\/\/
Saturday, August 30, 2008 8:47:54 PM (W. Europe Daylight Time, UTC+02:00)
I tried your script but it is not giving me any result ????
karan
Sunday, August 31, 2008 1:11:21 PM (W. Europe Daylight Time, UTC+02:00)
Karan, could you please provide a little more context?
Saturday, September 06, 2008 7:53:29 PM (W. Europe Daylight Time, UTC+02:00)
Hi alexandra, I created SingleSession.ps1 and SingleSession.cmd and put them in the logon script folder of my Win 2000 server......after that I tried both ...using logon script and putting the script name in user properties ....but nothing is happening
$ScriptUsers = "user1", "user2", "user3"
I changed this line with a few of my usernames like '711','721','731' etc .....I use numeric names for my users ...they are actually register numbers of my POS nodes in stores....
Now I open an RDP session with user 711....and tried a second connection ...but instead of logging the first session out ....it simply opens the 2 session for user 711....

I even tried the Logoff program ...but since my usernames are numeric .....it is not working in my scenario...

if you can help me out in this, i'll be very thankful to you

also let me know if we can chat ...on some messenger to tell you in detail. my email is karancapoor@gmail.com

Thanks & regards
karan



karan
Saturday, September 06, 2008 7:54:10 PM (W. Europe Daylight Time, UTC+02:00)
I even force the changes made in gpedit ....
karan
Saturday, September 06, 2008 8:13:53 PM (W. Europe Daylight Time, UTC+02:00)
Karan, my name is Alexander!

AFAIK PowerShell, which is needed to make the script work, does not install on Windows 2000. Did you try running the script (powershell.exe -noprofile -command SingleSession.ps1) in a cmd.exe session to test if PS works before posting?
Sunday, September 07, 2008 5:38:22 PM (W. Europe Daylight Time, UTC+02:00)
No, will try it on Monday ...if not what other option I have Alexander .....
karan
Sunday, September 07, 2008 5:42:34 PM (W. Europe Daylight Time, UTC+02:00)
You could write something similar using plain old batch scripting or VBScript.
Monday, September 08, 2008 3:37:20 PM (W. Europe Daylight Time, UTC+02:00)
Haven't worked on VB scripts ...but will give it a try .....I would be glad and happy if you can give me the same in VBScript.
karan
Monday, September 08, 2008 3:48:44 PM (W. Europe Daylight Time, UTC+02:00)
Can I just not install PowerShell on Win 2000 server ????
karan
Tuesday, September 09, 2008 5:24:30 PM (W. Europe Daylight Time, UTC+02:00)
Hi Alexander...I went through the script and it is not what I want to deal ...actually it will restrict the current session from logging into the terminal server if the user is already present....I want something like ...if a user is present ...log off that old session and then log in this new one.
karan
Saturday, March 21, 2009 10:09:19 AM (W. Europe Standard Time, UTC+01:00)
Hi Alexander,
How would you write this Powershell script as a VBS?