LimitLogin capabilities include:
- Limiting the number of logins per user from any machine in the domain, including Terminal Server sessions.
- Displaying the login information of any user in the domain according to a specific criterion (e.g. all the logged-on sessions to a specific client machine or Domain Controller, or all the machines a certain user is currently logged on to).
- Easy management and configuration by integrating with the Active Directory MMC snap-ins.
- Ability to delete and log off user sessions remotely, straight from the Active Directory Users and Computers MMC snap-in.
- Generating Login information reports in CSV (Excel) and XML formats.
Please keep in mind that this tool is Not Supported (similar to a resource kit or support tool).
This has been a feature that Novell has had for over a decade in its directory services implementation. With the introduction of Windows® Server 2003 Service Pack 1, the Windows® Server System Family base network operating system will now have this capability. Anyone who has the Windows® Server 2003 Service Pack 1 bits has this feature today. This feature will not be backported to the Windows® 2000 Server Family. The following describes how to enable this feature, along with background on what it does and its documentation. Please spread the word to your customers, as this is public information, and ping me if you need assistance with explaining this, demoing, etc.
1. For the time being this tool is provided as is and has no PSS support. If there are any issues, please direct them to me for now. So far a few dozen early adopters around the globe have been given this tool with no issues.
2. Please rename the attached tool to .exe. This tool enables access based directory enumeration on a share by setting the property. The syntax is:
markshareforABDE.exe <sharename> <0=off/1=on> (Optional: <servername>)
There are two options to run this tool. You can either run it on the server and skip the optional argument or run it on a remote machine and specify a server name.
3. If someone wants to write a tool themselves, they would need to use the NetShareSetInfo API (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/netsharesetinfo.asp). To enable ABDE, you need to set a flag in a SHARE_INFO_1005 structure (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netmgmt/netmgmt/share_info_1005_str.asp). The new flag to enable ABDE is #define SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS 0x0800.
4. There will be a KB article that will come out at the same time as SP1 which describes the feature and how to enable it.
5. This feature is disabled by default, and the only ways to enable it are this tool, writing an interface to enable it, or the command line.
6. Explanation of how a Server Message Block (SMB) server enumerates a directory – Before the introduction of Access Based Directory Enumeration in Windows® Server 2003 Service Pack 1, when the contents of a directory on an SMB server were enumerated, the server handling the access request would display all directories that were shared on that server. When the end user selected a directory that he/she did not have access to, he/she would get an error message stating that access was denied.
Access Based Directory Enumeration filters out directory entries that the requesting user does not have access to. To enable this feature a property needs to be set on the share that is exported from the server.
http://www.microsoft.com/downloads/details.aspx?FamilyID=04A563D9-78D9-4342-A485-B030AC442084&displaylang=en
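The NetShareSetInfo call from item 3, written out in C as an added example (not the attached tool and not Microsoft's code). It reads the share's current level-1005 flags first so that turning ABDE on or off leaves every other share flag as it was; the function names abde_apply and abde_set are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#include <lm.h>   /* link with netapi32.lib */
#endif
#ifndef SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS
#define SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS 0x0800  /* value quoted on this page */
#endif

/* Added example, not the original tool. Returns the share flags with only the
   ABDE bit changed; every other bit is passed through untouched. */
uint32_t abde_apply(uint32_t flags, int enable)
{
    const uint32_t bit = SHI1005_FLAGS_ENFORCE_NAMESPACE_ACCESS;
    return enable ? (flags | bit) : (flags & ~bit);
}

#ifdef _WIN32
/* Read-modify-write at info level 1005. server == NULL means the local machine. */
static NET_API_STATUS abde_set(LPWSTR server, LPWSTR share, int enable)
{
    SHARE_INFO_1005 *cur = NULL, next;
    DWORD parm_err = 0;
    NET_API_STATUS rc = NetShareGetInfo(server, share, 1005, (LPBYTE *)&cur);
    if (rc != NERR_Success)
        return rc;
    next.shi1005_flags = abde_apply(cur->shi1005_flags, enable);
    NetApiBufferFree(cur);
    return NetShareSetInfo(server, share, 1005, (LPBYTE)&next, &parm_err);
}

/* Same argument order as the tool above: <sharename> <0|1> [servername] */
int wmain(int argc, wchar_t **argv)
{
    if (argc < 3) {
        fwprintf(stderr, L"usage: abde <sharename> <0|1> [servername]\n");
        return 2;
    }
    return abde_set(argc > 3 ? argv[3] : NULL, argv[1], argv[2][0] == L'1') == NERR_Success ? 0 : 1;
}
#else
/* Off Windows only the flag arithmetic can run; 0x0031 is a constructed value. */
int main(void)
{
    printf("0x%04x -> 0x%04x\n", 0x0031u, (unsigned)abde_apply(0x0031u, 1));
    return 0;
}
#endif
```

Writing a SHARE_INFO_1005 that contains only 0x0800 would clear whatever other flags the share already had, which is why the current value is fetched with NetShareGetInfo before the set.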