Restrict Multiple Logins in Domain (AD)

I have always asked my colleagues this question: "How do I restrict multiple logins in an Active Directory setup?"

So here is the answer

Create a marker file when a user logs on, and check for that file each time a logon request is received: if the file exists, log the user off; if it is not present, allow the logon and create the file. It's that simple.

Below is the step-by-step process to achieve this using Group Policy.

Assumptions:

  1. Windows 2003 AD is being used
  2. \\server\logons (the share referenced by the scripts below) is shared, and write access is given to Everyone

The Steps

Step 1) Create two batch files in C:\WINDOWS\SYSVOL\sysvol\domain.name\scripts\logon

File 1: login.bat

@echo off
:: A marker for this user already exists, so the user is logged on elsewhere
If Exist \\server\logons\%username%.txt Goto notlogon
:: Record the new session: one marker per user and one per computer
Echo %username% logged in from %computername% > \\server\logons\%username%.txt
Echo %username% logged in from %computername% > \\server\logons\%computername%.txt
Goto end
:notlogon
:: Second concurrent logon: end this session immediately
Logoff
:end

File 2: logout.bat

@echo off
:: No marker for this computer means the logon script never recorded this session
If Not Exist \\server\logons\%computername%.txt goto notlogon
:: Remove both markers so the user can log on from any client again
Del \\server\logons\%username%.txt
Del \\server\logons\%computername%.txt
Goto end
:notlogon
Logoff
:end

Step 2) Modify Group Policy

Edit the Group Policy linked to the OU where you want to disable multiple logins. In the Group Policy Object Editor, navigate to

User Configuration > Windows Settings > Scripts (Logon/Logoff)

Add the login.bat created earlier under Logon and logout.bat under Logoff.

Adding Login Script on Group Policy

That's it. Now when a user logs on, files named after the username and the computer name are created in \\server\logons, and he/she will not be able to log on to another computer; once the user logs off, these files are deleted automatically and the user is allowed to log on to any client again. Note that the markers are removed only by the logoff script: a client that crashes or is powered off without logging off leaves its marker behind, and that user stays locked out until the marker is deleted from the share.
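As an added example that is not part of the original post, here is a PowerShell counterpart to login.bat that parses the marker text written by the batch script ("user logged in from computer") so that a stale marker left by the same machine, for instance after a crash, does not lock that user out of their own computer. It assumes the \\server\logons share from the post; the function names and parameters are illustrative.

```powershell
# Added example (not the post's own script): PowerShell logon script that
# tolerates a stale marker left behind by the same computer.
# Assumes the share \\server\logons described in the post.
param(
    [string]$Share    = '\\server\logons',
    [string]$User     = $env:USERNAME,
    [string]$Computer = $env:COMPUTERNAME
)

function Get-MarkerComputer {
    # Return the computer name recorded in a marker written by login.bat,
    # or $null if the file does not have the expected "X logged in from Y" form.
    param([string]$Path)
    $line = Get-Content -Path $Path -ErrorAction Stop | Select-Object -First 1
    if ($line -match '^(?<user>\S+) logged in from (?<computer>\S+)\s*$') {
        return $Matches['computer']
    }
    return $null
}

function Test-LogonAllowed {
    # No marker: first session, allow. Marker present: allow only when it was
    # left by this same computer (a stale marker), otherwise deny as login.bat does.
    param([string]$Share, [string]$User, [string]$Computer)
    $userMarker = Join-Path $Share "$User.txt"
    if (-not (Test-Path $userMarker)) { return $true }
    $recorded = Get-MarkerComputer -Path $userMarker
    return ($null -ne $recorded -and $recorded -ieq $Computer)
}

function New-SessionMarkers {
    # Write the same two markers, in the same format, that login.bat writes,
    # so logout.bat can still clean them up.
    param([string]$Share, [string]$User, [string]$Computer)
    $text = "$User logged in from $Computer"
    Set-Content -Path (Join-Path $Share "$User.txt")     -Value $text
    Set-Content -Path (Join-Path $Share "$Computer.txt") -Value $text
}

if (Test-LogonAllowed -Share $Share -User $User -Computer $Computer) {
    New-SessionMarkers -Share $Share -User $User -Computer $Computer
} else {
    # Same outcome as the :notlogon branch of login.bat
    logoff.exe
}
```

A marker that cannot be parsed is treated as a live session and the logon is denied, which keeps the conservative behaviour of the batch version.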

This was simple