LimitLogin is a login management tool specially designed for Windows Server 2003. It is very powerful, including limiting the number of user logins in the domain, classifying the login information of any user in the domain, and integrating it into AMD (Active Directory MMC). Manage configuration and generate login information in CSV and XML format. These functions are not very meaningful for ordinary users, but have a wide range of needs for business users such as banks, libraries, and ISPs.
Download and install
Currently, Microsoft has not provided an official site, if you are interested, you can get it from http://download.microsoft.com/download/f/d/0/fd05def7 -68a1-4f71-8546-25c359cc0842/limitlogin.exe download, the latest version is 1.0. The basic configuration requirements for this software are Windows XP+.Net Framework 1.1 or Windows Server 2003. Microsoft's recommendation is Windows 2003 Domain Controller and there is at least one Windows 2003 Domain Controller in the domain.
LimitLogin installation process is very complex, divided into the following steps:
1. Install LimitLogin Web Service
As shown in Figure 1, the name of the Web Service needs to be customized during installation. The default is WSLimitLogin. If you need to change it, please be sure to remember it, because it will be used in Active Directory Setup. To this name, you can also customize the port number for accessing the Web Service here.
2. Install LimitLogin Active Directory
After the LimitLogin Web Service starts running, you need to continue to install LimitLogin's Active Directory Setup and run the downloaded LimitLoginADSetup.msi, as shown in Figure 2. Here are three checkboxes. You are installing for the first time, then please select all.
(1) Prepare your Active Directory Forest for LimitLogin. This option will do the following: update the configuration, join the LimitLogin AD MMC control menu; extend the Forest schema, including the LimitLogin class and properties.
here, you need to have permissions Schema Administrator, and then a dialog box appears, click the "OK" button to confirm, the system will be in \\% windir% \\ system32 \\ and \\ program files \\ Limitlogin \\ directory Create a detailed log below. After this step is complete, you can start configuring the domain to LimitLogin.
(2) Pepare your Active Directory Domain for LimitLogin. This option will perform the following operations: create and configure llogin.vbs, llogoff.vbs, limitlogin.wsdl and other files; create an application directory area for LimitLogin.
in "Domain Setup" window shown in Figure 3, we need to provide the following three parameters: Scripts Share Folder name, save the script and the shared area wsdl file, all authenticated users will run under Limitlogin, Must be able to access the shared area; IIS Server name, IIS machine name running LimitLogin Web Service; Name of LimitLogin Web Service, you know the reason you need to keep in mind before!
As for the check box at the bottom of the window, it was originally configured for the installation of the system. It is recommended to select it as well. Next, we need to create the LimitLogin application directory area. A dialog box will pop up. You can select the Domain Controller that needs to establish the LimitLogin application directory area in the drop-down list box. After successfully completing this step, it will display the installation of the Domain setup. The last tip.
(3) Install LimitLogin AD MMC add-in tools on this Machine. This option will only run at the end, mainly to copy some files to the \\%windir% directory, where you can only run LimitLogin machines from Active Directory MMC. Later, if you want to run the LimitLogin AD MMC add-on tool, simply select "LimitLogin Tasks" from a user, machine or OU/Container.
It should be noted that you can run LimitLoginADSetup.msi to choose to install on the computer you want to use AD MMC integration function, or you can use "\\program files\\limitlogin\\LimitLoginADSetup.exe" in turn. "/ForestPrep" and "/DomainPrep" are set.
Manual configuration and script
First, you need to copy the "\\Program Files\\LimitLogin\\Scripts" folder to the shared folder specified in the "Domain Setup" step, for example \\\\ Servername\\Share.
1. Steps for Configuring Login and Logoff Scripts
(1) Turn on Active Directory Users and Computers.
(2) Right-click domain object to open the properties window, switch to the Group Policy tab, and then modify the default policy Domain.
(3) Select "User Configuration → Windows Settings → Scripts", in Logon script, adding llogin.vbs shared path from the script; the script Logoff, adding llogoff.vbs shared path from the script.
2. Configure "Trust for Delegation"
(1) Open Active Directory Users and Computers.
(2) Right click on the IIS server object in "Domain→Computers", open the properties window and switch to the Delegation tab.
(3) Select "Trust this computer for delegation to specifIEd services only" and "Use Kerberos only".
(4) Click the "Add" button, select the name DC (Domin Controller) computer, obtain a list of available services, we need to select the LDAP service for computers on the domain.
Alternatively, you can trust all services by selecting the "Trust this computer for delegation to any service" option.
Setting the LimitLogin Client
In order to work under the LimitLogin service, we need to run LimitLoginClIEntSetup.msi on each domain member machine to install the client. The client installation includes:
(1) SOAP Runtime (requires connection to the Web Service).
(2) WTSApiAx.dll (before sending to the Web Service needs to collect Session ID).
(3) LLoginSessions.exe (optional, when exceeded the limit, to the list of users logged on before the show).
LimitLogin Client Configuration There are many ways to install the package, for example using SMS, login scripts, Group Policies the like, a relatively simple approach is to run the client installation in Silent mode, then the command can be run following code LimitLoginClIEntSetup.msi /qn", or you can refer to the http://msdn.microsoft.com/library/default.asp?url=/library/en-us/msi/setup/command_line_options.ASP page for introduction, here is not say
diagnosis and maintenance
LimitLogin there is a very important command-line program:. LLogincmd.exe, this file can be found in the local "\\ program files \\ LimitLogin" directory, including the following parameters :
/Diag or /d: Display status information.
/Report or /r: Generate a login CSV file report for the domain.
/Update or /u: Collect, verify, and compare user information on the domain to ensure it is always up to date.
/ClearLogins or /c: Clear all login information from the database.