How can I lock out an account after a certain number of successful logins?
I have a remote-access VPN, which is authenticated against an RSA SecurID server, and also against Active Directory.
For complicated internal policy reasons, someone has made a request that we are able to suspend access after a set number of logins per user.
For example, user john.doe can log in 100 times, but after that, his account will be disabled in AD until manually reinstated.
I'm having a hard time figuring out how and where best to configure this.
Any ideas?
Solution 1:
Limiting Concurrent Logins
There is no built-in Microsoft method to limit concurrent user logins, sorry. However, third-party tools have come to the rescue for this. If you're on Server 2003 (shame on you), then the free LimitLogin tool might work. If you're on 2008 R2 and above, then have a look at UserLock. It's not free, but does what you need. Lastly, if you are on a budget you MAY be able to script out something. There is an example here.
For example, you could create a Windows login script component that maps a drive to the user's home directory share. If it's unable to create the mapping, then error out and log off. On each user's home directory share, you would set the maximum number of connections to 1. When the user logs in once, all's well. However, doing so twice would generate a net use error level of 1. This error could be captured in the login script to redirect to the logoff command and exit.
Also more script examples here, and here. Good luck!
Limiting Total Logins
If - as @JacobEvans suggested - you are looking at the total number of logins instead of concurrency, then you can check the AD attribute Logon-Count. The catch is, you'd have to sum the LogonCount from all DCs. I'd imagine you want to have a look here for how to count DCs and combine the script here for how to count logons. An example:

' Read the per-DC logonCount of one user from one specific DC (atl-dc-01);
' the attribute is not replicated, so repeat this against every DC and sum the results
Set objUser = GetObject _
    ("LDAP://atl-dc-01/cn=ken myer, ou=Finance, dc=fabrikam, dc=com")
Wscript.Echo objUser.LogonCount
If scripting isn't your thing then paid-for tools like ManageEngine or the Netwrix suite of tools DO have reports that list the number of times a user has logged in.
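As an added example that is not part of the answer above, the following PowerShell script does the per-DC summing the answer describes with the RSAT ActiveDirectory module: it queries logonCount on every domain controller, adds them up per user, and disables the account once the total reaches the 100-login threshold from the question. The user list, the threshold and the $Disable switch are assumptions for illustration.

```powershell
# Added example: sum logonCount across every DC (the attribute is not replicated),
# then disable accounts whose total reaches the policy threshold.
# Assumes the RSAT ActiveDirectory module and rights to read users and disable accounts.
Import-Module ActiveDirectory

$Threshold = 100                 # per-user login limit from the question
$Users     = @('john.doe')       # sAMAccountNames to check (constructed sample)
$Disable   = $false              # $false = report only; $true = actually disable

# Every DC in the domain; logonCount must be read from each one individually
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

foreach ($sam in $Users) {
    $total = 0
    $queried = 0
    foreach ($dc in $DCs) {
        try {
            $u = Get-ADUser -Identity $sam -Server $dc -Properties logonCount -ErrorAction Stop
            $total += [int]$u.logonCount
            $queried++
        } catch {
            # An unreachable DC is skipped, so the sum is a lower bound
            Write-Warning "Could not query $sam on ${dc}: $($_.Exception.Message)"
        }
    }
    Write-Output ("{0}: {1} logons across {2} of {3} DCs" -f $sam, $total, $queried, $DCs.Count)

    if ($total -ge $Threshold) {
        if ($Disable) {
            Disable-ADAccount -Identity $sam
            Write-Output "$sam disabled (threshold $Threshold reached)"
        } else {
            Write-Output "$sam would be disabled (set `$Disable = `$true to enforce)"
        }
    }
}
```

Run it on a schedule (for example a scheduled task under a service account) rather than interactively, and keep $Disable at $false until the reported totals match what you expect, since a DC that could not be queried makes the sum undercount.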