I have a remote-access VPN, which is authenticated against an RSA SecurID server, and also against Active Directory.
For complicated internal policy reasons, someone has made a request that we are able to suspend access after a set number of logins per user.
For example, user john.doe can log in 100 times, but after that, his account will be disabled in AD until manually reinstated.
I'm having a hard time figuring out how and where best to configure this.
Any ideas?
Limiting Concurrent Logins
There is no built-in Microsoft method to limit concurrent user logins, sorry. However, third party tools have come to the rescue for this. If you're on Server 2003 (shame on you), then the free LimitLogin tool might work. If you're on 2008 R2 and above, then have a look at UserLock. It's not free, but does what you need. Lastly, if you are on a budget you MAY be able to script out something. There is an example here.
Also more script examples here, and here. Good luck!
Limiting Total Logins
If - as @JacobEvans suggested - you are looking at Total number of logins instead of concurrency, then you can check the AD attribute Logon-Count. The catch is, you'd have to sum the LogonCount from all DCs. I'd imagine you want to have a look here for how to count DCs and combine the script here here for how to count logons. An example.
If scripting isn't your thing then paid-for tools like ManageEngine or the Netwrix suite of tools DO have reports that list the number of times a user has logged in.
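A sketch of the total-logins approach described in the answer above, as an added example that is not part of the original post or the scripts it links to: it sums the non-replicated logonCount attribute across every domain controller and disables the account once the limit is reached. The function names, the `-Baseline` parameter and the default limit of 100 (the figure from the question) are assumptions made for illustration.

```powershell
# Added example: requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-TotalLogonCount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $total = 0
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # logonCount is stored per DC and never replicated, so ask each one
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties logonCount -ErrorAction Stop
            # The attribute is empty on a DC that never authenticated this user
            if ($null -ne $user.logonCount) { $total += [int]$user.logonCount }
        }
        catch {
            # An unreachable DC turns the total into an undercount; surface it
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }
    return $total
}

function Disable-UserOverLogonLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Limit = 100,   # assumption: example figure from the question
        [int]$Baseline = 0   # hypothetical: total recorded at the last reinstatement
    )

    # Count only logons since the account was last reinstated
    $used = (Get-TotalLogonCount -SamAccountName $SamAccountName) - $Baseline
    if ($used -ge $Limit -and $PSCmdlet.ShouldProcess($SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $SamAccountName
    }
    [pscustomobject]@{ User = $SamAccountName; LogonsSinceBaseline = $used; Limit = $Limit }
}

# Dry run for the account named in the question; remove -WhatIf to enforce
Disable-UserOverLogonLimit -SamAccountName 'john.doe' -WhatIf
```

logonCount is kept per account, not per service, so the total includes logons other than VPN sessions. Because the counter keeps growing after an account is re-enabled, record the total at reinstatement and pass it as `-Baseline` on later runs.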