You can restrict logon times for Active Directory users to specific days or hours. This can be useful to enforce your corporate working hours policy, and it improves security because attackers won't be able to log on with those accounts during times when nobody is supposed to be at the office.
Latest posts by Temitope Odemo (see all)

Restrict the logon time for a single user

Follow the steps below to configure the logon hours for a single Active Directory domain user.

  1. In Active Directory Users and Computers (ADUC), right-click the user account you want to configure the restriction on and select Properties.
  2. On the Properties page, click the Account tab and then the Logon Hours button.
    Editing AD user properties

    The image below shows the permitted and denied hours. Permitted hours are shown in blue, and denied hours are shown in white.

  3. Click the Logon Denied option and drag your cursor across the tiny boxes showing days and hours, or select each box individually and then click Logon Permitted. The image below shows Sunday through Saturday and 12:00 AM to 9:00 AM as the permitted logon hours for the network domain.

    Permitted logon days and hours

  4. Click the Logon Permitted option.
  5. Then drag the cursor to the period when you want the logon to be denied. After the selection, choose the Logon Denied option. For example, the image below shows Sunday through Saturday from 11:00 AM to 9:00 PM as the period that a user cannot log on to the domain.

    Denied logon days and hours

Restrict logon time for user groups

Setting logon hours for a group of users is simple. Follow these steps:

  1. Create an organizational unit (OU) and give it a unique name. Create or move all the users into this OU container.

    Creating an Organizational Unit

  2. Press CTRL + A to select all the users in the OU.
  3. Right-click the highlighted users and select Properties.

    Group member properties

  4. On the Properties page, click the Account tab, and select the Logon hours option. Then click the Logon hours button.
    Properties of multiple items

    The Logon Hours page opens. You can now restrict the logon hours for a group of users.
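
The same group change can be scripted. The following is an added example, not part of the original article: it builds the value of the `logonHours` attribute for a Monday to Friday, 07:00 to 19:00 window, lists accounts in the OU that currently have no restriction, and previews the update. The OU distinguished name, the time window and the function name `New-LogonHoursBytes` are assumptions made for illustration.

```powershell
# Added example; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function New-LogonHoursBytes {
    param(
        [DayOfWeek[]]$Days,                     # permitted days, local time
        [ValidateRange(0, 23)][int]$StartHour,  # first permitted hour, local time
        [ValidateRange(1, 24)][int]$EndHour,    # end of the window (exclusive)
        [TimeZoneInfo]$TimeZone = [TimeZoneInfo]::Local
    )
    # logonHours holds 21 bytes = 168 bits, one per hour of the week, starting
    # Sunday 00:00 UTC. The lowest bit of each byte is the earliest hour.
    $bytes = New-Object byte[] 21
    # Standard-time offset in whole hours: the window shifts by one hour while
    # DST is in effect, and half-hour time zones cannot be matched exactly.
    $offset = [int][math]::Round($TimeZone.BaseUtcOffset.TotalHours)
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Convert the local hour-of-week to UTC and wrap around the week.
            $i = (((([int]$day * 24) + $h - $offset) % 168) + 168) % 168
            $bytes[$i -shr 3] = $bytes[$i -shr 3] -bor (1 -shl ($i -band 7))
        }
    }
    , $bytes   # the comma keeps the array from being unrolled on output
}

$OU = 'OU=Restricted,DC=example,DC=com'   # placeholder DN (assumption)
[byte[]]$hours = New-LogonHoursBytes -Days Monday, Tuesday, Wednesday, Thursday, Friday -StartHour 7 -EndHour 19

$users = Get-ADUser -SearchBase $OU -Filter * -Properties logonHours

# Accounts with no logonHours value are permitted to log on at any time.
$users | Where-Object { -not $_.logonHours } |
    Select-Object SamAccountName, DistinguishedName

# Preview the change; remove -WhatIf to write the attribute.
$users | ForEach-Object {
    Set-ADUser -Identity $_ -Replace @{ logonHours = $hours } -WhatIf
}
```

Running the listing step on a schedule shows accounts that were added to the OU after the restriction was applied and never received it.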

Disconnect users when their logon time expires

With the help of Group Policy, you can disconnect a user who is already logged on when their logon time expires. The following steps will show you how to configure the corresponding GPO and assign it to the OU that contains the users:

  1. Run gpmc.msc, right-click Group Policy Objects, and then click New to create a new GPO. Give the GPO a name. I used Logon_Restrictions in the example.

    Creating a new GPO

  2. Right-click the new GPO and then click Edit.

    Editing a GPO

  3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
  4. In the policy pane, double-click Microsoft network server: Disconnect clients when logon hours expire.

    Changing the logon hours in the computer configuration GPO

  5. Click Security Policy Setting, select the Define this policy setting check box, select Enabled, and then click OK.

    Disconnecting clients when logon hours expire

When this policy is active, a user will be disconnected when the logon hours expire.

Testing logon hours

If you try to log on to your Windows machine during the Logon Denied time, you will receive this notification:

Your account has time restrictions that prevent you from signing in at this time. Please try again later

User can't log in because of the logon hours restriction

Conclusion

Before you restrict logon time for the users in your organization, make sure that you have an official confirmation from management. It is also important to inform users about the logon time restriction before you enable the policy.

© 4sysops 2006 - 2023

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account