- Restrict logon time for Active Directory users - Fri, Mar 3 2023
Restrict the logon time for a single user
Follow the steps below to configure the logon hours for a single Active Directory domain user.
- In Active Directory Users and Computers (ADUC), right-click the user account you want to configure the restriction on and select Properties.
- On the Properties page, click the Account tab and then the Logon Hours button.
The image below shows the permitted and denied hours. Permitted hours are shown in blue, and denied hours are shown in white.
- Click the Logon Denied option and drag your cursor across the tiny boxes showing days and hours, or select each box individually and then click Logon Permitted. The image below shows Sunday through Saturday and 12:00 AM to 9:00 AM as the permitted logon hours for the network domain.
- Click the Logon Permitted option.
- Then drag the cursor to the period when you want the logon to be denied. After the selection, choose the Logon Denied option. For example, the image below shows Sunday through Saturday from 11:00 AM to 9:00 PM as the period that a user cannot log on to the domain.
Restrict logon time for user groups
Configuring logon hours for a group of users is simple. Follow these steps:
- Create an organizational unit (OU) and give it a unique name. Create or move all the users into this OU container.
- Press CTRL + A to select all the users in the OU.
- Right-click the highlighted users and select Properties.
- On the Properties page, click the Account tab, and select the Logon hours option. Click the Logon hours button.
The Logon Hours page opens. You can now restrict the logon hours for a group of users.
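The same OU-wide restriction can be scripted. The following is an added example, not part of the original article: it builds the 21-byte logonHours attribute that the Logon Hours dialog edits (168 bits, one per hour of the week, stored in UTC) and writes it to every user in an OU. The OU path and the function name New-LogonHoursBytes are hypothetical, and a whole-hour UTC offset is assumed.

```powershell
# Added example: build the logonHours value and apply it to all users in an OU.
# logonHours is 21 bytes = 168 bits; bit 0 of byte 0 is Sunday 00:00-01:00 UTC.
Import-Module ActiveDirectory

function New-LogonHoursBytes {
    param(
        [System.DayOfWeek[]]$Days,                 # days on which logon is permitted
        [ValidateRange(0, 23)][int]$StartHour,     # first permitted hour, local time
        [ValidateRange(1, 24)][int]$EndHour,       # end of the window (exclusive), local time
        # Assumption: whole-hour offset; daylight saving changes are not tracked.
        [int]$UtcOffsetHours = [int][TimeZoneInfo]::Local.BaseUtcOffset.TotalHours
    )
    $bytes = New-Object byte[] 21                  # all zero = logon denied at all hours
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            # Shift the local hour to UTC and wrap around the 168-hour week.
            $idx = ((([int]$day * 24 + $hour - $UtcOffsetHours) % 168) + 168) % 168
            $byteIndex = $idx -shr 3               # 8 hours per byte
            $bytes[$byteIndex] = $bytes[$byteIndex] -bor (1 -shl ($idx -band 7))
        }
    }
    return ,$bytes                                 # comma keeps the array intact
}

# Hypothetical OU that holds the restricted users.
$ou = 'OU=RestrictedUsers,DC=example,DC=com'

# Sunday through Saturday, 12:00 AM to 9:00 AM permitted (the first example above).
$allDays = [Enum]::GetValues([System.DayOfWeek])
$hours   = New-LogonHoursBytes -Days $allDays -StartHour 0 -EndHour 9

# Preview the change; remove -WhatIf to write the attribute.
Get-ADUser -SearchBase $ou -Filter * |
    Set-ADUser -Replace @{ logonHours = [byte[]]$hours } -WhatIf

# Audit: list accounts in the OU that still have no logon-hour restriction set.
Get-ADUser -SearchBase $ou -Filter * -Properties logonHours |
    Where-Object { -not $_.logonHours } |
    Select-Object SamAccountName
```

Users created in or moved into the OU later do not inherit the value, so the audit query at the end is worth running periodically.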
Disconnect users when their logon time expires
With the help of Group Policy, you can disconnect a user who is already logged on when their logon time expires. The following steps will show you how to configure the corresponding GPO and assign it to the OU that contains the users:
- Run gpmc.msc, right-click Group Policy Objects, and then click New to create a new GPO. Give the GPO a name. I used Logon_Restrictions in the example.
- Right-click the new GPO and then click Edit.
- Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
- In the policy pane, double-click Microsoft network server: Disconnect clients when logon hours expire.
- Click Security Policy Setting, select the Define this policy setting check box, select Enabled, and then click OK.
When this policy is active, a user will be disconnected when the logon hours expire.
Testing logon hours
If you try to log on to your Windows machine during the Logon Denied time, you will receive this notification:
Your account has time restrictions that prevent you from signing in at this time. Please try again later
Conclusion
Before you restrict logon time for the users in your organization, make sure that you have an official confirmation from management. It is also important to inform users about the logon time restriction before you enable the policy.