Restrict logon time for Active Directory users

• Author
• Recent Posts

Temitope Odemo

Temitope has over 10 years' experience as a system administrator and currently works as a QA Engineer. He focuses on software quality assurance, software testing, security, and network management.

Latest posts by Temitope Odemo (see all)

• Restrict logon time for Active Directory users - Fri, Mar 3 2023

Restrict the logon time for a single user

Follow the steps below to configure the logon hours for a single Active Directory domain user.

1. In Active Directory Users and Computers (ADUC), right-click the user account you want to configure the restriction on and select Properties.
2. On the Properties page, click the Account tab and then the Logon Hours button.
   

   Editing AD user properties

   The image below shows the Permitted or Denied hours. The Permitted color is depicted in Blue, while the Denied color is in White.

3. Click the Logon Denied option and drag your cursor across the tiny boxes showing days and hours, or select each box individually and then click Logon Permitted. The image below shows Sunday through Saturday and 12:00 AM to 9:00 AM as the permitted logon hours for the network domain.
   

   Permitted logon days and hours

4. Click the Logon Permitted option.
5. Then drag the cursor to the period when you want the logon to be denied. After the selection, choose the Logon Denied option. For example, the image below shows Sunday through Saturday from 11:00 AM to 9:00 PM as the period that a user cannot log on to the domain.
   

   Denied logon days and hours

Restrict logon time for user groups

Creating a logon for a group of users is simple. Follow these steps:

1. Create an organizational unit (OU) and give it a unique name. Create or move all the users into this OU container.
   

   Creating an Organizational Unit

2. Press CTRL + A to select all the users in the OU.
3. Right-click the highlighted users and select Properties.
   

   Group member properties

4. On the Properties page, click the Account tab, and select the Logon hours options. Click the Logon hours button.
   

   Properties of multiple items

   The Logon Hours page opens. You can now restrict the logon hours for a group of users.

Disconnect users when their logon time expires

With the help of Group Policy, you can disconnect a user who is already logged on when their logon time expires. The following steps will show you how to configure the corresponding GPO and assign it to the OU that contains the users:

1. Run gpmc.msc, right-click Group Policy Objects, and then click New to create a new GPO. Give the GPO a name. I used Logon_Restrictions in the example.
   

   Creating a new GPO

2. Right-click the new GPO and then click Edit.
   

   Editing a GPO

3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
4. In the policy pane, double-click Microsoft network server: Disconnect clients when logon hours expire.
   

   Changing the logon hours in the computer configuration GPO

5. Click Security Policy Setting, select the Define this policy setting check box, select Enabled, and then click OK.
   

   Disconnecting cliensts when lgon hours expire

When this policy is active, a user will be disconnected when the logon hours expire.

Testing logon hours

If you try to log on to your Windows machine during the Logon Denied time, you will receive this notification:

Your account has time restrictions that prevent you from signing in at this time. Please try again later

User cant login because logon hours resitriction

Conclusion

Before you restrict logon time for the users in your organization, make sure that you have an official confirmation from management. It is also important to inform users about the logon time restriction before you enable the policy.