Restrict logon hours

Ivan

Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have a problem with Logon Hours restrictions in Win2000 Server. I tried to
set these restrictions for some users on the domain controller, in GPO
"Automatically logoff users when logon time expires" is Enabled. When the
user is trying to log on during the restricted period, it works fine, but when the
user is already logged on, nothing happens. He can continue to work, connect
network drives .... Another strange thing is that when I use the "net accounts
/forcelogoff:10 /domain" command, it is replaced with 0 when the GPO is
applied. I cannot find where to set this in GPO. Any suggestions?
Thank you.
Ivan
 
Guest

On Mon, 8 Nov 2004 02:34:06 -0800, "Ivan" <Ivan@discussions.microsoft.com> wrote:

>I have a problem with Logon Hours restrictions in Win2000 Server. I tried to
>set these restrictions for some users on the domain controller, in GPO
>"Automatically logoff users when logon time expires" is Enabled. When the
>user is trying to log on during the restricted period, it works fine, but when the
>user is already logged on, nothing happens. He can continue to work, connect
>network drives .... Another strange thing is that when I use the "net accounts
>/forcelogoff:10 /domain" command, it is replaced with 0 when the GPO is
>applied. I cannot find where to set this in GPO. Any suggestions?
>Thank you.
>Ivan

The policy name is wrong. It does not log users off, as you have discovered.


Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com
 
Guest

Hi,

Make sure you have followed the right instructions and also enforced the
group policy for restricting the log-on hours by following the instructions
in the KB article given below:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318714

or

SUMMARY
This step-by-step article describes how to restrict the hours and days that
a user may log on to a Windows 2000 domain.

Change Logon Times for a User Account
You can set logon hours for a user account by using one of the following
methods:
• Edit the user account properties from the Active Directory Users and
Computers snap-in.
• Edit the user account properties by using the net user command.
Method 1: Using the Active Directory Users and Computers Snap-in
1. Start the Active Directory Users and Computers snap-in. To do this,
click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, click the container that contains the user account
that you want.
3. In the right pane, right-click the user account, and then click
Properties.
4. Click the Account tab, and then click Logon Hours.
5. Select all available times, and then click Logon Denied.
6. Select the times that you want to allow this user to log on to the
domain, and then click Logon Permitted.

A status line beneath the logon hours table displays the currently selected
logon times. For example, Monday through Friday from 8 AM to 5 PM.
7. When you are finished configuring logon hours, click OK, and then click
OK in the user account Properties dialog box.
8. Quit the Active Directory Users and Computers snap-in.
Method 2: Using the Net User Command-line Statement
1. Click Start, and then click Run.
2. In the Open box, type cmd, and then click OK.
3. Type net user username /times:logon_times (where username is the name of
the user account, and where logon_times are the days and times that you
want to allow access to the domain), and then press ENTER.

Use the following information to help you use the /times switch:
• Days can be spelled out (for example, Monday) or abbreviated (for example,
M,T,W,Th,F,Sa,Su).
• Hours can be in 12-hour notation (1PM or 1P.M.) or 24-hour notation
(13:00).
• A value of blank means that the user can never log on.
• A value of all means that a user can always log on.
• Use a hyphen (-) to mark a range of days or times. For example, to create
a range from Monday through Friday, type either m-f, or monday-friday. To
create a range of time from 8:00AM to 5:00PM, type either 8:00am-5:00pm,
8am-5pm, or 8:00-17:00.
• Separate the day and time items with commas (for example,
monday,8am-5pm).
• Separate units of "day and time" with semicolons (for example,
monday,8am-5pm;tuesday,8am-4pm;wednesday,8am-3pm).
• Do not use spaces between the days or times.

Examples
The following examples show how to change the logon times for a specific
user account.
• To allow a user with an account name of Bob to log on to the server from
8:00AM to 5:00PM Monday through Friday, type the following command, and then
press ENTER:
net user bob /times:monday-friday,8am-5pm
• To restrict the same user account to logon hours of 8:00AM until 1:00PM
on Monday and Friday, and from 8:00AM until 5:00PM on Tuesday through
Thursday, type the following command, and then press ENTER:
net user bob /times:monday,8:00AM-1:00PM;tuesday-thursday,8:00AM-5:00PM;friday,8:00AM-1:00PM
• To repeat the previous command, but with abbreviated days and using a
24-hour notation, type the following command, and then press ENTER:
net user bob /times:m,8:00-13:00;t-th,8:00-17:00;f,8:00-13:00
• To allow the same user account logon privileges from Monday through
Friday, 8:00AM to 12:00PM and 1:00PM to 5:00PM, type the following command,
and then press ENTER:
net user bob /times:m-f,8:00-12:00,13:00-17:00
Change Logon Times for a Group of Users
You can use the net user command with the /times switch from the
command-line or in a batch file to change logon times for a group of users
in a domain. To do this, complete the following "Step 1: Create a User
Account List" and the "Step 2: Edit Logon Hours by Using the Net User
Command" sections of this article.

Step 1: Create a User Account List
1. Start the Active Directory Users and Computers snap-in. To do this,
click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, click the organizational unit, or Users folder that
contains the user accounts that you want.
3. On the Action menu, click Export List.
4. In the Save As dialog box, type the file name that you want in the File
name box.
5. In the Save as type list, click Text (Comma Delimited)(*.csv), and then
click Save.
6. Edit the .csv file by using a text editor such as Notepad to remove
entries to which you do not want to apply the logon restrictions. The user
accounts are listed beneath a heading with one account on each line. The
following is an example of this file:
Name, Type, Description,
Joe,User,,
Sally,User,Account created for Sally,
Betty,User,,
Bob,,


Step 2: Edit Logon Hours by Using the Net User Command
Use the net user command to apply logon restrictions to the accounts in the
.csv file that you created in Step 1: Create a User Account List.
1. Click Start, and then click Run.
2. In the Open box, type cmd, and then click OK.
3. Type the following command, where file_name is the name of the .csv file
that contains the exported user accounts, and where logon_times are the
days and times that you want to allow access to the domain:
for /F "skip=1 tokens=1 delims=," %i in (file_name.csv) do net user %i
/times:logon_times
The preceding command is one line. It has been wrapped for readability.

NOTE: In the preceding command, there is a space between %i and /times.
Examples
The following examples show how to change the logon times for the user
accounts in a .csv file that is named Exportusers.csv.

NOTE: The following commands are one line. They have been wrapped for
readability.
• To allow the users to log on to the server from 8:00AM to 5:00PM Monday
through Friday, type the following command, and then press ENTER:
for /F "skip=1 tokens=1 delims=," %i in (exportusers.csv) do net user %i
/times:monday-friday,8am-5pm
• To allow the users to log on to the server from 8:00AM until 1:00PM on
Monday and Friday, and from 8:00AM until 5:00PM on Tuesday through
Thursday, type the following command, and then press ENTER:
for /F "skip=1 tokens=1 delims=," %i in (exportusers.csv) do net user %i
/times:m,8:00AM-1:00PM;t-th,8:00AM-5:00PM;f,8:00AM-1:00PM

You can use this command in a batch file. However, you must add an
additional percent (%) character to each variable. The following example
code illustrates this:
for /F "skip=1 tokens=1 delims=," %%i in (exportusers.csv) do net user %%i
/times:m,8:00AM-1:00PM;t-th,8:00AM-5:00PM;f,8:00AM-1:00PM

NOTE: In the preceding example, the command is one line. It has been
wrapped for readability.

Enforce Logon Time Restrictions Using Group Policy
You can use Group Policy to enforce the logon time restrictions that you
apply.

Step 1: Create a Group Policy Object
To create a Group Policy Object (GPO) with which to enforce client logon
restrictions:
1. Start the Active Directory Users and Computers snap-in. To do this,
click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, right-click your domain, or the organizational unit
that contains the domain controllers that you want, and then click
Properties.
3. Click the Group Policy tab, and then click New.
4. Type the name that you want to call this policy (for example, Account
logon restrictions), and then press ENTER.
5. Click Properties, and then click the Security tab.
6. Click to clear the Apply Group Policy check box for the security groups
that you want to prevent from having this policy applied. Click to select
the Apply Group Policy check box for the groups to which you want to apply
this policy. When you are finished, click OK.
Step 2: Enforce Logon Hours Restrictions
1. Start the Active Directory Users and Computers snap-in. To do this,
click Start, point to Programs, point to Administrative Tools, and then
click Active Directory Users and Computers.
2. In the console tree, right-click your domain, or the organizational unit
that contains the domain controller Group Policy Object (GPO) that you want
to edit, and then click Properties.
3. Click the Group Policy tab, select the group policy object that you
want, and then click Edit.
4. Under Computer Configuration, expand Windows Settings, expand Security
Settings, expand Local Policies, and then click Security Options.
5. In the right pane of the Group Policy snap-in, double-click
Automatically log off users when logon time expires.
6. Click to select the Define this policy setting check box, click Enabled,
and then click OK.
7. Close the Group Policy snap-in, and then click OK.
Troubleshooting
Group Policy changes are not immediately enforced. Group Policy background
processing can take up to 5 minutes to be refreshed on domain controllers,
and up to 120 minutes to be refreshed on client computers. To force
background processing of Group Policy settings, use the Secedit.exe tool.
To do this:
1. Click Start, and then click Run.
2. In the Open box, type cmd, and then click OK.
3. Type secedit /refreshpolicy user_policy, and then press ENTER.
4. Type secedit /refreshpolicy machine_policy, and then press ENTER.
5. Type exit, and then press ENTER.

Regards,

Vijay S

This posting is provided "AS IS" with no warranties, and confers no rights.
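
The /times syntax described in the KB text above, as an added example that is not part of the original thread or of the KB article: a small Python parser that expands a schedule string into the (day, hour) slots it permits, so a schedule can be checked before the for /F loop applies it to a list of accounts. It assumes whole-hour times and only the day names and abbreviations listed above; requiring both a day and a time in every unit is also an assumption of this example.

```python
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
DAY_INDEX = {name: i for i, name in enumerate(DAYS)}
DAY_INDEX.update({"m": 0, "t": 1, "w": 2, "th": 3, "f": 4, "sa": 5, "su": 6})

def _hour(text):
    """Convert 8am, 1P.M., 8:00AM or 13:00 to an hour 0-24 (whole hours only)."""
    m = re.fullmatch(r"(\d{1,2})(?::00)?(am|pm)?", text.replace(".", ""))
    if not m:
        raise ValueError(f"bad time: {text!r}")
    hour, suffix = int(m.group(1)), m.group(2)
    if suffix and not 1 <= hour <= 12:
        raise ValueError(f"bad 12-hour time: {text!r}")
    if suffix:
        hour = hour % 12 + (12 if suffix == "pm" else 0)
    if hour > 24:
        raise ValueError(f"bad time: {text!r}")
    return hour

def _days(text):
    """Expand 'monday', 'm-f' or 'sa-m' to a list of day indexes (Monday = 0)."""
    first, _, last = text.partition("-")
    if first not in DAY_INDEX or (last or first) not in DAY_INDEX:
        raise ValueError(f"bad day: {text!r}")
    a, b = DAY_INDEX[first], DAY_INDEX[last or first]
    return [(a + k) % 7 for k in range((b - a) % 7 + 1)]

def parse_times(spec):
    """Return the set of (day, hour) slots in which the schedule permits logon."""
    spec = spec.lower()
    if spec in ("", "all"):               # blank = never, all = always
        return {(d, h) for d in range(7) for h in range(24)} if spec else set()
    if " " in spec:
        raise ValueError("no spaces between days or times")
    slots = set()
    for unit in spec.split(";"):          # units of "day and time"
        days, hours = [], []
        for item in unit.split(","):
            if item[:1].isdigit():        # time range such as 8am-5pm
                start, _, end = item.partition("-")
                s, e = _hour(start), _hour(end) or 24   # 12am as an end = midnight
                if e <= s:
                    raise ValueError(f"bad time range: {item!r}")
                hours.extend(range(s, e))
            else:                         # day or day range such as t-th
                days.extend(_days(item))
        if not days or not hours:
            raise ValueError(f"unit needs a day and a time: {unit!r}")
        slots.update((d, h) for d in days for h in hours)
    return slots
```

Comparing `parse_times()` results for two spellings of a schedule shows whether they grant the same hours, and a `ValueError` flags a string that breaks the rules listed above.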
 

Ivan


Hi,
Thank you for your quick response. Certainly I was reading the article below
before I was writing my question. The problem is that I think I did
everything that is written there and the result is still poor. One example: I
am logged in to the domain, where I have two domain controllers (Win2000). In
the logon script I am mapping some shared folders on both DCs. From the server I
am opening one Microsoft Word file and Outlook is connecting to the Exchange
mailbox. The time restriction should start at i.e. 3PM. When this time comes, I
can still work with everything. When I close Outlook, I cannot start it
again, because of the time restriction. But I can still browse network drives,
map other shared folders on the server ...
Another problem is that I would like to set a notification for users i.e. 10
min before, but when I set it through net accounts /forcelogoff:10 /domain,
next time I apply the GPO, this value is back to 0 minutes.
Ivan




"S Vijay [MSFT]" wrote:

> Hi,
>
> Make sure you have followed the right instructions and also enforced the
> group policy for restricting the log-on hours by following the instructions
> in the KB article given below:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318714
>
> or
>
.................
 

Ivan


Jerold,
thanks for the message, but to tell the truth, it does not help me so much.
I can see that it does not log users off, but if you are saying that the
name of the policy is wrong, it would be very helpful to say what is the
correct name of the policy. Anyway, I was making experiments with it and I
tried to set it in Domain Security Policy, Domain Controller Security Policy,
Local Security Policy, but the result is still the same (certainly after
each change I was forcing an update with the secedit ... command).
Ivan

"Jerold Schulman" wrote:

> On Mon, 8 Nov 2004 02:34:06 -0800, "Ivan" <Ivan@discussions.microsoft.com> wrote:
>
> >I have a problem with Logon Hours restrictions in Win2000 Server. I tried to
> >set these restrictions for some users on the domain controller, in GPO
> >"Automatically logoff users when logon time expires" is Enabled. When the
> >user is trying to log on during the restricted period, it works fine, but when the
> >user is already logged on, nothing happens. He can continue to work, connect
> >network drives .... Another strange thing is that when I use the "net accounts
> >/forcelogoff:10 /domain" command, it is replaced with 0 when the GPO is
> >applied. I cannot find where to set this in GPO. Any suggestions?
> >Thank you.
> >Ivan
>
> The policy name is wrong. It does not log users off, as you have discovered.
>
>
> Jerold Schulman
> Windows: General MVP
> JSI, Inc.
> http://www.jsiinc.com
>