Blocking Weekend Access to Computer

Last response: in Windows XP
May 23, 2011 8:04:08 PM

Hello,

I have a computer attached to a domain that is being accessed on the weekends without permission of the user of that machine.

I have been researching for a way to locally set the hours of access for all users (local and domain) for this machine.

The closest I have come is the Local Security Policy Deny Log On Locally but this is an all or nothing ON/OFF policy.

I want to be able to set Windows to not allow logons on the weekends. I do not have access to the Domain Controller so it must be a local policy solution.

I am also restricted from loading 3rd party software onto the machine to perform such a task.

Hope someone can help.
May 23, 2011 11:46:42 PM

Quote:
I have a computer attached to a domain that is being accessed on the weekends without permission of the user of that machine.


does the user lock the machine when he leaves for the weekend?

Quote:
The closest I have come is the Local Security Policy Deny Log On Locally but this is an all or nothing ON/OFF policy.

I want to be able to set Windows to not allow logons on the weekends. I do not have access to the Domain Controller so it must be a local policy solution.


you still need Admin rights to implement this policy
May 24, 2011 1:39:31 PM

I have admin rights to the box but not to the domain. The machine is turned off on the weekends but that is not a problem for the unauthorized user; they have physical access to the box. All they need do is turn it on if it is off or cold boot it if an account is locked.

May 24, 2011 1:44:44 PM


Have I missed something, or why doesn't simple password protection of all the User Accounts take care of this? You could disable the Guest account but no one could do much harm in there anyway.

The System Administrator needs to be in on this for you to do much more than that but maybe he or she doesn't have a problem with what's happening.


May 24, 2011 1:58:10 PM

This is a large university and the sysadmin stuff is decentralized so the help is little and far between. The users probably have accounts but successful logins are not recorded in the Event Viewer so not much info can be gained there. And since this is a semi public machine (in the main suite of a department office) there is all manner of profiles listed in C:\Documents and Settings\
May 24, 2011 3:08:52 PM

Here is my workaround.

I wrote this quick logon script called weekend.bat
    @ECHO OFF
    CLS
    REM The first three characters of %date% are the day name (e.g. "Sat") in this machine's date format.
    SET DAY=%date:~0,3%
    IF /I [%DAY%] == [Sat] GOTO :LOGOFF
    IF /I [%DAY%] == [Sun] GOTO :LOGOFF
    :END
    REM Weekday: let the logon continue.
    ECHO NOT Logging off.
    EXIT /b
    :LOGOFF
    REM Weekend: force an immediate shutdown.
    ECHO Logons are not permitted on the weekends for this terminal. Shutting down the system.
    SHUTDOWN -s -f -t 00 -c "Weekend access attempted"


And added it to C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon and pointed the user logon script at it.

This appears to do the trick when I test it with the current day of the week instead of the weekend days.
May 24, 2011 4:20:33 PM

so will this also work if I go into the BIOS and change the date?
May 24, 2011 5:27:56 PM

I don't know; does Windows get its date info from the BIOS or from a server? The university has a time server; which takes precedence?
May 24, 2011 5:38:16 PM

According to this ARTICLE LINK Windows pulls the time from the BIOS first. I can more easily set up a BIOS password on that box but as a system wide solution perhaps I can get the date from the time server in the script and check against that...

UPDATE: after checking a bit and changing the date on my test machine I have found that Windows does not like it when the BIOS date and the date from the last known sync with an authoritative time server are drastically different. It does not allow the user to log in and suggests seeing the sysadmin.
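
An added example, not part of the thread: the same weekend check written as a VBScript logon script. It takes the day of the week as a number instead of parsing %date% (whose layout follows the regional settings) and writes an event log entry naming the account before shutting down. The file name weekend.vbs and the event text are constructed for this example, and the script still trusts the local clock.

```vbscript
' weekend.vbs - added example, not code from the thread.
' Assumption: assigned as the user logon script in place of weekend.bat.
Option Explicit

Const EVT_WARNING = 2   ' WshShell.LogEvent type 2 = warning

' True when d falls on Saturday or Sunday. Weekday() returns a number
' (vbSunday = 1 ... vbSaturday = 7), so the result does not depend on
' the regional date format the way %date:~0,3% does.
Function IsWeekend(d)
    Dim n
    n = Weekday(d, vbSunday)
    IsWeekend = (n = vbSunday Or n = vbSaturday)
End Function

Sub Main()
    Dim shell, net, who

    If Not IsWeekend(Now) Then Exit Sub   ' weekday: let the logon continue

    Set shell = CreateObject("WScript.Shell")
    Set net = CreateObject("WScript.Network")

    ' Record which account attempted the logon before the machine goes down.
    who = net.UserDomain & "\" & net.UserName
    On Error Resume Next   ' a failed log write must not skip the shutdown
    shell.LogEvent EVT_WARNING, "Weekend logon attempt by " & who & _
        " on " & net.ComputerName & " at " & Now
    On Error GoTo 0

    ' Same forced, immediate shutdown as the batch version (hidden window).
    shell.Run "shutdown -s -f -t 00 -c ""Weekend access attempted""", 0, False
End Sub

Main
```

The entries appear in the Application log under the source WSH, with the timestamp taken from the same local clock the check uses.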