Blocking Weekend Access to Computer

[biggandyy]

Hello,

I have a computer attached to a domain that is being accessed on the weekends without permission of the user of that machine.

I have been researching for a way to locally set the hours of access for all users (local and domain) for this machine.

The closest I have come is the Local Security Policy Deny Log On Locally but this is an all or nothing ON/OFF policy.

I want to be able to set Windows to not allow logons on the weekends. I do not have access to the Domain Controller so it must be a local policy solution.

I am also restricted from loading 3rd party software onto the machine to perform such a task.

Hope someone can help.

 

[Emerald]

I have a computer attached to a domain that is being accessed on the weekends without permission of the user of that machine.

does the user lock the machine when he leaves for the weekend?

The closest I have come is the Local Security Policy Deny Log On Locally but this is an all or nothing ON/OFF policy.

I want to be able to set Windows to not allow logons on the weekends. I do not have access to the Domain Controller so it must be a local policy solution.

you still need Admin rights to implement this policy

 

[biggandyy]

I have admin rights to the box but not to the domain. The machine is turned off on the weekends but that is not a problem for the unauthorized user; they have physical access to the box. All they need do is turn it on if it is off or cold boot it if an account is locked.

 

[Saga Lout]

Have I missed something or why does not simple password protection of all the User Accounts take care of this? You could disable the Guest account but no-one could do much harm in there anyway.

The System Administrator needs to be in on this for you to do much more than that but maybe he or she doesn't have a problem with what's happening.

 

[biggandyy]

This is a large university and the sysadmin stuff is decentralized so the help is little and far between. The users probably have accounts but successful logins are not recorded in the Event Viewer so not much info can be gained there. And since this is a semi public machine (in the main suite of a department office) there is all manner of profiles listed in C:\Documents and Settings\

 

[biggandyy]

Here is my workaround.

I wrote this quick logon script called weekend.bat

@ECHO OFF
CLS
SET DAY=%date:~0,3%
IF /I [%DAY%] == [Sat] GOTO :LOGOFF
IF /I [%DAY%] == [Sun] GOTO :LOGOFF
:END
ECHO NOT Logging off.
EXIT /b
:LOGOFF
ECHO Logons are not permitted on the weekends for this terminal.  Shutting down the system.
SHUTDOWN -s -f -t 00 -c "Weekend access attempted"

And added it to C:\WINDOWS\System32\GroupPolicy\User\Scripts\Logon and pointed the user logon script at it.

This appears to do the trick when I test it with the current day of the week instead of the weekend days.

 

[Emerald]

so will this also work if I go into the BIOS and change the date?

 

[biggandyy]

I don't know, does Windows get it's date info from the bios or from a server? The university has a time server, which takes precedence?

 

[biggandyy]

According to this ARTICLE LINK Windows pulls the time from the BIOS first. I can more easily set up a BIOS password on that box but as a system wide solution perhaps I can get the date from the time server in the script and check against that...

UPDATE: after checking a bit and changing the date on my test machine I have found that Windows does not like it when the BIOS date and the date from the last known sync with an authoritative time server are drastically different. It does not allow the user to log in and suggests to see the sysadmin.