How to Set Logon Hours in Active Directory

This guide explains how to set logon hours for users in Active Directory using ADUC or PowerShell, including steps to restrict logon times and manage user access.

To set logon hours for a user in Active Directory, you can easily do this through the Active Directory Users and Computers (ADUC) console. Logon hours help you control when a user can access their account. Here’s a step-by-step guide on how to set it up:

Method 1: Using Active Directory Users and Computers (ADUC)

  1. Open Active Directory Users and Computers:
    • Press Windows Key + R, type in dsa.msc, and hit Enter. You can also find "Active Directory Users and Computers" by searching in the Start menu.
  2. Find the User Account:
    • In the ADUC console, head over to the Users container (or the organizational unit (OU) where the user account is located).
    • Right-click on the user account you want to modify and select Properties.
  3. Set Logon Hours:
    • In the user properties window, click on the Account tab.
    • Hit the Logon Hours button.
    • A grid will pop up showing the days of the week at the top and the hours of the day on the side.
    • To allow logon during certain hours, click and drag over the grid to highlight the hours when the user can log in. Unhighlight any hours to block access during those times.
    • Click OK when you’re finished.
  4. Apply the Changes:
    • Finally, click OK in the user properties window to save your changes.

Method 2: Using PowerShell

You can also set logon hours for a user in Active Directory using PowerShell. Here’s a simple PowerShell script that lets you specify logon hours.

  1. Open PowerShell:
    • Press Windows Key + X and select Windows PowerShell (Admin).
  2. Set Logon Hours:
    • You can use the Set-ADUser cmdlet along with the LogonWorkstations parameter to limit logon hours. However, setting specific time restrictions like you can in the GUI is a bit more complicated and usually requires scripts or policies

Here’s a basic script to set a user’s login workstation (though it won’t specify exact hours):

Set-ADUser -Identity "username" -LogonWorkstations "workstation1,workstation2"

When it comes to more intricate restrictions on logon hours, it's common to rely on group policies or third-party tools to make sure these rules are enforced.

Limitations and Notes:

  • Logon hours only come into play during interactive logons, like when you log into a computer or a domain.
  • These settings won’t limit access for non-interactive logons, such as those made through network shares or services.
  • To set up logon hours for users in Active Directory, you need to be a domain administrator.

Frequently asked questions: