How to Set Logon Hours in Active Directory
This guide explains how to set logon hours for users in Active Directory using ADUC or PowerShell, including steps to restrict logon times and manage user access.
To set logon hours for a user in Active Directory, you can easily do this through the Active Directory Users and Computers (ADUC) console. Logon hours help you control when a user can access their account. Here’s a step-by-step guide on how to set it up:
Method 1: Using Active Directory Users and Computers (ADUC)
- Open Active Directory Users and Computers:
  - Press Windows Key + R, type in dsa.msc, and hit Enter. You can also find "Active Directory Users and Computers" by searching in the Start menu.
- Find the User Account:
  - In the ADUC console, head over to the Users container (or the organizational unit (OU) where the user account is located).
  - Right-click on the user account you want to modify and select Properties.
- Set Logon Hours:
  - In the user properties window, click on the Account tab.
  - Hit the Logon Hours button.
  - A grid will pop up showing the days of the week at the top and the hours of the day on the side.
  - To allow logon during certain hours, click and drag over the grid to highlight the hours when the user can log in. Unhighlight any hours to block access during those times.
  - Click OK when you’re finished.
- Apply the Changes:
  - Finally, click OK in the user properties window to save your changes.
Method 2: Using PowerShell
You can also set logon hours for a user in Active Directory using PowerShell. Here’s a simple PowerShell script that lets you specify logon hours.
- Open PowerShell:
  - Press Windows Key + X and select Windows PowerShell (Admin).
- Set Logon Hours:
  - You can use the Set-ADUser cmdlet with the LogonWorkstations parameter to restrict which workstations a user can log on from. However, setting specific time restrictions like you can in the GUI is a bit more complicated and usually requires scripts or policies.
Here’s a basic script to set a user’s login workstation (though it won’t specify exact hours):
Set-ADUser -Identity "username" -LogonWorkstations "workstation1,workstation2"
When it comes to more intricate restrictions on logon hours, it's common to rely on group policies or third-party tools to make sure these rules are enforced.
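One way to write the kind of script mentioned above, as an added example that is not part of the original guide: Set-ADUser has no dedicated logon-hours parameter, so the script builds the raw 21-byte logonHours attribute and writes it with -Replace. The function name New-LogonHoursBytes and its parameters are hypothetical, "username" is the guide's placeholder, and the UTC conversion assumes a whole-hour offset and ignores daylight saving time.

```powershell
# Added example. logonHours is 21 bytes = 168 bits, one bit per hour of the
# week, starting Sunday 00:00 UTC; a set bit means logon is allowed that hour.
function New-LogonHoursBytes {
    param(
        [Parameter(Mandatory)][System.DayOfWeek[]]$Days,              # allowed days
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$StartHour,  # first allowed hour (local)
        [Parameter(Mandatory)][ValidateRange(1, 24)][int]$EndHour,    # end of window (exclusive)
        # Assumption: whole-hour offset, standard time only (no DST adjustment)
        [int]$UtcOffsetHours = [TimeZoneInfo]::Local.BaseUtcOffset.Hours
    )
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($hour = $StartHour; $hour -lt $EndHour; $hour++) {
            # Local hour-of-week -> UTC hour-of-week, wrapping around the week
            $slot = ([int]$day * 24 + $hour - $UtcOffsetHours) % 168
            if ($slot -lt 0) { $slot += 168 }
            # Byte = slot / 8; within a byte the least significant bit is the earliest hour
            $index = $slot -shr 3
            $bytes[$index] = $bytes[$index] -bor (1 -shl ($slot -band 7))
        }
    }
    return ,$bytes   # leading comma keeps the byte[] from being unrolled
}

# Allow logon Monday to Friday, 08:00-18:00 local time
$hours = New-LogonHoursBytes -Days Monday, Tuesday, Wednesday, Thursday, Friday `
                             -StartHour 8 -EndHour 18

# Sanity check before writing: count the allowed hours in the bitmap
$allowed = 0
foreach ($b in $hours) {
    for ($i = 0; $i -lt 8; $i++) { if ($b -band (1 -shl $i)) { $allowed++ } }
}
"Allowed hours per week: $allowed"

# Write the attribute, then read it back to confirm what was stored
Import-Module ActiveDirectory
Set-ADUser -Identity "username" -Replace @{ logonHours = [byte[]]$hours }
(Get-ADUser -Identity "username" -Properties logonHours).logonHours
```

Because the bitmap is stored in UTC, the Logon Hours grid in ADUC will show the window shifted when opened on a machine in a different time zone.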
Limitations and Notes:
- Logon hours only come into play during interactive logons, like when you log into a computer or a domain.
- These settings won’t limit access for non-interactive logons, such as those made through network shares or services.
- To set up logon hours for users in Active Directory, you need to be a domain administrator.
Frequently asked questions:
- What are logon hours in Active Directory?
  Logon hours in Active Directory specify the allowed times when a user can log into their account. You can set these restrictions using Active Directory Users and Computers (ADUC) or PowerShell.
- How do I set logon hours in Active Directory?
  To set logon hours, open ADUC, select the user account, go to the Account tab, click Logon Hours, and specify allowed hours on the grid. Click OK to apply.
- Can I restrict logon hours using PowerShell?
  PowerShell doesn’t natively support detailed logon hour restrictions like the ADUC GUI. However, you can use group policies or third-party tools for more complex restrictions.
- Do logon hours restrict network or service logins?
  No, logon hours only apply to interactive logons (like logging into a computer). They do not restrict non-interactive logons, such as network access or service logons.
- Who can configure logon hours in Active Directory?
  Domain administrators can configure logon hours for user accounts in Active Directory using either Active Directory Users and Computers (ADUC) or through Group Policies.