How to Set Logon Hours in Active Directory
This guide explains how to set logon hours for users in Active Directory using ADUC or PowerShell, including steps to restrict logon times and manage user access.
To set logon hours in Active Directory for a user, you can use the Active Directory Users and Computers (ADUC) console. Logon hours are used to restrict the times during which a user is allowed to log into their account. Here’s how you can configure it:
Method 1: Using Active Directory Users and Computers (ADUC)
- Open Active Directory Users and Computers:
  - Press Windows Key + R, type dsa.msc, and hit Enter. Alternatively, you can search for "Active Directory Users and Computers" in the Start menu.
- Find the User Account:
  - In the ADUC console, navigate to the Users container (or the organizational unit (OU) where the user account is stored).
  - Right-click on the user account for which you want to set the logon hours and select Properties.
- Set Logon Hours:
  - In the user properties window, go to the Account tab.
  - Click on the Logon Hours button.
  - A grid will appear with the days of the week listed along the top and hours of the day along the side.
  - To allow logon during specific hours, click and drag over the grid to highlight the hours when the user can log on. Unhighlight hours to block access during those times.
  - Click OK when you are done.
- Apply the Changes:
  - Click OK in the user properties window to apply the changes.
Method 2: Using PowerShell
You can also use PowerShell to set logon hours for a user in Active Directory. Here’s a PowerShell script that allows you to specify the logon hours.
- Open PowerShell:
  - Press Windows Key + X and choose Windows PowerShell (Admin).
- Set Logon Hours: You can use the Set-ADUser cmdlet along with the LogonWorkstations parameter to restrict logon hours. However, detailed time-specific restrictions like those in the GUI are more complex and not directly configurable via simple PowerShell commands. Typically, you'd use scripts or policies to enforce these.
Here's a basic script to set a user’s login workstation (though not exact hours):
Set-ADUser -Identity "username" -LogonWorkstations "workstation1,workstation2"
For more complex logon hour restrictions, group policies or third-party tools are often used to enforce this.
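The grid that ADUC edits is stored on the user object as the logonHours attribute, a 21-byte bitmap with one bit per hour of the week in UTC, which a script can build and write with Set-ADUser -Replace. The following is an added example, not part of the original guide; the account name jdoe, the Monday to Friday 08:00-18:00 schedule and the two helper function names are assumptions chosen for illustration.

```powershell
# Added example (not from the original guide); 'jdoe' and the schedule are constructed values.
# logonHours is 21 bytes = 168 bits, one bit per hour of the week, stored in UTC.
# Bit 0 (least significant) of byte 0 is Sunday 00:00-00:59 UTC.
function New-LogonHoursBytes {
    param(
        [Parameter(Mandatory)][DayOfWeek[]]$Days,
        [Parameter(Mandatory)][ValidateRange(0, 23)][int]$StartHour,  # first allowed hour, local time
        [Parameter(Mandatory)][ValidateRange(1, 24)][int]$EndHour,    # exclusive end, local time
        # Whole-hour offsets only; BaseUtcOffset ignores daylight saving time.
        [int]$UtcOffsetHours = [int][TimeZoneInfo]::Local.BaseUtcOffset.TotalHours
    )
    $bytes = New-Object byte[] 21
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Shift the local hour-of-week to UTC, wrapping around the week boundary.
            $slot = ((([int]$day * 24 + $h - $UtcOffsetHours) % 168) + 168) % 168
            $bytes[$slot -shr 3] = $bytes[$slot -shr 3] -bor (1 -shl ($slot -band 7))
        }
    }
    return , $bytes
}

# Render a logonHours value as seven rows of 24 flags (1 = logon allowed), for review or audit.
function ConvertFrom-LogonHoursBytes {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    for ($d = 0; $d -lt 7; $d++) {
        $row = for ($h = 0; $h -lt 24; $h++) {
            $slot = $d * 24 + $h
            if ($Bytes[$slot -shr 3] -band (1 -shl ($slot -band 7))) { '1' } else { '0' }
        }
        '{0,-9} (UTC) {1}' -f [DayOfWeek]$d, (-join $row)
    }
}

# Build and preview the bitmap offline (offset 0 keeps the sample readable).
$hours = New-LogonHoursBytes -Days Monday, Tuesday, Wednesday, Thursday, Friday `
    -StartHour 8 -EndHour 18 -UtcOffsetHours 0
ConvertFrom-LogonHoursBytes $hours

# To apply and verify against a directory (requires the ActiveDirectory module):
# Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = [byte[]]$hours }
# ConvertFrom-LogonHoursBytes (Get-ADUser 'jdoe' -Properties logonHours).logonHours
```

An account whose logonHours attribute is empty has no time restriction, so an audit should treat a missing value as "always allowed". ADUC shows the grid in the local time zone of the console, while the stored bits are in UTC.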
Limitations and Notes:
- Logon hours apply only when interactive logons (like logging into a computer or domain) are used.
- These settings won’t restrict access for non-interactive logons, such as through network shares or services.
- You must be a domain administrator to configure logon hours for users in Active Directory.
Frequently asked questions:
- What are logon hours in Active Directory?
  Logon hours in Active Directory specify the allowed times when a user can log into their account. You can set these restrictions using Active Directory Users and Computers (ADUC) or PowerShell.
- How do I set logon hours in Active Directory?
  To set logon hours, open ADUC, select the user account, go to the Account tab, click Logon Hours, and specify allowed hours on the grid. Click OK to apply.
- Can I restrict logon hours using PowerShell?
  PowerShell doesn’t natively support detailed logon hour restrictions like the ADUC GUI. However, you can use group policies or third-party tools for more complex restrictions.
- Do logon hours restrict network or service logins?
  No, logon hours only apply to interactive logons (like logging into a computer). They do not restrict non-interactive logons, such as network access or service logons.
- Who can configure logon hours in Active Directory?
  Domain administrators can configure logon hours for user accounts in Active Directory using either Active Directory Users and Computers (ADUC) or through Group Policies.