Time restrictions on RRAS VPN

Samuel F 21 Reputation points
2021-01-05T17:57:28.397+00:00

Hello, I have remote access to the company by VPN PPTP / SSTP in RRAS.

I have a requirement in the company that some users who are from home office will only be able to connect to the VPN from 7AM until 7PM.
Other users (managers, third parties) will continue to be granted 24x7 access.

So, I created two security groups in AD:
Restricted_VPN
Unrestricted_VPN
And I inserted the respective users in their groups.

So, I was going to configure NPS to allow users of the VPN_Restricted group to logon only at the requested time intervals and leave the VPN_Irrestricted users free.

But this solution only applies to the login time, correct? If a user who is a member of Restricted_VPN connects at 6PM and stays connected until 10PM, he will not be dropped from the VPN at 7PM, right?

Is there any way that at 7PM I can disconnect from the VPN only users who are members of the VPN_Restricted group, keeping the others connected?


Accepted answer
  1. Anonymous
    2021-01-06T04:14:58.57+00:00

    Hi,

    Maybe generate a CSV with GetADMemberGroup with the list of restricted users and then read line by line from this CSV to run in the disconnect command?

    Yes, you can. Here is an example of the script, or something along these lines:

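    # Disconnect each user in the restricted group (replace YourDomain with your domain name)
    Import-Module ActiveDirectory, RemoteAccess
    Get-ADGroupMember -Identity "Restricted_VPN" |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $name = 'YourDomain\' + $_.SamAccountName
            Disconnect-VpnUser -UserName $name
        }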
    

    Since I am not an expert in scripting, if there are errors in the script, you can ask about it in the PowerShell forum for better answers. Open a new thread and add the tag windows-server-PowerShell; PowerShell experts here will help you improve the script.

    Best Regards,

    Candy
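
A fuller version of the approach in the answer above, as an added example that is not part of the original thread: it disconnects only members of Restricted_VPN who currently have a session, and only outside the 07:00 to 19:00 window. It assumes it runs on the RRAS server with the ActiveDirectory and RemoteAccess modules available and that session user names are reported as DOMAIN\user or user@domain; the parameter names and the Get-AccountName helper are made up for this example.

```powershell
#Requires -Modules ActiveDirectory, RemoteAccess
# Added example (not from the thread). Intended to run on the RRAS server.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Group     = 'Restricted_VPN',  # group name taken from the question
    [int]   $StartHour = 7,                 # access allowed from 07:00 ...
    [int]   $EndHour   = 19                 # ... until 19:00
)

# Hypothetical helper: reduce 'DOMAIN\user' or 'user@domain' to the bare
# account name so it can be compared with SamAccountName.
function Get-AccountName([string]$Name) {
    ($Name -replace '^.*\\', '' -replace '@.*$', '').ToLowerInvariant()
}

# Do nothing while the allowed window is open, so an accidental run at
# midday cannot drop anyone.
$hour = (Get-Date).Hour
if ($hour -ge $StartHour -and $hour -lt $EndHour) {
    Write-Verbose 'Inside the allowed window; nothing to do.'
    return
}

# Restricted accounts, including members of nested groups. Non-user
# objects (computers, groups) are skipped.
$restricted = [System.Collections.Generic.HashSet[string]]::new()
Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { [void]$restricted.Add($_.SamAccountName.ToLowerInvariant()) }

# Walk the sessions that are up right now, so accounts that are not
# connected never reach Disconnect-VpnUser and produce no errors.
foreach ($session in Get-RemoteAccessConnectionStatistics) {
    foreach ($user in $session.UserName) {
        if ($restricted.Contains((Get-AccountName $user)) -and
            $PSCmdlet.ShouldProcess($user, 'Disconnect VPN session')) {
            Disconnect-VpnUser -UserName $user
            # One line per disconnect, for the scheduled task's log.
            Write-Output ('{0:s} disconnected {1}' -f (Get-Date), $user)
        }
    }
}
```

Run it from a scheduled task at 19:00 and at intervals afterwards, first with -WhatIf to see which sessions would be dropped. The NPS day-and-time restriction mentioned in the question is still needed so that a disconnected client cannot simply reconnect.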



1 additional answer

  1. Samuel F 21 Reputation points
    2021-01-05T20:42:35.057+00:00

    I would not like to have all this work, but it is a legal obligation; some users still in home office were pointing hours worked over and using VPN access logs as "evidence". Therefore, the company wants to prevent users from being connected to the network outside the agreed hours.

    So, regardless of whether users need to save files locally if the VPN goes down, I will need to create a mechanism to take down users who are part of the restricted group when the clock reaches 7PM.

    To disconnect the session from a single user I know the command to disconnect session from the VPN:

    Disconnect-VpnUser -UserName DOMAIN\username

    But how would I do it in the script to filter only users from a certain group?

    Maybe generate a CSV with GetADMemberGroup with the list of restricted users and then read line by line from this CSV to run in the disconnect command?
    Would anyone have an example of a csv that does something like that?

    Thanks!
