Time restrictions on RRAS VPN

Question

Time restrictions on RRAS VPN

Samuel F 21

Hello, I have remote access to the company by VPN PPTP / SSTP in RRAS.

I have a requirement in the company that some users who are from home office will only be able to connect to the VPN from 7AM until 7PM.
Other users (managers, third parties) will continue to be granted 24x7 access.

So, I created two security groups in AD:
Restricted_VPN
Unrestricted_VPN
And I inserted the respective users in their groups;

So, I was going to configure NPS to allow users of the VPN_Restricted group to logon only at the requested time intervals and leave the VPN_Irrestricted users free.

But this solution only applies to the login time, correct? If a user member of Restricted_VPN connects at 6PM and stays connected until 10PM he will not be dropped from the VPN at 7PM, right?

Is there any way that at 7PM I can disconnect from the VPN only users who are members of the VPN_Restricted group, keeping the others connected?

Gary Nebbett 6,216 Reputation points

2021-01-05T20:05:39.403+00:00
Hello @Samuel F ,

I am fairly sure that that is the case - the time restrictions are only checked at the time of connection.

One could perhaps develop a script or program that forcibly disconnects the Restricted_VPN group, but I would strongly advise against this. Users who were editing documents at the time of the disconnection would have a choice of:

Saving the choices elsewhere and remembering to copy them back "later".

Abandoning the changes.

Just allowing their device to sleep/hibernate and then saving the changes when the VPN can be established again.

Perhaps other options that don't immediately occur to me.

This feels like the equivalent of sending site security to each office to physically eject workers who have stayed too long :-(

I would be surprised if legal requirements on working time could not be satisfied by making the requirements clear to employees and blocking new access after the cut-off time.

Gary
Samuel F 21 Reputation points

2021-01-05T20:43:43.547+00:00

I would not like to have all this work but it is a legal obligation, some users still in home office were pointing hours worked over and using vpn access logs as "evidence". Therefore, the company wants to prevent users from being connected to the network outside the agreed hours.

So, regardless of whether users need to save files locally if the VPN goes down, I will need to create a mechanism to take down users who are part of the restricted group when the clock reaches 7PM.

To disconnect the session from a single user I know the command to disconnect session from the VPN:

Disconnect-VpnUser -UserName DOMAIN \ username

But how would I do it in the script to filter only users from a certain group?

Maybe generate a CSV with GetADMemberGroup with the list of restricted users and then read line by line from this CSV to run in the disconnect command?
Would anyone have an example of a csv that does something like that?

Thanks!

Accepted answer

1 additional answer

Your answer

Gary Nebbett 6,216 Reputation points

2021-01-05T20:05:39.403+00:00

Hello @Samuel F ,

I am fairly sure that that is the case - the time restrictions are only checked at the time of connection.

One could perhaps develop a script or program that forcibly disconnects the Restricted_VPN group, but I would strongly advise against this. Users who were editing documents at the time of the disconnection would have a choice of:

Saving the choices elsewhere and remembering to copy them back "later".

Abandoning the changes.

Just allowing their device to sleep/hibernate and then saving the changes when the VPN can be established again.

Perhaps other options that don't immediately occur to me.

This feels like the equivalent of sending site security to each office to physically eject workers who have stayed too long :-(

I would be surprised if legal requirements on working time could not be satisfied by making the requirements clear to employees and blocking new access after the cut-off time.

Gary
Samuel F 21 Reputation points

2021-01-05T20:43:43.547+00:00

I would not like to have all this work but it is a legal obligation, some users still in home office were pointing hours worked over and using vpn access logs as "evidence". Therefore, the company wants to prevent users from being connected to the network outside the agreed hours.

So, regardless of whether users need to save files locally if the VPN goes down, I will need to create a mechanism to take down users who are part of the restricted group when the clock reaches 7PM.

To disconnect the session from a single user I know the command to disconnect session from the VPN:

Disconnect-VpnUser -UserName DOMAIN \ username

But how would I do it in the script to filter only users from a certain group?

Maybe generate a CSV with GetADMemberGroup with the list of restricted users and then read line by line from this CSV to run in the disconnect command?
Would anyone have an example of a csv that does something like that?

Thanks!

Answer 1

Hi ,

Maybe generate a CSV with GetADMemberGroup with the list of restricted users and then read line by line from this CSV to run in the disconnect command?

Yes, you can. The example of the script or something along these lines:

Get-ADGroupMember -Identity "Restricted_VPN" | ForEach-Object{  
    $name = 'YourDomain\' + $_.SamAccountName  
    Disconnect-VpnUser -UserName $name  
}

Since I am not expert in scripting, if there are some errors in the script, you can have this asked in PowerShell forum for better answers. Open a new thread and add the tag of windows-server-PowerShell, PowerShell experts here will help you improve the script.

Best Regards,

Candy

--------------------------------------------------------------

If the Answer is helpful, please click "Accept Answer" and upvote it.

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Samuel F 21 Reputation points

2021-01-06T12:29:09.977+00:00

This worked for me.
I just needed to install the powershell AD module on the RRAS server and the script worked for the purpose I need.

Thank you very much
Anonymous

2021-01-07T00:23:21.6+00:00

You are welcome. Have a nice day! :)

Answer 2

I would not like to have all this work but it is a legal obligation, some users still in home office were pointing hours worked over and using vpn access logs as "evidence". Therefore, the company wants to prevent users from being connected to the network outside the agreed hours.

So, regardless of whether users need to save files locally if the VPN goes down, I will need to create a mechanism to take down users who are part of the restricted group when the clock reaches 7PM.

To disconnect the session from a single user I know the command to disconnect session from the VPN:

Disconnect-VpnUser -UserName DOMAIN \ username

But how would I do it in the script to filter only users from a certain group?

Maybe generate a CSV with GetADMemberGroup with the list of restricted users and then read line by line from this CSV to run in the disconnect command?
Would anyone have an example of a csv that does something like that?

Thanks!

Share via

Time restrictions on RRAS VPN

1 additional answer

Your answer