Yep - both settings in the ADUC Account tab map directly to Active Directory user attributes and can be managed programmatically through LDAP, PowerShell, ADSI, .NET, or other directory APIs.
“Logon Hours” corresponds to the logonHours attribute, which is stored as a 21-byte binary value (168 bits total), representing allowed/disallowed login times across a full week in UTC time. Each bit represents one hour of the week, so 7 days × 24 hours = 168 bits = 21 bytes.
The week starts on Sunday 00:00 UTC.
A bit value of 1 represents logon permitted, 0 is logon denied. This attribute is not human-readable in Attribute Editor because it is stored as octet/binary data.
You can read it with PowerShell:
Get-ADUser jsmith -Properties logonHours | Select-Object -ExpandProperty logonHours
You can modify it programmatically:
Set-ADUser jsmith -Replace @{logonHours=$bytes}
Where $bytes is a 21-byte array. For example:
$bytes = New-Object byte[] 21   # 21 zero bytes: logon denied for every hour
Set-ADUser jsmith -Replace @{logonHours=$bytes}
A fully open schedule is:
[byte[]](255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255)
One important limitation is timezone handling. AD stores logonHours in UTC, while ADUC displays and edits it in the local timezone of the administrator workstation. Your scripts/apps should correctly convert local business hours into UTC before writing the attribute.
“Log On To” corresponds to the userWorkstations attribute, which is a comma-separated string listing allowed workstation names, for example PC001,PC002,LAPTOP17.
You can read it:
Get-ADUser jsmith -Properties userWorkstations | Select-Object userWorkstations
You can modify it:
Set-ADUser jsmith -LogonWorkstations "PC001,PC002"
Or directly:
Set-ADUser jsmith -Replace @{userWorkstations="PC001,PC002"}
Through LDAP, both attributes are writable if the account performing the operation has sufficient permissions.
LDAP names:
- logonHours
- userWorkstations
Example LDAP modify semantics:
- logonHours expects binary/octet data
- userWorkstations expects a UTF-8 string
There are a few limitations and behavior differences:
- logonHours enforcement depends on domain controller authentication and primarily affects interactive/domain logons.
- Existing authenticated sessions are not immediately terminated when hours expire.
- userWorkstations only applies to domain-joined Windows workstation logons and is enforced during authentication.
- userWorkstations has a practical length limit because the underlying AD attribute is limited to roughly 1024 characters.
- Computer names should generally be NetBIOS names, not FQDNs.
hth
Marcin
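The local-to-UTC conversion that the answer above calls for when writing logonHours, as an added PowerShell example that is not part of the original answer. The function names, the fixed whole-hour offset parameter (no DST handling) and the sample schedule are assumptions; the code also relies on the lowest bit of each byte being the earliest hour of its 8-hour block, a detail the answer does not spell out.

```powershell
# Added example; function and parameter names are illustrative, not AD cmdlets.
# Bit layout: hour index 0 = Sunday 00:00 UTC; byte = index / 8, and the
# least-significant bit of each byte is the earliest hour of its 8-hour block.
function ConvertTo-LogonHoursBytes {
    param(
        [Parameter(Mandatory)] [DayOfWeek[]] $Days,                      # local days
        [Parameter(Mandatory)] [ValidateRange(0, 23)] [int] $StartHour,  # first permitted local hour
        [Parameter(Mandatory)] [ValidateRange(1, 24)] [int] $EndHour,    # exclusive
        [Parameter(Mandatory)] [ValidateRange(-12, 14)] [int] $UtcOffsetHours
    )
    if ($EndHour -le $StartHour) { throw 'EndHour must be greater than StartHour' }
    $bytes = New-Object byte[] 21          # start from "deny every hour"
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Shift the local hour to UTC and wrap around the 168-hour week.
            $utc = ((([int]$day * 24) + $h - $UtcOffsetHours) % 168 + 168) % 168
            $bytes[$utc -shr 3] = $bytes[$utc -shr 3] -bor (1 -shl ($utc -band 7))
        }
    }
    return , $bytes                         # comma keeps the array from unrolling
}

# Decode a 21-byte value back to permitted local hours, for review before writing.
function ConvertFrom-LogonHoursBytes {
    param([Parameter(Mandatory)] [byte[]] $Bytes, [int] $UtcOffsetHours = 0)
    if ($Bytes.Length -ne 21) { throw 'logonHours must be exactly 21 bytes' }
    foreach ($d in 0..6) {
        foreach ($h in 0..23) {
            $utc = ((($d * 24) + $h - $UtcOffsetHours) % 168 + 168) % 168
            if ($Bytes[$utc -shr 3] -band (1 -shl ($utc -band 7))) {
                '{0} {1:00}:00' -f ([DayOfWeek]$d), $h
            }
        }
    }
}

# Constructed schedule: Monday-Friday 08:00-18:00 at a site on UTC+10.
$days  = 'Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday'
$bytes = ConvertTo-LogonHoursBytes -Days $days -StartHour 8 -EndHour 18 -UtcOffsetHours 10
ConvertFrom-LogonHoursBytes -Bytes $bytes -UtcOffsetHours 10
# After checking the decoded hours, write the value with the command from the answer:
# Set-ADUser jsmith -Replace @{logonHours = $bytes}
```

With a positive offset such as UTC+10, the Monday morning hours land in Sunday's bytes, which is why the decoded output is worth comparing against the intended local schedule before the attribute is written.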