Assigning Logon Hours

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can assign logon hours as a means to ensure that employees are using computers only during specified hours. This setting applies both to interactive logon, in which a user unlocks a computer and has access to the local computer, and network logon, in which a user obtains credentials that allow him or her to access resources on the network.

Assigning logon hours is useful for organizations in which some users are less trustworthy than others or require supervision. For example, you might want to restrict logon hours when:

  • Logon hours are a condition for security certification, such as in a government network.

  • Your organization includes shift workers. In this case, allow shift workers to log on only during their scheduled hours.

  • Your organization includes temporary employees.

The logon schedule is enforced by the Kerberos Group Policy setting Enforce User Logon Restrictions, which is enabled by default in Windows Server 2003. Whether users are forced to log off when their logon hours expire is determined by the Automatically log off users setting.

By default, all domain users can log on at any time. You can use the following procedure to limit the logon hours of an individual domain user.

To restrict the logon hours of a domain user

  1. In Active Directory Users and Computers, right-click the user’s account.

  2. Click Properties, and click the Account tab.

  3. Click Logon Hours. In the Logon Hours dialog box, indicate the hours and/or days of the week in which you are restricting the user from logging on.

When you have set the logon hours for an individual, you can copy that account to apply the same settings to a new user in the same department.

To restrict the logon hours for multiple users in the same OU

  1. In Active Directory Users and Computers, select the user accounts, and then right-click any of the selected items.

  2. Use the Properties of Multiple Objects dialog box to alter the properties for all of the selected users.

When you restrict logon hours, you might also want to force users to log off after a certain point. Restricting logon hours by itself prevents users from logging on to a new computer, but users who are already logged on can stay logged on even during restricted logon hours. To force users to log off when logon hours expire for their account, apply the Network security: Force logoff when logon hours expire policy.
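The schedule chosen in the Logon Hours dialog box is stored on the account as a 21-byte value in UTC. The following added example (not part of the original page) encodes a local-time schedule into that value and decodes it back, so the result of a bulk change can be audited. It assumes the logonHours attribute layout of one bit per hour starting Sunday 00:00 UTC, least-significant bit first, and whole-hour UTC offsets; the function names and the sample shift are constructed for illustration.

```python
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 7 * 24  # 168 one-hour slots = 21 bytes


def encode_logon_hours(allowed, utc_offset_hours):
    """Build the 21-byte value from (day, start_hour, end_hour) rules.

    Rules are in local time with an exclusive end hour; utc_offset_hours
    is local time minus UTC (for example -5). DST changes are not handled.
    """
    blob = bytearray(HOURS_PER_WEEK // 8)
    for day, start, end in allowed:
        if not 0 <= start < end <= 24:
            raise ValueError(f"bad hour range for {day}: {start}-{end}")
        for hour in range(start, end):
            local_slot = DAYS.index(day) * 24 + hour
            # Shift to UTC; the modulo wraps Saturday night into Sunday.
            utc_slot = (local_slot - utc_offset_hours) % HOURS_PER_WEEK
            blob[utc_slot // 8] |= 1 << (utc_slot % 8)
    return bytes(blob)


def decode_logon_hours(blob, utc_offset_hours):
    """Return {day: [permitted local hours]} for audit or review."""
    if blob is None:
        # Attribute not set: the default, logon permitted at any time.
        return {day: list(range(24)) for day in DAYS}
    if len(blob) != HOURS_PER_WEEK // 8:
        raise ValueError("logonHours must be exactly 21 bytes")
    schedule = {day: [] for day in DAYS}
    for utc_slot in range(HOURS_PER_WEEK):
        if blob[utc_slot // 8] >> (utc_slot % 8) & 1:
            local_slot = (utc_slot + utc_offset_hours) % HOURS_PER_WEEK
            schedule[DAYS[local_slot // 24]].append(local_slot % 24)
    return {day: sorted(hours) for day, hours in schedule.items()}


if __name__ == "__main__":
    # Constructed sample: day-shift worker, Mon-Fri 08:00-17:00 at UTC-5.
    shift = [(d, 8, 17) for d in ("Mon", "Tue", "Wed", "Thu", "Fri")]
    value = encode_logon_hours(shift, -5)
    print(value.hex())
    for day, hours in decode_logon_hours(value, -5).items():
        print(day, hours or "no logon permitted")
```

Decoding with the wrong offset shifts every permitted window, which is why a schedule reviewed from a workstation in another time zone can appear to differ from what was set.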