This step-by-step article describes how to restrict the
hours and days that a user may log on to a Windows Server 2003 domain.
Change Logon Times for a User Account
You can set logon hours for a user account by using one of the
following methods:
Edit the user account properties from the Active Directory
directory service Users and Computers snap-in.
Edit the user account properties by using the net
user command.
Method 1: Using the Active Directory Users and Computers Snap-in
Start the Active Directory Users and Computers snap-in. To
do this, click Start, point to Administrative
Tools, and then click Active Directory Users and
Computers.
In the console tree, click the container that contains the
user account that you want.
In the right pane, right-click the user account, and then
click Properties.
Click the Account tab, and then click
Logon Hours.
Click All to select all available times,
and then click Logon Denied.
Select the time blocks that you want to allow this user to
log on to the domain, and then click Logon Permitted.
A status line under the logon hours table displays the currently
selected logon times. For example, Monday through Friday from 8 A.M. to
5 P.M.
When you are finished configuring logon hours, click
OK, and then click OK in the
user account Properties dialog box.
Quit the Active Directory Users and Computers snap-in.
Method 2: Using the Net User Command-line Statement
Click Start, and then click
Run.
In the Open box, type
cmd, and then click OK.
Type net user
username
/time:logon_times (where
username is the name of the user account, and where
logon_times are the days and times that you want to
allow access to the domain), and then press ENTER.
Use the following
information to help you use the /time switch:
Days can be spelled out (for example, Monday) or
abbreviated (for example, M,T,W,Th,F,Sa,Su).
Hours can be in 12-hour notation (1PM or 1P.M.) or
24-hour notation (13:00).
A value of blank means that the user can never log on.
A value of all means that a user can
always log on.
Use a hyphen (-) to mark a range of days or times. For example, to create a range
from Monday through Friday, type either M-F, or
monday-friday. To create a range of time from 8:00 A.M.
to 5:00 P.M., type 8:00am-5:00pm,
8am-5pm, or 8:00-17:00.
Separate the day and time items with commas (for
example, monday,8am-5pm).
Separate day and time units with semicolons (for
example, monday,8am-5pm;tuesday,8am-4pm;wednesday,8am-3pm).
Do not use spaces between days or times.
Examples
The following examples show how to change the logon times for a
specific user account.
To set John's logon time (8:00 A.M. to 5:00 P.M.) using
24-hour notation, type the following command, and then press ENTER:
net user john /time:M-F,08:00-17:00
To set John's logon time (8:00 A.M. to 5:00 P.M.) using
12-hour notation, type the following command, and then press ENTER:
net user john /time:M-F,8am-5pm
To specify logon hours of 4:00 A.M. until 5:00 P.M. on
Monday, 1:00 P.M. until 3:00 P.M. on Tuesday, and 8:00 A.M. until 5:00 P.M.
Wednesday through Friday for Mary, type the following command, and then press
ENTER:
net user mary /time:M,4am-5pm;T,1pm-3pm;W-F,8:00-17:00
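The /time rules above can be checked before a command is run. The following is an added example, not part of the original article or of any Microsoft tool: it expands a /time value into the hour slots it permits. The function names are hypothetical, and ranges that cross midnight are rejected as an assumption.

```python
import re

FULL = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
ABBR = ["m", "t", "w", "th", "f", "sa", "su"]
DAY_INDEX = {name: i for names in (FULL, ABBR) for i, name in enumerate(names)}
# 1PM, 1P.M., 8:00am and 13:00 are all accepted forms.
TIME_RE = re.compile(r"^(\d{1,2})(?::(\d{2}))?(am|pm|a\.m\.|p\.m\.)?$")


def parse_hour(text):
    """Convert one lower-case time token to an hour from 0 to 24."""
    m = TIME_RE.match(text)
    if not m:
        raise ValueError(f"bad time: {text!r}")
    hour, minute, suffix = int(m.group(1)), int(m.group(2) or 0), m.group(3)
    if minute:  # net user's help text limits times to 1-hour increments
        raise ValueError(f"whole hours only: {text!r}")
    if suffix:
        if not 1 <= hour <= 12:
            raise ValueError(f"bad 12-hour time: {text!r}")
        hour = hour % 12 + (12 if suffix.startswith("p") else 0)
    elif hour > 24:
        raise ValueError(f"bad 24-hour time: {text!r}")
    return hour


def parse_logon_times(spec):
    """Return the permitted (day, hour) slots; day 0 is Monday."""
    if " " in spec:
        raise ValueError("spaces are not allowed between days or times")
    if spec.lower() == "all":
        return {(d, h) for d in range(7) for h in range(24)}
    allowed = set()
    for unit in filter(None, spec.lower().split(";")):  # blank value: no slots
        days, hours = set(), set()
        for item in unit.split(","):
            first, _, last = item.partition("-")
            if first in DAY_INDEX:
                lo, hi = DAY_INDEX[first], DAY_INDEX.get(last or first, -1)
                if hi < lo:
                    raise ValueError(f"bad day range: {item!r}")
                days.update(range(lo, hi + 1))
            else:
                lo, hi = parse_hour(first), parse_hour(last) or 24
                if hi <= lo:  # assumption: a range must end later the same day
                    raise ValueError(f"bad time range: {item!r}")
                hours.update(range(lo, hi))
        allowed.update((d, h) for d in days for h in hours)
    return allowed
```

A range such as 8am-5pm covers the hour slots 8 through 16, so the two notations used for John produce the same set.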
Change Logon Times for a Group of Users
You can use the net user command with the /time switch from the command line or in a batch file to change logon
times for a group of users in a domain. To do this, complete the "Step 1:
Create a User Account List" and the "Step 2: Edit Logon Hours by Using the Net
User Command" sections of this article.
Step 1: Create a User Account List
Start the Active Directory Users and Computers snap-in. To
do this, click Start, point to Programs,
point to Administrative Tools, and then click Active
Directory Users and Computers.
In the console tree, click the organizational unit or
Users folder that contains the user accounts that you want.
On the Action menu, click Export
List.
In the Save As dialog box, type the file
name that you want in the File name box.
In the Save as type list, click
Text (Comma Delimited)(*.csv), and then click
Save.
Edit the .csv file by using a text editor such as Notepad
to remove entries where you do not want to apply the logon restrictions. The
user accounts are listed under a heading with one account on each line. Also,
you may have to edit the user names in this file so that they match the user
account names that appear when you type Net User at a
command prompt.
The following is an example of this file:
Name, Type, Description,
Joe,User,,
Sally,User,Account created for Sally,
Betty,User,,
Bob,,
Step 2: Edit Logon Hours by Using the Net User Command
Use the net user command to apply logon restrictions to the accounts in the .csv
file that you created in Step 1: Create a User
Account List.
Click Start, and then click
Run.
In the Open box, type
cmd, and then click OK.
Type the following command, where
file_name is the name of the .csv file that contains
the exported user accounts, and where logon_times
are the days and times that you want to allow access to the domain:
for /F "skip=1 tokens=1 delims=," %i in (file_name.csv) do net user %i /time:logon_times
This command is one line. It has been
wrapped for readability.
Note: In this command, there is a space between %i and
/time.
Examples
The following examples show how to change the logon times for the
user accounts in a .csv file that is named Exportusers.csv.
Note: The following commands are one line. They have been wrapped for
readability.
To allow the users to log on to the server from 8:00 A.M.
to 5:00 P.M. Monday through Friday, type the following command, and then press
ENTER:
for /F "skip=1 tokens=1 delims=," %i in (exportusers.csv) do net user %i /time:monday-friday,8am-5pm
To allow the users to log on to the server from 8:00 A.M.
until 1:00 P.M. on Monday and Friday, and from 8:00 A.M. until 5:00 P.M. on
Tuesday through Thursday, type the following command, and then press ENTER:
for /F "skip=1 tokens=1 delims=," %i in (exportusers.csv) do net user %i /time:m,8:00AM-1:00PM;t-th,8:00AM-5:00PM;f,8:00AM-1:00PM
You can use this command in a batch file. However, you must add
an additional percent (%) character to each variable. The following example
code illustrates this:
for /F "skip=1 tokens=1 delims=," %%i in (exportusers.csv) do net user %%i /time:m,8:00AM-1:00PM;t-th,8:00AM-5:00PM;f,8:00AM-1:00PM
Note: In this example, the command is one line. It has been wrapped for
readability.
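Because the for /F loop passes the first CSV field to net user unquoted, a row that still holds a display name or a non-user entry produces a wrong or failed command. The following is an added example, not part of the original article: it reads the exported list and returns the commands the loop would run, together with the rows that still need editing. The function name, the extra sample row and the rule that only rows typed User are in scope are assumptions.

```python
import csv
import io
import re

# Whitespace and cmd.exe metacharacters that would split or alter the
# unquoted "net user %i" command line built by the for /F loop.
UNSAFE = re.compile(r'[\s&|<>^%"]')

# Constructed sample: the article's example list plus one display-name row.
SAMPLE = """Name, Type, Description,
Joe,User,,
Sally,User,Account created for Sally,
Betty,User,,
Bob,,
Ann Lee,User,,
"""


def preflight(csv_text, logon_times):
    """Return (commands, rejected) for an exported user list."""
    if re.search(r"\s", logon_times):
        raise ValueError("/time value must not contain spaces")
    commands, rejected = [], []
    rows = csv.reader(io.StringIO(csv_text))
    next(rows, None)  # same effect as skip=1: drop the header line
    for row in rows:
        fields = [f.strip() for f in row] + ["", ""]
        name, kind = fields[0], fields[1]
        if not name:
            continue
        if kind != "User":  # assumption: only rows typed User are in scope
            rejected.append((name, "Type is not User"))
        elif UNSAFE.search(name):
            rejected.append((name, "edit to match the net user account name"))
        else:
            commands.append(f"net user {name} /time:{logon_times}")
    return commands, rejected
```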
Enforce Logon Time Restrictions Using Group Policy
You can use Group Policy to enforce the logon time restrictions
that you apply.
Step 1: Create a Group Policy object
To create a Group Policy object (GPO) that you use to enforce
client logon restrictions:
Start the Active Directory Users and Computers snap-in. To
do this, click Start, point to Programs,
point to Administrative Tools, and then click Active
Directory Users and Computers.
In the console tree, right-click your domain or the
organizational unit that contains the domain controllers that you want, and
then click Properties.
Click the Group Policy tab, and then click
New.
Type a name for this policy (for example,
Account logon restrictions), and then press ENTER.
Click Properties, and then click the
Security tab.
Click to clear the Apply Group Policy
check box for the security groups that you want to prevent from having this
policy applied. Click to select the Apply Group Policy check
box for the groups that you want to have this policy applied. When you are
finished, click OK.
Step 2: Enforce Logon Hours Restrictions
Start the Active Directory Users and Computers snap-in. To
do this, click Start, point to Programs,
point to Administrative Tools, and then click Active
Directory Users and Computers.
In the console tree, right-click your domain or the
organizational unit that contains the domain controller GPO that you want to
edit, and then click Properties.
Click the Group Policy tab, select the GPO
that you want, and then click Edit.
Under Computer Configuration, expand
Windows Settings, expand Security Settings,
expand Local Policies, and then click Security
Options.
In the right pane of the Group Policy snap-in, double-click
Microsoft network server: Disconnect clients when logon hours
expire.
Click to select the Define this policy
setting check box, click Enabled, and then click
OK.
Close the Group Policy snap-in, and then click
OK.
Troubleshoot
Group Policy changes are not immediately enforced. Group Policy
background processing can take up to 5 minutes to be refreshed on domain
controllers, and up to 120 minutes to be refreshed on client computers. To
force background processing of Group Policy settings, use the gpupdate command.
Note: secedit /refreshpolicy has been replaced
with gpupdate. For more information about the gpupdate command, see Windows Server 2003 help. To do this, follow these
steps: