For this post i have come up with following scenario which will help to understand this properly.
• Sales and Marketing Department, Distribution & Shipping and IT Department, operating for 24 hours 7 days per week shift based operations and the other Departments are operating from 8.00a.m. To 4.00 p.m. 6 Days except Sunday.
• Financial & Account Department and Administration departments are operating 7.00 a.m. To 5.00 p.m. Monday to Friday, 5 working days.
Apart from given hours and days, users should not be able to log in to computers.
Well this is not something we can fully control by group policy. But part of it we can control using group policy. Before we go in to group policy lets set the log on hours restrictions to the sub domain users.
In the demonstration I will show how to restrict logins for staff under “sales.sprint.local” sub domain.
Under the sales.sprint.local Active Directory users and computers snap in I created new organization unit called “Staff”. I will add 2 users called demo1 and demo 2.
Users can add as following,
Right Click on the OU and select New > User
Then it will open up the wizard. In there need to fill relevant user details. And click on next to continue.
In next window need to define the password and other condition as require. Then click next to continue.
In next window it will give a confirmation and click on finish to complete the user add process.
To add the login restrictions to all these users, Select them all and then right click to select properties. You can do it for individual users as well if need.
In new window select the account tab.
Then Click on check box in front “Logon Hours” and click on Logon Hours button.
In next window I selected Sunday and restrict the logins for entire day.
Then Click “Ok” twice in open windows to apply the changes.
Now we have the restrictions in place. But we still need to enforce these logs on rules using group policy.
Enforce Logon Time Restrictions Using Group Policy
To do that we need to go back to “Group Policy Management” window. This group policy can created from child domain server also. But I have chosen the same window I used from primary domain controller. From the window select the domain “sales.sprint.local” and create new GPO with name “Log on Time Restrictions”.
Right Click on it and then select “Edit” to go in to policy editing window.
Then move to Computer configurations > Policies > Windows Settings > Security Settings > Local Policies > Security Options
In the right pane of the Group Policy snap-in, double-click Microsoft network server: Disconnect clients when logon hours expire.
Click to select the Define this policy setting check box, click Enabled, and then click OK.
This is done now, so using this GPO we can enforce to disconnect clients when login hour expired if there were active sessions running.