AD logon hours

Finally got round to sorting out how to set logon hours in AD accounts.

# deny logon at all times
$user = [ADSI]"LDAP://cn=Joe Bloggs,ou=Test,dc=Manticore,dc=org"
[byte[]]$hours = @(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
$user.logonhours[0] = $hours
$user.setinfo()

Use [ADSI] to get a user account, then create a byte array. The logon hours are stored as an array of 21 bytes: 3 bytes per day, 1 bit per hour. For each bit, 0 means logon is denied and 1 means logon is allowed. Setting all of the byte values to 0 denies logon 24x7 - probably easier just to disable the account!

## allow logon at all times
$user = [ADSI]"LDAP://cn=Joe Bloggs,ou=Test,dc=Manticore,dc=org"
[byte[]]$hours2 = @(255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255)
$user.logonhours[0] = $hours2
$user.setinfo()

Setting all of the bytes to 255, i.e. all bits = 1, means the user can log on 24x7, which is the default. If we want to restrict users to logging on during business hours only, then use:

## allow logon 8am - 6pm Monday to Friday
$user = [ADSI]"LDAP://cn=Joe Bloggs,ou=Test,dc=Manticore,dc=org"
[byte[]]$hours3 = @(0,0,0,0,255,3,0,255,3,0,255,3,0,255,3,0,255,3,0,0,0)
$user.logonhours[0] = $hours3
$user.setinfo()

The easiest way to derive the numbers is to use ADSIEdit!
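The 21-byte layout described above can also be generated and decoded in PowerShell, which makes a schedule easy to review before it is written to an account. This is an added example, not code from the original post: the function names and the -UtcOffsetHours parameter are hypothetical, and it assumes PowerShell 3.0 or later and that the attribute is interpreted in UTC with Sunday as the first day.

```powershell
# Added example; function names and -UtcOffsetHours are hypothetical.
function New-LogonHoursArray {
    param(
        [System.DayOfWeek[]]$Days = @('Monday','Tuesday','Wednesday','Thursday','Friday'),
        [ValidateRange(0,23)][int]$StartHour = 8,   # first allowed hour (local time)
        [ValidateRange(1,24)][int]$EndHour = 18,    # first hour that is denied again
        [int]$UtcOffsetHours = 0                    # local time minus UTC (assumption: whole hours)
    )
    $hours = New-Object byte[] 21                   # 7 days x 3 bytes, all bits 0 = deny
    foreach ($day in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            # Bit 0 is Sunday 00:00-01:00; shift local hours to UTC and wrap round the week
            $bit = ([int]$day * 24 + $h - $UtcOffsetHours) % 168
            if ($bit -lt 0) { $bit += 168 }
            # Within each byte the lowest bit is the earliest hour
            $hours[$bit -shr 3] = $hours[$bit -shr 3] -bor (1 -shl ($bit % 8))
        }
    }
    ,$hours                                         # leading comma returns the array as one object
}

function ConvertFrom-LogonHoursArray {
    param([byte[]]$Hours)
    if ($Hours.Length -ne 21) { throw "Expected 21 bytes, got $($Hours.Length)" }
    foreach ($d in 0..6) {
        # Collect the hours of this day whose bit is set
        $allowed = 0..23 | Where-Object {
            $bit = $d * 24 + $_
            $Hours[$bit -shr 3] -band (1 -shl ($bit % 8))
        }
        [pscustomobject]@{ Day = [System.DayOfWeek]$d; AllowedHoursUtc = $allowed -join ',' }
    }
}

# The defaults are checked against the hand-written business-hours array from the post
$fromPost = [byte[]]@(0,0,0,0,255,3,0,255,3,0,255,3,0,255,3,0,255,3,0,0,0)
$built    = New-LogonHoursArray
if (($built -join ',') -ne ($fromPost -join ',')) { throw 'Generated array differs from the post' }

# Readable view of the schedule, e.g. for reviewing an account before calling SetInfo()
ConvertFrom-LogonHoursArray $built | Format-Table -AutoSize
```

The decoder can also be pointed at an array read back from an existing account to audit which hours it currently allows.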
