AD logon hours

Finally got round to sorting out how to set logon hours in AD accounts.

# deny logon at all times
$user = [ADSI]"LDAP://cn=Joe Bloggs,ou=Test,dc=Manticore,dc=org"
[byte[]]$hours = @(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
$user.logonhours[0] = $hours
$user.setinfo()

Use [ADSI] to get a user account.  Create a byte array. The logon hours are stored as an array of 21 bytes, 3 bytes per day, 1 bit per hour. For each bit 0 means logon denied and 1 means can logon.  Setting all of the byte values to 0 denies logon 24×7 – probably easier just to disable the account!

## allow logon at all times
$user = [ADSI]"LDAP://cn=Joe Bloggs,ou=Test,dc=Manticore,dc=org"
[byte[]]$hours2 = @(255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255)
$user.logonhours[0] = $hours2
$user.setinfo()

setting all of the bytes to 255 ie all bits = 1 means can logon 27×7 which is the default.  if we want to restrict the users to logon during business hours only then use

## allow logon 8am – 6pm Monday to Friday
$user = [ADSI]"LDAP://cn=Joe Bloggs,ou=Test,dc=Manticore,dc=org"
[byte[]]$hours3 = @(0,0,0,0,255,3,0,255,3,0,255,3,0,255,3,0,255,3,0,0,0)
$user.logonhours[0] = $hours3
$user.setinfo()

Easiest way to derive the numbers is to use ADSIEdit !!!

 


Share this post :

 

Technorati Tags: ,
About these ads
This entry was posted in PowerShell and Active Directory. Bookmark the permalink.

One Response to AD logon hours

  1. Jeff says:

    Richard, I know this may be a few years late, but this is what worked for me today (April 27th, 2012) with PowerGui.

    [byte[]]$hours = @(0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
    Set-Qaduser <> –ObjectAttributes @{logonhours = $hours}

    The code that you posted is what I used to get this answer. Hopefully it will help someone else too.

    Jeff

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s