HOW TO: Limit User Logon Time in a Domain in Windows 2000 (318714)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Professional
This article was previously published under Q318714
SUMMARY
This step-by-step article describes how to restrict the hours and days that a user may log on to a Windows 2000 domain.
Change Logon Times for a User Account
You can set logon hours for a user account by using one of the following methods:
- Edit the user account properties from the Active Directory Users and Computers snap-in.
- Edit the user account properties by using the net user command.
Method 1: Using the Active Directory Users and Computers Snap-in
- Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, click the container that contains the
user account that you want.
- In the right pane, right-click the user account, and then
click Properties.
- Click the Account tab, and then click Logon Hours.
- Select all available times, and then click Logon Denied.
- Select the times that you want to allow this user to log on
to the domain, and then click Logon Permitted.
  A status line beneath the logon hours table displays the currently selected logon times. For example, Monday through Friday from 8 AM to 5 PM.
- When you are finished configuring logon hours, click OK, and then click OK in the user account Properties dialog box.
- Quit the Active Directory Users and Computers
snap-in.
Method 2: Using the Net User Command-line Statement
- Click Start, and then click Run.
- In the Open box, type cmd, and then click OK.
- Type net user username /times:logon_times (where username is the name of the user account, and where logon_times are the days and times that you want to allow access to the domain), and then press ENTER.
  Use the following information to help you use the /times switch:
- Days can be spelled out (for example, Monday) or
abbreviated (for example, M,T,W,Th,F,Sa,Su).
- Hours can be in 12-hour notation (1PM or 1P.M.) or
24-hour notation (13:00).
- A value of blank means that the user can never log
on.
- A value of all means that a user can
always log on.
- Use a hyphen (-) to mark a range of days or times. For example, to create a range from Monday through Friday, type either m-f or monday-friday. To create a range of time from 8:00AM to 5:00PM, type either 8:00am-5:00pm, 8am-5pm, or 8:00-17:00.
- Separate the day and time items with commas (for
example, monday,8am-5pm).
- Separate units of "day and time" with semicolons (for
example, monday,8am-5pm;tuesday,8am-4pm;wednesday,8am-3pm).
- Do not use spaces between the days or times.
Examples
The following examples show how to change the logon times for a specific user account.
- To allow a user with an account name of Bob to log on to the server from 8:00AM to 5:00PM Monday through Friday, type the following command, and then press ENTER:
  net user bob /times:monday-friday,8am-5pm
- To restrict the same user account to logon hours of 8:00AM until 1:00PM on Monday and Friday, and from 8:00AM until 5:00PM on Tuesday through Thursday, type the following command, and then press ENTER:
  net user bob /times:monday,8:00AM-1:00PM;tuesday-thursday,8:00AM-5:00PM;friday,8:00AM-1:00PM
- To repeat the previous command, but with abbreviated days and using a 24-hour notation, type the following command, and then press ENTER:
  net user bob /times:m,8:00-13:00;t-th,8:00-17:00;f,8:00-13:00
- To allow the same user account logon privileges from Monday through Friday, 8:00AM to 12:00PM and 1:00PM to 5:00PM, type the following command, and then press ENTER:
  net user bob /times:m-f,8:00-12:00,13:00-17:00
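An added example (not part of the original article): a small Python parser for the /times syntax described above, which expands a value into the permitted (day, hour) slots so that a schedule can be checked before it is applied with net user. The function names, the whole-hour restriction, and treating a 12AM end time as the end of the day are assumptions of this example.

```python
import re
ABBR = ["m", "t", "w", "th", "f", "sa", "su"]            # abbreviated day names
FULL = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
TIME = re.compile(r"(\d{1,2})(?::(\d{2}))?(a\.?m\.?|p\.?m\.?)?")

def _day(tok):
    for names in (ABBR, FULL):
        if tok in names:
            return names.index(tok)          # 0 = Monday
    raise ValueError(f"unknown day {tok!r}")

def _hour(tok, is_end=False):
    m = TIME.fullmatch(tok)
    if not m or int(m[2] or 0) != 0:         # assumption: whole hours only
        raise ValueError(f"bad time {tok!r}")
    hour, ampm = int(m[1]), m[3]
    if ampm and 1 <= hour <= 12:             # 12-hour notation: 1PM, 1P.M.
        hour = hour % 12 + (12 if ampm[0] == "p" else 0)
    elif ampm or hour > 24:
        raise ValueError(f"bad time {tok!r}")
    return 24 if is_end and hour == 0 else hour   # assumption: 12AM end = end of day

def parse_times(spec):
    """Return the permitted (day, hour) slots for a /times value."""
    if " " in spec:
        raise ValueError("no spaces between days or times")
    spec = spec.lower()
    if spec in ("", "all"):                  # blank = never, all = always
        return {(d, h) for d in range(7) for h in range(24)} if spec else set()
    slots = set()
    for unit in spec.split(";"):             # units of "day and time"
        days, hours = set(), set()
        for item in unit.split(","):
            lo, _, hi = item.partition("-")
            if item[:1].isdigit():           # time range, e.g. 8am-5pm
                start, end = _hour(lo), _hour(hi, is_end=True)
                if end <= start:
                    raise ValueError(f"empty or reversed range {item!r}")
                hours.update(range(start, end))
            elif hours:
                raise ValueError(f"day after time in {unit!r}")
            else:                            # day or day range, e.g. t-th
                a, b = _day(lo), _day(hi or lo)
                days.update((a + k) % 7 for k in range((b - a) % 7 + 1))
        if not days or not hours:
            raise ValueError(f"{unit!r} needs both days and times")
        slots |= {(d, h) for d in days for h in hours}
    return slots
```

With this parser, the second and third Bob commands above expand to the same 37 hourly slots.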
Change Logon Times for a Group of Users
You can use the net user command with the /times switch from the command line or in a batch file to change logon times for a group of users in a domain. To do this, complete the "Step 1: Create a User Account List" and "Step 2: Edit Logon Hours by Using the Net User Command" sections of this article.
Step 1: Create a User Account List
- Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, click the organizational unit, or Users folder that contains the user accounts that you want.
- On the Action menu, click Export List.
- In the Save As dialog box, type the file name that you want in the File
name box.
- In the Save as type list, click
Text (Comma Delimited)(*.csv), and then click Save.
- Edit the .csv file by using a text editor such as Notepad to remove entries to which you do not want to apply the logon restrictions. The user accounts are listed beneath a heading with one account on each line. The following is an example of this file:
Name, Type, Description,
Joe,User,,
Sally,User,Account created for Sally,
Betty,User,,
Bob,,
Step 2: Edit Logon Hours by Using the Net User Command
Use the net user command to apply logon restrictions to the accounts in the .csv file that you created in Step 1: Create a User Account List.
- Click Start, and then click Run.
- In the Open box, type cmd, and then click OK.
- Type the following command, where file_name is the name of the .csv file that contains the exported user accounts, and where logon_times are the days and times that you want to allow access to the domain:
  for /F "skip=1 tokens=1 delims=," %i in (file_name.csv) do net user %i /times:logon_times
  The preceding command is one line. It has been wrapped for readability.
  NOTE: In the preceding command, there is a space between %i and /times.
Examples
The following examples show how to change the logon times for the user accounts in a .csv file that is named Exportusers.csv.
NOTE: The following commands are one line. They have been wrapped for readability.
- To allow the users to log on to the server from 8:00AM to 5:00PM Monday through Friday, type the following command, and then press ENTER:
  for /F "skip=1 tokens=1 delims=," %i in (exportusers.csv) do net user %i /times:monday-friday,8am-5pm
- To allow the users to log on to the server from 8:00AM until 1:00PM on Monday and Friday, and from 8:00AM until 5:00PM on Tuesday through Thursday, type the following command, and then press ENTER:
  for /F "skip=1 tokens=1 delims=," %i in (exportusers.csv) do net user %i /times:m,8:00AM-1:00PM;t-th,8:00AM-5:00PM;f,8:00AM-1:00PM
You can use this command in a batch file. However, you must add an additional percent (%) character to each variable. The following example code illustrates this:
  for /F "skip=1 tokens=1 delims=," %%i in (exportusers.csv) do net user %%i /times:m,8:00AM-1:00PM;t-th,8:00AM-5:00PM;f,8:00AM-1:00PM
NOTE: In the preceding example, the command is one line. It has been wrapped for readability.
Enforce Logon Time Restrictions Using Group Policy
You can use Group Policy to enforce the logon time restrictions that you apply.
Step 1: Create a Group Policy Object
To create a Group Policy Object (GPO) with which to enforce client logon restrictions:
- Start the Active Directory Users and Computers snap-in. To
do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and
Computers.
- In the console tree, right-click your domain, or the
organizational unit that contains the domain controllers that you want, and
then click Properties.
- Click the Group Policy tab, and then click New.
- Type the name that you want to call this policy (for
example, Account logon restrictions), and then press
ENTER.
- Click Properties, and then click the Security tab.
- Click to clear the Apply Group Policy check box for the security groups that you want to prevent from
having this policy applied. Click to select the Apply Group Policy check box for the groups to which you want to apply this policy.
When you are finished, click OK.
Step 2: Enforce Logon Hours Restrictions
- Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
- In the console tree, right-click your domain, or the
organizational unit that contains the domain controller Group Policy Object
(GPO) that you want to edit, and then click Properties.
- Click the Group Policy tab, select the group policy object that you want, and then click
Edit.
- Under Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
- In the right pane of the Group Policy snap-in, double-click
Automatically log off users when logon time
expires.
- Click to select the Define this policy
setting check box, click Enabled, and then click OK.
- Close the Group Policy snap-in, and then click OK.
Troubleshooting
Group Policy changes are not immediately enforced. Group Policy background processing can take up to 5 minutes to be refreshed on domain controllers, and up to 120 minutes to be refreshed on client computers. To force background processing of Group Policy settings, use the Secedit.exe tool. To do this:
- Click Start, and then click Run.
- In the Open box, type cmd, and then click OK.
- Type secedit /refreshpolicy user_policy, and then press ENTER.
- Type secedit /refreshpolicy machine_policy, and then press ENTER.
- Type exit, and then press ENTER.
REFERENCES
For additional information about Group Policy, visit the following Microsoft Web sites:
To obtain additional help information for the net user command, start Windows 2000 Help, and then search for net user.
To obtain additional help information for the for command, type for /? at the command prompt.
Modification Type: Major
Last Reviewed: 2/9/2006
Keywords: kbenv kbHOWTOmaster KB318714 kbAudITPro