How To Restrict Active Directory User Login Duration & Computers In Windows Server 2008 Domain

Many companies employ temporary or part-time employees to supplement work load. Since these individuals have a minor stake in the organization, therefore, they also represent a possible security vulnerability. Even trusted employees in many organizations have led to exposing company secrets and stealing information.

A remedy to such a security void is normally to deploy end point security, use proxy servers and apply strict Domain policies. However, to allow an employee to be able to do his/her job properly, there can only be a limit to these restrictions. To ensure that a particular individual is unable to access company information unsupervised, Domain administrators are many a times asked to restrict the login duration of employees. Moreover, restricting a user to  a specified computer can also help in limiting their Active Directory profiles to their designated systems. In this post we will tell you how to restrict the login duration and system access by Domain users.

To get started open Active Directory Users And Computers from Start –> Administrative Tools –> Active Directory Users And Computers.

Active Directory Users And Computers


After that, select the user that you wish to apply a duration policy on and open user properties via the right click context menu.

In user properties, go to the Account tab and click Logon Hours.


This will open an interface where you can restrict user login days and time by highlighting the appropriate area and clicking on Logon Denied. Fore example, you may highlight Saturday and Sundays and click Logon Denied to restrict the user from logging in on these days of the week. Similarly, restricting after office hours such e.g. 6pm-8am will mean that the selected user will not be able to use his/her Domain profile to login during these hours. Click OK –> and then Apply –> OK to finish. The logon denied area is shown with a white color, unlike the logon permitted area (visible in blue).

In many offices the users are not given complete internet access to avoid choking the bandwidth and so that employees may focus more on work than on frivolous activities via the internet. However, the company library and cafeteria may contain systems with full internet access for employees to use during breaks. If someone was to find out the password of these user account(s), he/she might try to login with it on their station to gain complete internet access (which can also be used to transmit sensitive company information via the internet). Therefore, it is necessary to restrict such user accounts to a specified system. To do this, select the respective user’s properties (in Active Directory Users And Computers) and click Logon To (next to Logon Hours). Choose The Following Computers option and enter the computer name that you wish to restrict the user to, e.g. (library computer 1) and click Add. Click OK –> and then Apply –> OK to finish. You can also edit and remove users from the buttons from the Edit and Remove buttons.

Add Computers

Note: Make sure you never restrict the Domain Administrator account with such policies, as the last thing that you would like to tell you boss (when he asks you to perform a Domain related task), is that you are locked out yourself.