Active Directory Logon Hours Restrictions

I recently had to use the feature for restricting network accessibility by time of day. This is an age-old security restriction on systems I’ve learned about since the dawn of my network support experience in the ’90s. But it was a feature that was never used on any of the networks I’ve managed. When I finally had to use the feature on Windows Server, the simple interface had me stymied by a simple question: “What time zone?” The nice display with the 24-hours-a-day columns and seven-days-a-week rows begged the question. My management station is in Eastern time, the server I’m making the change on is Mountain time, the user affected is Pacific time. There are Domain Controllers in four different time zones. So what time rules? Local machine of login? Domain Controller doing the authentication? Domain Controller or management station making the setting?

So Google is my friend, but he let me down this time, or I just didn’t know how to search. My trip to the Server 2003 documentation site for AD on TechNet also yields no answer. So I document the results of my discoveries here for posterity.

So first I make a restriction active on the test user account and try to log in on my test computer. The Domain Controller making the restriction is Mountain time and the login is happening in Eastern. This is also the Domain Controller that is authenticating the user. The time zone of the Domain Controller applies. I then connect to Domain Controllers in the other three time zones and look at the user account. They all adjust the hours display to match their own time zone. In other words, the display in ADUC reflects the time zone setting of the Domain Controller that you are connected to.

The feature is accessed in ADUC (Active Directory Users and Computers) on the user object’s Account tab, under the “Logon Hours Restrictions” option. By default all hours of all days are permitted. On this display you simply select day and hour time ranges and change them from Logon Permitted to Logon Denied. The time zone of the Domain Controller you are connected to applies to the setting.
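
The shifting grid described above can be reproduced offline. This is an added example, not part of the original post: it assumes the documented layout of the `logonHours` attribute (21 bytes, one bit per hour of the week, stored in UTC starting Sunday 00:00) and fixed standard-time offsets with no DST; the sample value and all function names are constructed for illustration.

```python
# Added example: decode an AD logonHours value and render it per time zone.
# Layout assumed (documented for the attribute): 21 bytes = 168 bits, one per
# hour of the week in UTC; bit 0 of byte 0 is Sunday 00:00-00:59 UTC.
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 168

def encode_local(permitted, utc_offset):
    """Build the 21-byte value from (day, hour) pairs given in local time."""
    raw = bytearray(21)
    for day, hour in permitted:
        utc_index = (day * 24 + hour - utc_offset) % HOURS_PER_WEEK
        raw[utc_index // 8] |= 1 << (utc_index % 8)
    return bytes(raw)

def decode_local(raw, utc_offset):
    """Return the permitted (day, hour) pairs as seen at utc_offset."""
    if len(raw) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    seen = set()
    for utc_index in range(HOURS_PER_WEEK):
        if (raw[utc_index // 8] >> (utc_index % 8)) & 1:
            # Shift the UTC hour into local time, wrapping around the week.
            local = (utc_index + utc_offset) % HOURS_PER_WEEK
            seen.add((local // 24, local % 24))
    return seen

def render(raw, utc_offset):
    """One row per day, 24 columns, like the ADUC grid ('#' = permitted)."""
    seen = decode_local(raw, utc_offset)
    return "\n".join(
        f"{DAYS[d]} " + "".join("#" if (d, h) in seen else "." for h in range(24))
        for d in range(7))

# Constructed sample: weekdays 08:00-17:59 as set from a Mountain-time console.
OFFSETS = {"Eastern": -5, "Mountain": -7, "Pacific": -8}  # standard time, no DST
SAMPLE = encode_local([(d, h) for d in range(1, 6) for h in range(8, 18)],
                      OFFSETS["Mountain"])

if __name__ == "__main__":
    for zone, off in OFFSETS.items():
        print(f"--- {zone} (UTC{off:+d}) ---\n{render(SAMPLE, off)}")
```

Running it prints the same stored value three times, with the permitted block sliding two hours later in the Eastern view and one hour earlier in the Pacific view.
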
Originally Posted July 03, 2009
Last Revised on November 20, 2010