Monday, October 30, 2017

Changing AD User Login Hours

Today I received a request to remove the login hour restrictions for all the users in our forest. A little bit of research didn't satisfy my curiosity, so I decided to look into the specifics of this. First, the script is pretty simple. Sometime in the organization's past, someone decided to set the login hours so people could not log in between 02:00 and 04:00. We have a new system, and since students are 24x7 we needed to remove these restrictions. I was asked to simply remove it, so I'm querying all the enabled users and updating them.

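 # Get-ADUser searches the current domain; repeat per domain to cover a forest.
 $Users = Get-ADUser -Filter {enabled -eq $true}
 # 21 bytes x 8 bits = 168 hourly bits; 255 (all bits set) allows every hour.
 [byte[]]$LogonHours = @(255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255)
 $Users | ForEach-Object {
   Set-ADUser $_ -Replace @{logonhours = $LogonHours}
 }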

As you can see, the script isn't complex and simply does its job. My curiosity was with the LogonHours value and why it was so peculiar.

I opened ADSIEdit and looked at the field in question and it appears like this:
[Image: ADSI LogonHours Data]

As you can see, it's separated into 21 one-byte fields. Each byte represents eight hours, starting at midnight Sunday morning. If a bit is set to 0, the user is not able to log in for that hour; if it's set to 1, the user has authority to log in. As an example, if you wanted no restrictions, the bytes would all be set to 255. If you wanted to enable 8am until 6pm (08:00 - 18:00) it would appear as "00 FF 02". This would allow them to log into the system until 17:59, however at 18:01 they would be unable to log in.
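
The bit layout described above, as an added example (not code from the original post): a decoder that lists the denied hours per day for a 21-byte logonHours value, so an existing restriction can be reviewed before it is overwritten. `ConvertFrom-LogonHours` is a hypothetical helper name, the sample bytes are constructed, and the decoder assumes the first hour of each byte is its least significant bit and that hours are UTC, which is how AD stores the attribute.

```powershell
# Added example. ConvertFrom-LogonHours is a hypothetical helper, not an AD cmdlet.
function ConvertFrom-LogonHours {
    param([Parameter(Mandatory)][byte[]]$LogonHours)

    if ($LogonHours.Length -ne 21) {
        throw "logonHours must be exactly 21 bytes, got $($LogonHours.Length)"
    }
    $days = 'Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    for ($d = 0; $d -lt 7; $d++) {
        $denied = @()
        for ($h = 0; $h -lt 24; $h++) {
            # Three bytes per day; hour $h is bit ($h % 8) of byte ($h -shr 3),
            # counting from the least significant bit.
            $byte = $LogonHours[$d * 3 + ($h -shr 3)]
            if (($byte -band (1 -shl ($h % 8))) -eq 0) { $denied += $h }
        }
        [pscustomobject]@{
            Day          = $days[$d]   # day and hour boundaries are UTC
            Unrestricted = ($denied.Count -eq 0)
            DeniedHours  = ($denied | ForEach-Object { '{0:D2}:00' -f $_ }) -join ', '
        }
    }
}

# Constructed sample: the 02:00-04:00 block from the post, taken as UTC.
# 0xF3 = 11110011b clears bits 2 and 3 of each day's first byte.
[byte[]]$restricted = @(0xF3, 0xFF, 0xFF) * 7
# The value the post's script writes: every bit set.
[byte[]]$open = @(255) * 21

ConvertFrom-LogonHours $restricted | Format-Table -AutoSize
ConvertFrom-LogonHours $open | Format-Table -AutoSize

# Against a directory (requires the ActiveDirectory module); an unset
# logonHours attribute means no restriction, so those users are skipped:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties logonHours |
#     Where-Object logonHours |
#     ForEach-Object { ConvertFrom-LogonHours $_.logonHours }
```

Because the attribute is stored in UTC, a window entered in local time in the management GUI lands on different bits, and can spill across a day boundary.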

It took me a few seconds to figure out what was going on here and why it wasn't in a standard format, however, once I put it together it actually makes perfect sense. 

Hope this helped someone out. 

The same field in binary just so you can see:

[Image: logonHours in binary; each bit represents an hour]

Tuesday, June 13, 2017

Another Update & Rename… kinda…

I’ve moved again and am now in Higher Education. A recap of the last many years would be:
  • Death Care Provider
  • Federal Government (DHS)
  • IBM Partner / Contractor
  • Own Business
  • Higher Education
Not a horrible career trajectory. There are a few things I’ve noticed in the industry recently and am hoping to write a few articles about them soon.
At the university that currently sends me money on a regular basis, we have no configuration or standards management. Literally everything we do is ad-hoc and non-repeatable. We are currently implementing new processes, standards and security. A lot of this will be completed using Chef and related components. We are implementing a new internal cloud infrastructure and looking to be as responsive to our internal customers as the public cloud providers (actually we would like to be better, just sayin’).

I have never had the inclination to learn Git, Ruby, JavaScript or Python; however, they are all required skills I will need to acquire in the next few months while we transition to a more DevOps culture here. I'm looking to start posting additional code on GitHub and will be linking it here.

Should be exciting!