Monday, October 30, 2017

Changing AD User Login Hours

Today I received a request to remove the logon hour restrictions for all the users in our forest. A little bit of research didn't satisfy my curiosity, so I decided to look into the specifics of this. First, the script is pretty simple. Sometime in the organization's past, someone decided to set the logon hours so people could not log in between 02:00 and 04:00. We have a new system, and since students are 24x7 we needed to remove these restrictions. I was asked to simply remove them, so I'm querying all the enabled users and simply updating them.

 # Requires the ActiveDirectory module (RSAT) and an account allowed to modify user objects.
 Import-Module ActiveDirectory

 # Every enabled user in the current domain. Get-ADUser only queries one domain;
 # for a multi-domain forest, repeat this for each entry in (Get-ADForest).Domains with -Server.
 $Users = Get-ADUser -Filter 'Enabled -eq $true'

 # logonHours is 21 bytes = 168 bits, one bit per hour of the week.
 # A set bit allows logon in that hour, so 21 bytes of 255 (0xFF) means no restriction at all.
 [byte[]]$LogonHours = ,255 * 21

 $Users | ForEach-Object {
   Set-ADUser $_ -Replace @{logonHours = $LogonHours}
 }

As you can see, the script isn't complex and simply does its job. My curiosity was about the logonHours value and why it looked so peculiar.

I opened ADSIEdit and looked at the field in question and it appears like this:
[Image: ADSI LogonHours Data]
As you can see, the attribute is 21 bytes long. Each byte covers eight hours, and the first byte starts at midnight Sunday morning, so the 168 bits map onto the 168 hours of the week. If a bit is 0 the user cannot log in during that hour; if it is 1 they can. With no restrictions, every byte is 255 (0xFF). Within a byte the lowest-order bit is the earliest hour, so if you wanted to allow 8am until 6pm (08:00 - 18:00) on a given day, that day's three bytes would appear as "00 FF 03": hours 0-7 are all cleared, hours 8-15 are all set, and hours 16 and 17 are bits 0 and 1 of the third byte (0x01 + 0x02 = 0x03). This allows the user to log in until 17:59; at 18:00 a new logon would be refused. Two caveats: the attribute is stored in UTC, and the Logon Hours dialog in Active Directory Users and Computers converts from the local time zone of the machine you run it on, so the raw bytes in ADSI Edit are shifted from the hours you clicked unless that machine runs on UTC. And logon hours only gate new logons; an existing session is cut off at the boundary only if the "Microsoft network server: Disconnect clients when logon hours expire" security policy is enabled.
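To make the bit layout concrete, here is an added example that is not code from the original post: a function that builds a logonHours byte array from allowed hour ranges, one that decodes an existing array back into a weekly schedule, and a hex formatter so you can compare against what ADSI Edit shows. The function names are my own. It assumes hours are given in UTC, which is how AD stores the attribute; convert from local time yourself if you want to match what the ADUC dialog would write.

```powershell
# Added example (not from the original post). Hours are UTC, as stored by AD.
$DayNames = 'Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'

function New-LogonHoursBitmap {
    # $Allowed maps a day name to one or more @{Start=<hour>; End=<hour>} ranges,
    # Start inclusive, End exclusive (8..18 means 08:00 through 17:59).
    param([Parameter(Mandatory)][hashtable]$Allowed)

    [byte[]]$bitmap = New-Object byte[] 21            # 21 * 8 = 168 bits, one per hour of the week
    foreach ($day in $Allowed.Keys) {
        $dayIndex = [array]::IndexOf($DayNames, $day)  # 0 = Sunday ... 6 = Saturday
        if ($dayIndex -lt 0) { throw "Unknown day name '$day'" }
        foreach ($range in $Allowed[$day]) {
            if ($range.Start -lt 0 -or $range.End -gt 24 -or $range.Start -ge $range.End) {
                throw "Invalid range $($range.Start)-$($range.End) on $day"
            }
            for ($hour = $range.Start; $hour -lt $range.End; $hour++) {
                $weekHour  = $dayIndex * 24 + $hour    # 0 = Sunday 00:00, 167 = Saturday 23:00
                $byteIndex = [int][math]::Floor($weekHour / 8)
                $bitIndex  = $weekHour % 8             # bit 0 is the earliest hour within the byte
                $bitmap[$byteIndex] = $bitmap[$byteIndex] -bor (1 -shl $bitIndex)
            }
        }
    }
    return ,$bitmap                                    # leading comma keeps the byte[] from unrolling
}

function ConvertFrom-LogonHoursBitmap {
    # Prints one line per day with the allowed UTC hour ranges, or '(none)'.
    param([Parameter(Mandatory)][byte[]]$Bitmap)

    if ($Bitmap.Length -ne 21) { throw "logonHours must be exactly 21 bytes, got $($Bitmap.Length)" }
    for ($d = 0; $d -lt 7; $d++) {
        $ranges = @()
        $start  = $null
        for ($h = 0; $h -le 24; $h++) {                # 24 is a sentinel that closes an open range
            $allowed = $false
            if ($h -lt 24) {
                $weekHour = $d * 24 + $h
                $allowed  = ($Bitmap[[int][math]::Floor($weekHour / 8)] -band (1 -shl ($weekHour % 8))) -ne 0
            }
            if ($allowed -and $null -eq $start) { $start = $h }
            elseif (-not $allowed -and $null -ne $start) {
                $ranges += ('{0:D2}:00-{1:D2}:00' -f $start, $h)
                $start = $null
            }
        }
        $text = if ($ranges.Count) { $ranges -join ', ' } else { '(none)' }
        '{0,-9} {1}' -f $DayNames[$d], $text
    }
}

function Format-LogonHoursHex {
    # Same byte order ADSI Edit displays: byte 0 (Sunday 00:00-07:59) first.
    param([Parameter(Mandatory)][byte[]]$Bitmap)
    ($Bitmap | ForEach-Object { $_.ToString('X2') }) -join ' '
}

# Constructed sample: Monday to Friday 08:00-18:00 UTC, no weekend logon.
$schedule = @{}
foreach ($day in 'Monday','Tuesday','Wednesday','Thursday','Friday') {
    $schedule[$day] = @(@{Start = 8; End = 18})
}
[byte[]]$bitmap = New-LogonHoursBitmap -Allowed $schedule
Format-LogonHoursHex $bitmap
# Each weekday occupies three bytes reading 00 FF 03: hours 0-7 clear, 8-15 set,
# 16 and 17 as bits 0 and 1 of the third byte. Sunday and Saturday are 00 00 00.
ConvertFrom-LogonHoursBitmap $bitmap

# To apply to an account (hypothetical user jdoe; not run here):
# Set-ADUser -Identity jdoe -Replace @{logonHours = $bitmap}
```

To inspect an existing account, `(Get-ADUser jdoe -Properties logonHours).logonHours` returns the byte array, which you can pass straight to the decoder; if the attribute has never been set it comes back empty, and an absent logonHours also means the user is unrestricted. The decoder rejects anything that is not exactly 21 bytes, since a short or long array is the usual sign that a script built the value wrong.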

It took me a few seconds to figure out what was going on here and why it wasn't in a standard format. Once I put it together, though, it actually makes perfect sense.

Hope this helped someone out. 



The same field in binary just so you can see:

[Image: logonHours in binary; each bit represents an hour]


