I have a Windows Server 2012 server that allows remote desktop users (sessions are hosted on the server itself). I'm trying to enforce logon hours for these remote desktop users.

I have specified logon hours for a user and confirmed that they work--they aren't allowed to log on when logon hours are disabled. However, they are allowed to continue a session past their logon hours limit if they are already signed in (which is fine, this is the default behavior).

However, when I try to use the `Set action to take when logon hours expire` option (User Configuration/Administrative Templates/Windows Components/Windows Logon Options/Set action to take when logon hours expire), and set the behavior to "Logoff", nothing happens--the user can continue their session happily. I've tried applying this policy both for the user's group and for the local computer. I've run gpresult for the user and confirmed that the policy is apparently in place.

I also naively tried the "Force logoff when logon hours expire" option, but that apparently doesn't apply to interactive logins (confusing!).

Am I misapplying this setting, or do I need to take some other steps to get it to work? I'd be grateful for any input. Thanks!

EDIT

So, based on the comment from @RobM and other discussions online, it sounds like this policy doesn't really work (at least not as expected). Is there any official MS documentation for this policy (I looked around some online and couldn't find much), or are there any resources that might cover it?

Assuming this policy is not an option, one possible workaround would be a scheduled task to log users off when their logon hours expire. However, each user's hours may be different, so I cannot use a time-of-day trigger. Is there some "logon hours expired" event (e.g. in the event logs) that I could hook into to run the logoff task?

kardeiz
  • The only absolutely reliable way I know of making this work in the way you're asking for is using a 3rd party product. We use UserLock. – Rob Moir Feb 09 '14 at 14:11
  • @RobM, thanks for the comment. What is the `Set action to take when logon hours expire` policy supposed to do, if not perform an action when logon hours expire? – kardeiz Feb 13 '14 at 12:53
  • If I may ask, what is your end goal with the user? Or to put it more bluntly, are you just wanting to make sure that the user cannot use the system past a certain time, or is there another reason you want their sessions closed (backups, app management, etc...)? If it's the former, then looking into the 'lock' or 'disconnect' options might be a good workaround for you. Otherwise, from what I have found (and as RobM pointed out), it appears that a logoff script or 3rd party software is really the only alternative. – David V Feb 20 '14 at 03:12

1 Answer

A usable workaround for this issue would be to combine settings from two GPOs. First, in User Config\Admin Templates\Windows Components\Windows Logon Options, configure the "Set Action to take when logon hours expire" to disconnect. Then, in User Config\Admin Templates\Windows Components\Remote Desktop Session\Session Time Limits, configure the "Set time limit for disconnected sessions". But be aware that the wording of this GPO reads as "...If you enable this policy setting, disconnected sessions are deleted from the server...", so be sure this is an action you're comfortable with if you choose this route.

Also, as a point of interest, this GPO is under both computer and user configurations. If both are set, the settings under the computer configuration will take precedence, so I feel it would be a better option to use those under user (but choose which is more applicable to you).

David V
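The scheduled-task idea raised in the question can be done by polling rather than waiting for an event. The following is an added example, not code from the thread: it decodes a user's logon hours and reports (or, with `-Enforce`, logs off) sessions that are outside them. It assumes domain accounts and the ActiveDirectory PowerShell module; the function names `Test-LogonHourAllowed` and `Invoke-LogonHoursSweep` and the sample schedule are made up for illustration.

```powershell
# Added example (not from the thread). Assumes domain accounts: logonHours is the
# AD attribute behind the Logon Hours dialog, 21 bytes = 168 bits, one per hour of
# the week from Sunday 00:00 UTC, least-significant bit first within each byte.
function Test-LogonHourAllowed {
    param([byte[]]$LogonHours, [datetime]$WhenUtc = [datetime]::UtcNow)
    # No attribute (or an unexpected length) means no restriction: fail open
    # rather than log someone off because of bad data.
    if ($null -eq $LogonHours -or $LogonHours.Length -ne 21) { return $true }
    $hourOfWeek = ([int]$WhenUtc.DayOfWeek * 24) + $WhenUtc.Hour
    $mask = 1 -shl ($hourOfWeek -band 7)
    return [bool]($LogonHours[$hourOfWeek -shr 3] -band $mask)
}

# Hypothetical sweep for a scheduled task that repeats every few minutes.
# Needs the ActiveDirectory module and rights to log off other sessions.
function Invoke-LogonHoursSweep {
    param([switch]$Enforce)
    Import-Module ActiveDirectory
    # quser prints a header, then one line per session; '>' marks the caller's own.
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        $tokens = ($_ -replace '^[\s>]+', '') -split '\s+'
        $name = $tokens[0]
        # SESSIONNAME is blank for disconnected sessions, so find the ID by shape.
        $id = $tokens | Select-Object -Skip 1 | Where-Object { $_ -match '^\d+$' } |
            Select-Object -First 1
        # Skip accounts that are not in the directory (for example local users).
        try { $user = Get-ADUser -Identity $name -Properties logonHours -ErrorAction Stop }
        catch { return }
        if (-not (Test-LogonHourAllowed -LogonHours $user.logonHours)) {
            Write-Output "Outside logon hours: $name (session $id)"
            if ($Enforce) { logoff $id }
        }
    }
}

# Constructed sample schedule: Monday-Friday, 13:00-21:59 UTC allowed.
$sample = New-Object byte[] 21
foreach ($day in 1..5) {
    foreach ($hour in 13..21) {
        $h = $day * 24 + $hour
        $sample[$h -shr 3] = $sample[$h -shr 3] -bor (1 -shl ($h -band 7))
    }
}
# Both test times are on a Wednesday and are treated as UTC.
Test-LogonHourAllowed -LogonHours $sample -WhenUtc ([datetime]'2014-02-19 14:30')
Test-LogonHourAllowed -LogonHours $sample -WhenUtc ([datetime]'2014-02-19 22:05')
```

Running `Invoke-LogonHoursSweep` without `-Enforce` only lists the sessions it would end, which is a safe way to check the schedule decoding against real accounts first.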