2

So this will probably be the opposite of what most people have asked. An Internet search certainly appears to support that.

I have AD users that have logon hour restrictions. I want these logon hour restrictions to also apply to network logons (specifically to OWA and ActiveSync).

So if a user is not allowed to logon after 7pm on Monday, and they have an ActiveSync session created at 6:30pm on Monday, at 7pm I need that ActiveSync session removed.

Unfortunately, testing this with a user has shown that they are very able to still send and receive email on the cell phone.

I need to know why this is not working and how to fix this.

The cell phone is an Android and the Exchange server is Exchange 2010.

Any ideas would be greatly appreciated.

Update 1: I have also enabled Network security: Force logoff when logon hours expire in Group Policy. Yes, I enabled it in the Default Domain Policy as directed by Microsoft. I ran gupdate /force on the DC and on the Exchange server. The user is still able to send and receive emails.

user5870571
  • 3,094
  • 2
  • 12
  • 35

2 Answers2

2

Logon hours restriction isn't going to work with ActiveSync for a number of reasons - the main one being that the client holds open an extended session for many hours and will only re-authenticate periodically. That session is only authenticated again when the time limit is up or the client reconnects.

If you are putting the same hours in place, then you could try a schedule IISRESET on the Exchange server. That will close all open sessions. However I have never tested if this will work with ActiveSync.

The one client who did this had two entry points for ActiveSync and one was literally stopped for the hours it wasn't available. There were obviously a few staff who needed 24x7 access and they came in via the second server.

Sembee
  • 2,884
  • 1
  • 8
  • 11
  • It isn't elegant but it is indeed exactly what I need it to do. If you do an IISRESET it will in fact drop all current connections and force ActiveSync clients to reauthenticate using the token. If the user account is not allowed to login at the time the IISRESET ends then the user account cannot access email. If you allow the user account the permission to login at that time, the token will authenticate with IIS and the user will receive email again. This means you do not need to rerun IISRESET for the user to be able to access their email again. – user5870571 Nov 23 '16 at 03:04
1

Network security: Force logoff when logon hours expire - This disconnects users from any shared folders they are connected to. It does not log them out of their workstation nor does it log them out of their mailbox (via OWA, Activesync or Outlook). I'm not aware of any way to accomplish this natively.

joeqwerty
  • 109,901
  • 6
  • 81
  • 172
  • I was grasping at straws with that. I really need to make sure that when the clock changes to a restricted our mail access on mobile devices stops. – user5870571 Nov 22 '16 at 04:03