TS Logon Restriction by hours



Does anyone know a way of restricting a given 2003 domain account
so that it can only log on to a Windows 2000 Terminal Server during a certain
window of time, WITHOUT using the normal
'Logon Hours' restrictions for a domain account (as these would
prevent the account from logging into the network at all during this
time)?


We have some users in a branch office who use one of our Terminal
Servers at the head office over a WAN link during their normal
business hours. We would like to be able to prevent them from logging
into the Terminal Server from home without preventing them doing so
during the day. We can't use the normal 'Logon Hours' restrictions
for their accounts because they will sometimes work late at the office
and will need to be able to log on to their local network (which is
part of the head office domain) during off hours. We can't disable
Terminal Services between certain hours as other people from different
offices (and their homes) use the same Terminal Server at all times of
day/night... and for the same reasons we can't put IP address/subnet
restrictions in place to allow only certain networks to connect. If
it was possible to either set the logon hours on their domain accounts
just for Terminal Services separately from the normal network login,
or restrict logons to a specified client host (similar to the 'Logon
To...' settings for a normal domain account) it would be perfect.


I'm beginning to think this can't be done without using third-party
tools... unless someone can think of some way to apply group policies
only during certain times of day, or similar...?


I could probably achieve this in a very messy way using logon scripts
and third-party tools to check whether the client is connecting via a
TS client, but would prefer not to.


Tony

