Re: TS Logon Restriction by hours

You could try the freebie SecureRDP (http://www.2x.com/securerdp) and simply
prevent the user's home computers from connecting to the Terminal Server
(either all day, or during certain hours).

Regards,
Simon.

"Jeff Pitsch" <jeff@xxxxxxxxxxxxxxxxx> wrote in message
news:eW7o7O3RGHA.1780@xxxxxxxxxxxxxxxxxxxxxxx
I believe you would need a 3rd party product like Citrix Presentation
Server or do some fancy scripting.

Jeff Pitsch
Microsoft MVP - Terminal Services
http://www.sbcgatekeeper.com
Your Terminal Services Security Website

"TBakk" <newsgroups@xxxxxxxxxxxxxx> wrote in message
news:OsEIYRxRGHA.4740@xxxxxxxxxxxxxxxxxxxxxxx
Does anyone know a way of restricting a given 2003 domain account
so that it can only logon to a Windows 2000 Terminal Server during a
certain window of time, WITHOUT using the normal
'Logon Hours' restrictions for a domain account (as these would
prevent the account from logging into the network at all during this
time)?


We have some users in a branch office who use one of our Terminal
Servers at the head office over a WAN link during their normal
business hours. We would like to be able to prevent them from logging
into the Terminal Server from home without preventing them doing so
during the day. We can't use the normal 'Logon Hours' restrictions
for their accounts because they will sometimes work late at the office
and will need to be able to logon to their local network (which is
part of the head office domain) during off hours. We can't disable
Terminal Services between certain hours as other people from different
offices (and their homes) use the same Terminal Server at all times of
day/night... and for the same reasons we can't put IP address/subnet
restrictions in place to allow only certain networks to connect. If
it was possible to either set the logon hours on their domain accounts
just for Terminal Services seperately from the normal network login,
or restrict logons to a specified client host (similar to the 'Logon
To...' settings for a normal domain account) it would be perfect.


I'm beginning to think this can't be done without using third-party
tools... unless someone can think of some way to apply group policies
only during certain times of day, or similar...?


I could probably acheive this in a very messy way using logon scripts
and third-party tools to check whether the client is connecting via a
TS client, but would prefer not to.


Tony






.

Relevant Pages

  • Re: Terminal Server and Local Policy
    ... It is not a question of "user profiles" (you can have those on Windows 98 ... A Terminal Server can not "override" client ... icon to connect to the Terminal Server, they can not logon to the Terminal ... "Remote Desktop Users" group have the right to logon via Terminal Services. ...
    (microsoft.public.windows.server.general)
  • Re: Terminal Server User Setup
    ... if you have published terminal services to internet. ... >> I already setup the Terminal Server and all users can connect to TS ... users can logon to domain through VPN and then ...
    (microsoft.public.windows.server.sbs)
  • Re: Domain Users cant execute applications on SBServer
    ... execute the program on the Terminal Server. ... the domain user logon workstation have administrator permission ... Add the domain users group to Terminal Server local Administrators group: ...
    (microsoft.public.windows.server.sbs)
  • Re: IISRESET needed for clients to reestablish TS-connection
    ... I hope this might have been the login failures on our TS through TS Gateway. ... This event is generated when a logon session is destroyed. ... Our clients are able to reconnect to the Terminal Server after this ...
    (microsoft.public.windows.terminal_services)
  • WIN2K AD issue with Terminal Server 2003
    ... I added a Win2003 Terminal server to our Win2K AD network. ... permission to connect to a terminal server on the network. ... CLIENT PROVIDED LOGON settings. ...
    (microsoft.public.windows.server.active_directory)