In this article, I will show you how to Perform the Time of day restriction: How to Configure logon hours for users in Active Directory. Please see how to Resolve Account restrictions are preventing this user from signing in: User Account Password has expired. There are times you may want to restrict users’ access to the Active Directory for a few days or hours. Please see Video on how to Permit a Blocked File or App in Windows Security.

This is a security feature that can help to protect IT resources from unauthorized access and system administrators make use of this feature to improve their effectiveness on the job. Here is a YouTube Video discussing this topic.

This restriction can be achieved through the Group Policy if you need to configure it for more than one user, but in this guide, we will be using the AD interface just for a single user.

If you need more guides on Active Directory then you can read these: How to set an account expiration date in Active Directory, How to delegate control for Bitlocker recovery keys in Active Directory.

How to Configure logon hours for users

The first thing you should do is open the Active Directory Users and Computers in the Server Manager and navigate to the user account you want to configure the restriction on.

Next, right-click the user account you want to configure the restriction and select Properties

Here are some related guides: Enable Active Directory Recycle Bin: How to delete and restore objects using Active Directory Administrative Center, Domain Controller: How to install and configure Active Directory Domain Services on Windows Server 2022, and how to fix Error 1385: The user has not been granted the requested logon type at this time.

On the Properties page click the Account tab and Logon Hours.

The below window will appear showing the Permitted or Denied hours. The Permitted color is Blue and while the Denied color is White.

Click on the Logon Denied option. All you need to do is to drag your cursor on the boxes depicting days and hours. Or select each box individually and then click the Logon Permitted.

Please see How to permit (run) only certain apps in windows, learn about The different Windows Logon Types, What are the merits and demerits of Local System Account and Service Logon Accounts, how to fix The sign-in method you are trying to use not allowed: For more information, contact your network administrator, and how to remove Packages from a Linux.

Perform the Time of day Restriction

For example, the below image shows Sunday through Saturday and 12 AM to 2 PM as the period that a user can log on to the Server.

Click on the Logon Permitted option. All you need to do is to drag your cursor on the boxes depicting days and hours.

Or select each box individually and then click the Logon Denied. For example, the below image shows Sunday through Saturday from 6 AM to 4 PM. This is the period that a user can log on to the Server.

After Configuring the Logon Denied time and days. If you try to log in within this period you will definitely get the below message.

Also, see Active Directory Ports: Service and network port requirements for Windows, and AD Explorer from SysInternals: How to use Active Directory Explorer..

I hope you found this blog post Time of day restriction: How to Configure logon hours for users in Active Directory interesting and helpful. In case you have any questions do not hesitate to ask in the comment section.