Windows hole 5 : logon time restrictions by group

Windows does provide logon time restriction functionality on a user-by-user basis.

A System Administrator can go into a user's account and restrict him to only being able to log on at certain times of the day and days of the week. But there is no way to do it by group. The best thing that can be done in Windows is selecting multiple users at the same time but I am sure you see the reasons why that is still nowhere near as manageable or as practical to use as on a group-by-group basis, especially on large and very large networks.

Enforcing time restrictions is nonetheless part of Information System requirements for compliance with major regulatory constraints, including:

• Sarbanes-Oxley (section 409)
• LSF (French Financial Security Law – «surveillance» section)
• PCI («Surveillance» section)
• FISMA / NIST 800-53 / FIPS PUB 200 («Access control» domain)
• GLBA (Gramm-Leach-Bliley Act - («Access control» section)
• HIPAA (Health Insurance Portability and Accountability Act – «Medical data protection» domain)
• US Patriot Act («User monitoring and management» section)

UserLock allows defining working hours and/or maximum locked time and/or time quotas and/or maximum session time for protected users. Outside of this (these) timeframe(s) and/or when time is up, users will be disconnected with prior warning.