Windows hole 7: No forcible logoff when allowed logon time expires

Using Active Directory functionality, a system administrator can restrict a user (let us call her Carol this time) to working only from 07:00 am to 05:00 pm.

What really happens if Carol logs on at about 01:00 and remains logged on past 05:00? Windows will not log her off of her workstation at that time, because there is no native control in Windows to do that.

Group Policy Object

There is a setting (Local Policies > Security Options), though, that might make you think it works that way: «Automatically logoff users when logon time expires.» But this setting only applies to file and print servers (SMB component).

Carol logs on at her workstation and accesses a file server. If she remains logged on and accessing this file server past 05:00 pm (provided she has no files open on that file server), when 05:00 pm rolls around, the file server will disconnect her and prevent her from reconnecting to the file server itself. But there is absolutely nothing in Windows that will log her off of her workstation where she is interactively logged on at the console.
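To see which console sessions are in this state, the check below (an added example, not code from the original page or from the vendor) decodes a user's Active Directory logonHours bitmap and flags interactive sessions that are still open after the allowed window has closed. It assumes the attribute's usual layout (21 bytes, one bit per hour of the week, starting Sunday 00:00 UTC, low-order bit first); the user names, host names, session list and the reading of Carol's 07:00 to 17:00 window as UTC are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

HOURS_PER_WEEK = 168  # logonHours is 21 bytes: one bit per hour, Sunday 00:00 UTC first

def make_bitmap(allowed_hours):
    """Constructed helper: the same allowed UTC hours on all seven days."""
    bits = bytearray(HOURS_PER_WEEK // 8)
    for day in range(7):
        for hour in allowed_hours:
            idx = day * 24 + hour
            bits[idx // 8] |= 1 << (idx % 8)  # low-order bit is the earliest hour
    return bytes(bits)

def is_hour_allowed(logon_hours, when):
    """True if the timezone-aware datetime falls in an allowed hour."""
    utc = when.astimezone(timezone.utc)
    idx = ((utc.weekday() + 1) % 7) * 24 + utc.hour  # Python: Monday=0, AD: Sunday=0
    return bool(logon_hours[idx // 8] >> (idx % 8) & 1)

def denied_since(logon_hours, now):
    """Start (UTC) of the current run of denied hours; None if allowed now or never allowed."""
    t = now.astimezone(timezone.utc).replace(minute=0, second=0, microsecond=0)
    if is_hour_allowed(logon_hours, t):
        return None
    for _ in range(HOURS_PER_WEEK):
        if is_hour_allowed(logon_hours, t - timedelta(hours=1)):
            return t
        t -= timedelta(hours=1)
    return None

def overstaying_sessions(sessions, logon_hours_by_user, now):
    """Interactive sessions still open although the user's logon hours have expired."""
    findings = []
    for user, host, logon_time in sessions:
        bitmap = logon_hours_by_user.get(user)
        if not bitmap or is_hour_allowed(bitmap, now):
            continue  # attribute not set means no time restriction
        findings.append((user, host, logon_time, denied_since(bitmap, now)))
    return findings

# Constructed sample data: Carol may log on 07:00-17:00 UTC; Dave has no restriction.
HOURS = {"carol": make_bitmap(range(7, 17)), "dave": None}
NOW = datetime(2024, 3, 6, 18, 30, tzinfo=timezone.utc)
SESSIONS = [("carol", "WKS-014", datetime(2024, 3, 6, 13, 0, tzinfo=timezone.utc)),
            ("dave", "WKS-022", datetime(2024, 3, 6, 9, 0, tzinfo=timezone.utc))]

if __name__ == "__main__":
    for user, host, logon, since in overstaying_sessions(SESSIONS, HOURS, NOW):
        print(f"{user} on {host}: logged on {logon:%H:%M}, hours expired {since:%H:%M} UTC")
```

Because the bitmap is stored in UTC, pass timezone-aware timestamps so that local session times are converted before the lookup.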

This feature is nonetheless required for an Information System to comply with major regulatory constraints, including:

Outside of authorized timeframe(s) and/or when time is up, UserLock will really disconnect users with prior warning.
