Restrict Active Directory
User Logon hours
& Force Logoff On a Windows Server Domain

Enforce logon hour restrictions, maximum session length and time quotas for all Active Directory users. Go beyond native controls and set by group, on different session types and force logoff when outside of authorized timeframes.

Start a free trial Book a Demo
Restrict Active Directory User Logon hours

Logon Time Restrictions Far beyond Native Windows Controls

UserLock makes it easy to manage the hours and days that any user, or group of users, may log on to a Windows Server domain; helping implement effective login controls that improve network security.

Logon Hour Restrictions

For a defined time period, set logon hours as either authorized or denied for different session types.

Use Case Example 1

For a group of users deny any interactive logon outside business hours

Watch Video Step by Step guide

Session Time Quotas

Authorize a maximum period of time (hours and minutes) a user is connected – per day, week or month - for different session types.

Use Case Example 2

For a group of users enforce 37 hours per week of workstation session usage.

Step by Step guide

Administrator options

Set by Group

Unlike native Windows, UserLock allows logon time restrictions to be set for any user, group of users or Organization Unit.

Set by Session Type

Configure the time frames for different types of session (workstation, terminal, Wi-Fi & VPN and/or IIS).

Set Maximum Session Length

When the time expires, the session will automatically logoff the user– with prior warning.

Set according to Machine’s Local Time Zone

Choose to apply time restrictions according to each client machine’s time instead of the UserLock server time.


Force Logoff When Logon Hours Expire

Using native controls, there is no way to force a user to log off an interactive logon session, when their hours expire.

But with UserLock, an administrator can choose to automatically logoff users outside of authorized timeframes, or when time is up.

A warning notification can be displayed to users before UserLock initiates the session logoff.

Logoff session Force logoff when logon hours expire

Force Logoff & Idle Session Time Limit

UserLock can also automatically logoff sessions after a specific idle time. This forced logoff helps protect shared workstations which are left open and pose obvious security and compliance risks.

Logoff every open session after an idle period of 20 minutes

Use Case Example 3

Logoff every open session by any member of a group after an idle period of 20 minutes.

Step by Step guide

Reporting on Logon Hours

Easy-to-read reports on the logon hours for all users on your network. Every connection event, across all session types are considered to build an accurate picture of the actual work hours.

With more and more organizations managing flexible working hours and remote users, it makes it easier for IT admins to see how much users are actively connected.

Working hours history Working hours by week Working hours by month

Get the UserLock Web App

Monitor and respond to network sessions quickly, easily, and from anywhere with the UserLock Web App.


New UserLock Web App

More Context Aware Restrictions

Restrictions by time constraints work alongside the other UserLock contextual access restrictions (session type, number of simultaneous connections and origin) to best protect and secure Active Directory user access.

Session typeSession type

Session type

Control workstation, terminal, Wi-Fi, VPN and IIS sessions to protect both interactive sessions and network access for remote and mobile users.

Read more

Simultaneous Connections

Simultaneous Connections

Limit the number of unique entry points and concurrent sessions to prevent simultaneous logins from a single identity.

Read more



Limit access by location with controls at workstation, device, IP range, organizational unit (OU),
department and country.

Read more


Request a personalized demo now

Discover how UserLock can help you meet your needs.

Secure Active Directory Credentials with Multi-Factor Authentication (MFA)

Read More