Collaboration

Restrict logon access with this command

Do you need to make sure employees aren't cruising the Internet or using the network to browse inappropriate sites or copy proprietary data? What if you just want to control when your children can use the computer so they're not on the Internet without supervision? You can restrict the times that specified accounts can log on — and gain greater control of your machines and Internet usage in the process.

Restricting logon times and enforcing that restriction on a Windows domain is fairly easy using the Active Directory Users and Computers snap-in. However, if you have a small workgroup network or just a couple of home machines in your home, the process takes a few extra steps using the net user command.

To get started, you need to decide which accounts you're going to restrict. For a list of all the accounts on a machine, follow these steps:

  1. Go to Start | Run, type cmd, and click OK.
  2. Type net user, and press [Enter].

This displays a list of accounts on the machine. Here's an example of what it might look like:

Administrator     ASPNET        Dad

Junior Mom Sister

SUPPORT_123123

Using this list as an example, let's say we've decided to restrict access to the computer (and the Internet) for Junior and Sister.

Keeping the command prompt with the displayed accounts open, we'll start adding time restrictions for Junior. Let's say we've determined he should only have access to the computer from 8 A.M. to 8 P.M. Follow these steps:

  1. Go to Start | Run, type cmd, and click OK.
  2. Type net user Junior /time: M-Th,4pm-8pm;F-Su,8am-8pm.
  3. Press [Enter]; you should receive a message that the command completed successfully.

What if you want to set different restrictions for different users? For example, in our sample family, Sister is older, so we want to let her access the computer a little later. Type the following command, and press [Enter]:

net user Sister /time: M-Th,4pm-9pm;F-Su,8am-9pm

These two commands set account restrictions for weekday and weekend logon for both accounts. If you make a mistake for an account or want to start over, you can always clear the restriction with this command:

net user Sister /time:all
Note: The system limits time to one-hour increments, which means you can only restrict the user on the hour (e.g., 13:00 or 1pm, not 13:30 or 1:30pm). You can use the abbreviation for the day (i.e., M,T,W,Th,F,Sa,Su). In addition, keep in mind that these restrictions will not force a logoff — they only enforce logon time.

Final thoughts

Controlling access to the machines you own and the Internet you pay for is easy once you know how. If you haven't implemented this action (especially for your children), I suggest you do so today.

Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.

Worried about security issues? Who isn't? Automatically sign up for our free Security Solutions newsletter, delivered each Friday, and get hands-on advice for locking down your systems.

Editor's Picks

Free Newsletters, In your Inbox