    Logon Duration in Active Directory

    by tumtum73 ·

    I have several users at my organization that stay logged in constantly; they never log out even though we have told them to. The problem is that when their password expires after 90 days, they don’t get prompted to change it. I want to be able to run a script of some type that would find the logon duration, and if it is over 76 days (14 days to change their password), spit out a report, or log them off or something. I know AD has a LastLogon attribute, but that would look the same if the person had logged on three weeks ago and logged off, or logged on and stayed logged on. Does anyone know of a way to calculate or display the Logon Duration in Active Directory?

    Thanks,
    Steve

All Comments

    • #3174100

      Reply To: Logon Duration in Active Directory

      by ch_thies ·

      In reply to Logon Duration in Active Directory

      I have been looking for this for a while, and I think this could help you.

      http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnclinic/html/scripting09102002.asp

      Please let me know if that solves your problem

      • #3174934

        Reply To: Logon Duration in Active Directory

        by tumtum73 ·

        In reply to Reply To: Logon Duration in Active Directory

        Thanks for the Article… I was so focused on finding the Logon duration, I didn’t even think of looking at the password details.

        Thanks.
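
The password-age approach this sub-thread settles on, as an added example that is not part of the original posts or the linked article: it flags accounts whose password is over 76 days old under the 90-day policy described in the question. The function name `Get-PasswordExpiryReport`, its parameters and the sample accounts are hypothetical; the commented-out live query assumes the ActiveDirectory module's `Get-ADUser` is available.

```powershell
# Added example. Thresholds come from the thread (90-day maximum, 14-day window).
# Assumption: one domain-wide maximum age; fine-grained policies are not handled.
function Get-PasswordExpiryReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        [int]$MaxAgeDays = 90,
        [int]$WarnDays   = 14,
        [datetime]$Now   = (Get-Date)
    )
    process {
        # Accounts exempt from expiry are out of scope for this report.
        if ($User.PasswordNeverExpires) { return }

        if ($null -eq $User.PasswordLastSet) {
            # Null means never set, or flagged "must change at next logon".
            $age = $null; $left = $null; $status = 'MustChange'
        } else {
            $age  = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            $left = $MaxAgeDays - $age
            if ($left -ge $WarnDays) { return }   # not over 76 days old yet
            $status = if ($left -le 0) { 'Expired' } else { 'ExpiringSoon' }
        }

        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordAgeDays = $age
            DaysLeft        = $left
            Status          = $status
        }
    }
}

# Constructed sample input (not real accounts), evaluated at a fixed date.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; PasswordLastSet = $now.AddDays(-30);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';   PasswordLastSet = $now.AddDays(-80);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol'; PasswordLastSet = $now.AddDays(-120); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc01'; PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'dave';  PasswordLastSet = $null;              PasswordNeverExpires = $false }
)
$sample | Get-PasswordExpiryReport -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordExpiryReport
```

Because the check reads password age rather than session length, it gives the same answer for a user who has stayed logged on for months and one who logs off daily.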

    • #3174040

      Reply To: Logon Duration in Active Directory

      by seanl ·

      In reply to Logon Duration in Active Directory

      I had a similar problem with one or 2 users never logging out, resulting in some errors on my backups (mainly the .pst files from Outlook). I simply set a recurring task in the task scheduler that forcefully reboots their PCs each evening (just before my backups start). They are not allowed to be logged in overnight, so I just sent them all a warning that they might lose any unsaved work when the reboot occurs… (had buy-in from management to do this, and it has worked like a charm)

      • #3175238

        Reply To: Logon Duration in Active Directory

        by tumtum73 ·

        In reply to Reply To: Logon Duration in Active Directory

        That is not an option; many folks work different shifts, a lot of the management work late, and someone is here 24×7. Besides, I don’t have a problem with them staying logged in, but to be SOX compliant they have to change their password every 90 days, and that is really my focus. Thanks.

    • #3174037

      Reply To: Logon Duration in Active Directory

      by bfilmfan ·

      In reply to Logon Duration in Active Directory

      Why not set logon hours for the user accounts in Users and Computers?

      Get management buy-in and set the hours they can and cannot be logged in. This would be a snap to set on those users that are just too busy to bother with logging off the network.

      1. Open Active Directory Users and Computers.

      2. In the console tree, click Users.

      3. Right-click the user account, and then click Properties.

      4. On the Account tab, click Logon Hours, and then set the permitted or denied logon hours for the user.

      • #3175237

        Reply To: Logon Duration in Active Directory

        by tumtum73 ·

        In reply to Reply To: Logon Duration in Active Directory

        This seems like an unnecessary entry for the accounts. I don’t want to limit the hours my staff can work; I want to ensure they log off when their password expires. Thanks.

    • #3174933

      Reply To: Logon Duration in Active Directory

      by tumtum73 ·

      In reply to Logon Duration in Active Directory

      This question was closed by the author