Logon Duration in Active Directory

By tumtum73 ·
I have several users at my organization that stay logged in constantly; they never log out even though we have told them to. The problem is that when their password expires after 90 days, they don't get prompted to change it. I want to be able to run a script of some type that would find the logon duration, and if it is over 76 days (14 days to change their password), spit out a report, or log them off or something. I know AD has a LastLogon attribute, but that would look the same if the person had logged on three weeks ago and logged off, or logged on and stayed logged on. Does anyone know of a way to calculate or display the Logon Duration in Active Directory?



by ch_thies In reply to Logon Duration in Active ...

I have been looking for this for a while, and I think this could help you.**02002.asp

Please let me know if that solves your problem


by tumtum73 In reply to

Thanks for the Article... I was so focused on finding the Logon duration, I didn't even think of looking at the password details.
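A password-age report along the lines this reply points toward, as an added example that is not part of the original thread or the linked article. It assumes a single domain-wide 90-day policy (no fine-grained password policies); `Get-PasswordAgeStatus` is a hypothetical helper name, the sample accounts are constructed, and `PasswordLastSet` and `PasswordNeverExpires` are the properties `Get-ADUser` returns when requested with `-Properties`.

```powershell
# Thresholds taken from the thread: 90-day expiry, 14-day change window.
$MaxAgeDays = 90
$WarnAtDays = $MaxAgeDays - 14   # report from day 76 onward

# Hypothetical helper: classifies objects shaped like Get-ADUser output.
function Get-PasswordAgeStatus {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        # Accounts flagged "password never expires" are outside the policy.
        if ($User.PasswordNeverExpires) { return }
        if ($null -eq $User.PasswordLastSet) {
            # No PasswordLastSet value (pwdLastSet of 0): change required at next logon.
            $age = $null; $status = 'MustChangeAtNextLogon'
        } else {
            $age = [math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            if ($age -ge $MaxAgeDays) { $status = 'Expired' }
            elseif ($age -ge $WarnAtDays) { $status = 'ChangeDue' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            AgeDays         = $age
            Status          = $status
        }
    }
}

# Constructed sample accounts so the logic can be checked without a domain.
$asOf = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.fresh';   PasswordLastSet = $asOf.AddDays(-20); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'user.due';     PasswordLastSet = $asOf.AddDays(-80); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'user.expired'; PasswordLastSet = $asOf.AddDays(-95); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc.exempt';   PasswordLastSet = $asOf.AddDays(-400); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'user.reset';   PasswordLastSet = $null; PasswordNeverExpires = $false }
)
$sample | Get-PasswordAgeStatus -Now $asOf | Where-Object Status -ne 'OK' | Format-Table

# Live use (requires the ActiveDirectory module on a domain-joined host):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordAgeStatus | Where-Object Status -ne 'OK'
```

Because the report is driven by when the password was last set rather than by logon time, it gives the same answer whether the user logged off three weeks ago or never logged off at all.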



by SeanL In reply to Logon Duration in Active ...

I had a similar problem with one or 2 users never logging out, resulting in some errors on my backups (mainly the .pst files from Outlook). I simply set a recurring task in the task scheduler that forcefully reboots their PCs each evening (just before my backups start). They are not allowed to be logged in overnight, so I just sent them all a warning that they might lose any unsaved work when the reboot occurs... (had buy-in from management to do this, and it has worked like a charm)


by tumtum73 In reply to

That is not an option; many folks work different shifts, a lot of the management work late, and someone is here 24x7. Besides, I don't have a problem with them staying logged in, but to be SOX compliant they have to change their password every 90 days, and that is really my focus. Thanks.


by BFilmFan In reply to Logon Duration in Active ...

Why not set logon hours for the user accounts in Users and Computers?

Get management buy-in and set the hours they can and cannot be logged in. This would be a snap to set on those users that are just too busy to bother with logging off the network.

1. Open Active Directory Users and Computers.

2. In the console tree, click Users.

3. Right-click the user account, and then click Properties.

4. On the Account tab, click Logon Hours, and then set the permitted or denied logon hours for the user.


by tumtum73 In reply to

This seems like an unnecessary entry for the accounts. I don't want to limit the hours my staff can work, I want to ensure they log off when their password expires. Thanks.


by tumtum73 In reply to Logon Duration in Active ...

This question was closed by the author
