question about logon hours
- Last Post 16 August 2015

If you restrict a user’s logon hours and force them to log off when they are outside their logon hours (see URL below), does this work by purging all the Kerberos tickets that have been issued to that user?
https://technet.microsoft.com/en-us/library/Cc781861%28v=WS.10%29.aspx
What happens if a user is connected from a home machine (non-domain joined) and accessing email using OWA?
Has anyone implemented this? If so, can you share your experience? Though I know about restricting logon hours, I have never actually implemented it.
Thanks,
Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
Ross Enterprise Center
3495 Kent Avenue, Suite 100
West Lafayette, IN 47906
I am going to ask a couple of questions:
1. I assume this is a control to mitigate against a security risk. If it isn’t, then it shouldn’t be implemented.
2. If it is a control against a risk, then the residual risk is that someone will be required to log on outside their normal permitted hours, for example in a disaster recovery situation => has this been considered?
I have only ever encountered this in a Netware environment, and the problems it caused were horrendous, as folks were always getting their hours changed….
Dave
While I haven’t personally implemented this, I recall that the force logoff policy doesn’t actually do what one would imagine/think, i.e. it doesn’t actually take a logged-in console user session and log them off. In reading the Explain tab in the Force logoff policy, it clarifies that it only applies to SMB connections.
As for the logon hours, I know that an ActiveSync session will not be cut immediately, since ActiveSync will continue to work for a period of time even after an account is disabled. I suspect that an active OWA session would not be immediately cut either, but I haven’t tested this.
It’s not about security risks; it was more a ‘can we implement this to prevent people who should not work more than 40 hours?’
I agree, it will cause even more issues.
Thanks for your input!
Thanks Akash! That is additional information that I will pass on.
I would say it’s totally unsuitable. They are “logon hours”, not “forced logoff”. You can use policy to disconnect network sessions, so that will instantly make all documents unavailable; if you have PST files on network shares it will probably corrupt them. I suspect that the network disconnect can be partially bypassed by using offline folders (may have to also unplug the network cable), but it won’t force them to log off. Third-party tools are available to do this, but I guess you may also find folks start password sharing to get round this. The problem here is that you are trying to use technology to control behaviour, and this doesn’t often work well. Folks are really inventive when it comes to avoiding things.
Dave
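As an added illustration, not written by anyone in this thread: the logonHours attribute behind the “logon hours” setting Dave distinguishes from “forced logoff” is a 21-byte (168-bit) mask, one bit per hour of the week starting at Sunday 00:00 UTC, which the domain controller checks when it authenticates the user; it carries no notion of ending a session that already exists. The Python below builds, decodes and evaluates that mask; the UTC layout, three bytes per day and low-order-bit-first packing follow the attribute's documented format, and the sample schedule is constructed for the example.

```python
import datetime

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]  # AD: Sunday = day 0


def _bit_index(day, hour):
    """Bit number within the 168-bit week mask (Sunday 00:00 UTC is bit 0)."""
    if not (0 <= day <= 6 and 0 <= hour <= 23):
        raise ValueError("day must be 0-6 and hour 0-23")
    return day * 24 + hour


def build_logon_hours(schedule):
    """schedule: {day_index: iterable of allowed hours}, all in UTC.
    Returns the 21-byte logonHours value: three bytes per day, and within
    each byte the low-order bit is the earliest hour."""
    mask = bytearray(21)
    for day, hours in schedule.items():
        for hour in hours:
            bit = _bit_index(day, hour)
            mask[bit // 8] |= 1 << (bit % 8)
    return bytes(mask)


def decode_logon_hours(blob):
    """Inverse of build_logon_hours: {day_index: [allowed hours]} (UTC)."""
    if len(blob) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    allowed = {}
    for bit in range(168):
        if (blob[bit // 8] >> (bit % 8)) & 1:
            allowed.setdefault(bit // 24, []).append(bit % 24)
    return allowed


def logon_permitted(blob, when_utc):
    """True if an authentication at this UTC datetime falls in an allowed
    hour. Python's weekday() is Monday=0..Sunday=6; AD counts Sunday=0."""
    day = (when_utc.weekday() + 1) % 7
    bit = _bit_index(day, when_utc.hour)
    return bool((blob[bit // 8] >> (bit % 8)) & 1)


if __name__ == "__main__":
    # Constructed sample: Monday to Friday, 08:00-17:00 UTC.
    office_hours = build_logon_hours({d: range(8, 17) for d in range(1, 6)})
    print(office_hours.hex())
    for d, hrs in decode_logon_hours(office_hours).items():
        print(DAYS[d], f"{hrs[0]:02d}:00-{hrs[-1] + 1:02d}:00 UTC")
```

The bytes this produces are the value written to the attribute (for example via Set-ADUser -Replace with a byte array); remember the GUI shows the schedule converted to the admin workstation's local time zone.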
“The problem here is that you are trying to use technology to control behaviour, and this doesn’t often work well.”
I can confirm that OWA sessions don't immediately terminate after an account is disabled.
If you need to ensure immediate cessation of connection via OWA, do an IISRESET.
This might also apply to other web connections.
Another approach is to move the mailbox to another store. This forces a connection break and prevents the need for an iisreset that will affect all users in the organization.