question about logon hours

Last Post 16 August 2015
SmitaCarneiro posted this 13 August 2015

If you restrict a user's logon hours and force them to logoff when they are outside their logoff hours (see URL below), does this work by purging all the Kerberos tickets that have been issued to that user? https://technet.microsoft.com/en-us/library/Cc781861%28v=WS.10%29.aspx

What happens if a user is connected from a home machine (non-domain joined) and accessing email using OWA?

Has anyone implemented this? If so, can you share your experience? Though I know about restricting logon hours, I have never actually implemented it.

Thanks,

Smita Carneiro, GCWN
Active Directory Systems Engineer, IT Security and Policy
Ross Enterprise Center, 3495 Kent Avenue, Suite 100, West Lafayette, IN 47906

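As an added example (not from the thread or from Microsoft's documentation) of what "restricting logon hours" actually sets, the script below builds the 21-byte `logonHours` bitmask for an account and reads it back. The attribute is 168 bits, one per hour of the week, starting at Sunday 00:00 in UTC, with the lowest-order bit of each byte being the earliest hour; the ADUC dialog shows it translated into the admin workstation's local time zone, which is a common source of off-by-N-hours surprises. The user name `jdoe`, the chosen window (Monday to Friday, 08:00 to 18:00 UTC) and the helper function names are assumptions made for this illustration; the `ActiveDirectory` module cmdlets are real.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module is available and the caller may write logonHours on the target account.
Import-Module ActiveDirectory

# Build a logonHours mask. Days: 0 = Sunday ... 6 = Saturday, matching [DayOfWeek].
# Hours are UTC; StartHourUtc is inclusive, EndHourUtc is exclusive.
function New-LogonHoursMask {
    param(
        [Parameter(Mandatory)][int[]]$Days,
        [Parameter(Mandatory)][int]$StartHourUtc,
        [Parameter(Mandatory)][int]$EndHourUtc
    )
    $mask = New-Object byte[] 21              # 21 bytes * 8 bits = 168 hours
    foreach ($day in $Days) {
        for ($h = $StartHourUtc; $h -lt $EndHourUtc; $h++) {
            $bit = ($day * 24) + $h           # 0..167, Sunday 00:00 UTC is bit 0
            $byteIndex = [int][math]::Floor($bit / 8)
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$mask                             # comma keeps the array intact
}

# Check whether a given UTC instant falls inside a mask (the same bit layout).
function Test-LogonHourAllowed {
    param(
        [Parameter(Mandatory)][byte[]]$Mask,
        [Parameter(Mandatory)][datetime]$Utc
    )
    $bit = ([int]$Utc.DayOfWeek * 24) + $Utc.Hour
    $byteIndex = [int][math]::Floor($bit / 8)
    return ((($Mask[$byteIndex] -shr ($bit % 8)) -band 1) -eq 1)
}

# Monday-Friday, 08:00-18:00 UTC (assumed window for the illustration).
$mask = New-LogonHoursMask -Days 1,2,3,4,5 -StartHourUtc 8 -EndHourUtc 18

# Apply to the (assumed) account. An all-0xFF mask, or a missing attribute,
# means "no restriction"; an all-zero mask denies every logon.
Set-ADUser -Identity 'jdoe' -Replace @{ logonHours = $mask }

# Read the attribute back and evaluate two timestamps against it.
$stored = (Get-ADUser -Identity 'jdoe' -Properties logonHours).logonHours
$thursday = [datetime]::new(2015, 8, 13, 9, 0, 0, [DateTimeKind]::Utc)   # inside window
$saturday = [datetime]::new(2015, 8, 15, 9, 0, 0, [DateTimeKind]::Utc)   # outside window
"Thu 09:00 UTC allowed: $(Test-LogonHourAllowed -Mask $stored -Utc $thursday)"   # True
"Sat 09:00 UTC allowed: $(Test-LogonHourAllowed -Mask $stored -Utc $saturday)"   # False

# Dump the mask one row per day to compare with the ADUC "Logon Hours" grid
# (remember the grid is displayed in the admin workstation's local time).
$dayNames = 'Sun','Mon','Tue','Wed','Thu','Fri','Sat'
for ($d = 0; $d -lt 7; $d++) {
    $row = for ($h = 0; $h -lt 24; $h++) {
        $bit = ($d * 24) + $h
        if ((($stored[[int][math]::Floor($bit / 8)] -shr ($bit % 8)) -band 1) -eq 1) { '#' } else { '.' }
    }
    "{0} {1}" -f $dayNames[$d], ($row -join '')
}
```

The mask only governs whether a new logon is accepted at a given hour; as the replies below note, the related "force logoff" policy acts on SMB sessions rather than on interactive sessions or web mail, so the bitmask is not a mechanism for ending work that is already in progress.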
g4ugm posted this 13 August 2015

I am going to ask a couple of questions:

1. I assume this is a control to mitigate against a security risk. If it isn't, then it shouldn't be implemented.
2. If it is a control against a risk, then the residual risk is that someone will be required to logon outside their normal permitted hours, for example in a disaster recovery situation => has this been considered?

I have only ever encountered this in a Netware environment and the problems it caused were horrendous, as folks were always getting their hours changed.

Dave


aakash posted this 14 August 2015

While I haven't personally implemented this, I recall that the force logoff policy doesn't actually do what one would imagine/think, i.e. it doesn't actually take a logged-in console user session and log them off. In reading the Explain tab in the Force logoff policy, it clarifies that it only applies to SMB connections.

As for the logon hours, I know that an ActiveSync session will not be cut immediately, since ActiveSync will continue to work for a period of time even after an account is disabled. I suspect that an active OWA session would not be immediately cut either, but I haven't tested this.

-Aakash Shah


SmitaCarneiro posted this 14 August 2015

Dave,

It's not about security risks, it was more a "can we implement this to prevent people who should not work more than 40 hours."

I agree, it will cause even more issues.

Thanks for your input!

Smita


SmitaCarneiro posted this 14 August 2015

Thanks Aakash! That is additional information that I will pass on.

Smita


g4ugm posted this 14 August 2015

I would say it's totally unsuitable. They are "logon hours", not "forced logoff". You can use policy to disconnect network sessions, so that will instantly make all documents unavailable; if you have PST files on network shares it will probably corrupt them. I suspect that the network disconnect can be partially bypassed by using offline folders (may have to also unplug the network cable), but it won't force them to logoff.

Third party tools are available to do this, but I guess you may also find folks start password sharing to get round this. The problem here is that you are trying to use technology to control behaviour, and this doesn't often work well. Folks are really inventive when it comes to avoiding things.

Dave


SmitaCarneiro posted this 14 August 2015

"The problem here is that you are trying to use technology to control behaviour, and this doesn't often work well."

Totally agree.

Thanks Dave!


kurtbuff posted this 14 August 2015

I can confirm that OWA sessions don't immediately terminate after an account is disabled.

If you need to ensure immediate cessation of connection via OWA, do an IISRESET.

This might also apply to other web connections.

Kurt


aakash posted this 14 August 2015

Another approach is to move the mailbox to another store. This forces a connection break and prevents the need for an iisreset that will affect all users in the organization.

-Aakash Shah


ken posted this 16 August 2015

Moving a mailbox to another store causes other issues, doesn't it? Like losing deleted item retention?

IISRESET will affect all users, but mobile devices and Outlook should just reconnect transparently.

That said, I wouldn't do this just to force users to not work more than a set number of hours. It's using the wrong tool for the job IMHO


aakash posted this 16 August 2015

Thanks for the comment about losing the deleted item retention - I had to look that up since I wasn't aware of that. It appears that this used to be the case in Exchange Server 2007 and prior, but this has been resolved in Exchange 2010 and newer:
2010: https://technet.microsoft.com/en-us/library/Ee364755(v=exchg.141).aspx#RIF
2013: https://technet.microsoft.com/en-us/library/Ee364755%28v=EXCHG.150%29.aspx#RIF

Agreed, though, that this wouldn't be the right tool to use for preventing access after hours. The move mailbox approach is a good option for situations like an employee termination.

-Aakash Shah
