Network security: Force log off when logon hours expire
OK, let’s get this straight once and for all. This setting will NOT log users off their workstations. It only applies to network logons to this computer from other clients on the network. So, if you configure Bob’s account in Active Directory with logon hours restricting him to 9AM to 5PM, and Bob remains logged on after 5PM with this setting enabled, he will be disconnected from any Windows servers where he has an SMB connection, such as to a shared folder, but he will remain logged on to his workstation. There is no native feature in Windows that will forcibly log off an interactive logon session when the account’s logon hours expire. There are ISV solutions and various work-arounds such as scheduled shutdowns, but nothing that does what you are actually looking for. By the way, to enforce this policy at the time of logon for interactive logons, you need to make sure you enable “Enforce user logon restrictions”.
Important: to enforce this policy on domain accounts you must enable it in the Default Domain Policy GPO for the domain, not in Default Domain Controllers Policy or other GPOs because Active Directory domain controllers only consider Default Domain Policy when determining the status of this setting. If you enable this setting on a workstation or member server it will only affect local SAM accounts on that computer.
In my experience, Windows does not terminate network logons with open files until the client closes the file.
Bottom line
If you use logon hour restrictions, enable this setting in the Default Domain Policy GPO for the domain.
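The following is an added example, not part of the original page: a small audit that reads exported GPO security templates (GptTmpl.inf text, where this setting is stored as `ForceLogoffWhenHourExpire` under `[System Access]`) and reports whether the setting is enabled where it counts for domain accounts. The GPO names other than the two default policies and all template contents are constructed sample data.

```python
DEFAULT_DOMAIN_POLICY = "Default Domain Policy"
KEY = "forcelogoffwhenhourexpire"   # stored under [System Access] in GptTmpl.inf


def force_logoff_state(inf_text):
    """Return True/False if the template defines the setting, None if it is absent."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip().lstrip("\ufeff")      # tolerate a leading BOM
        if not line or line.startswith(";"):     # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "system access" and "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name.lower() == KEY:
                return value == "1"
    return None


def audit(templates):
    """templates: {GPO display name: GptTmpl.inf text}. Returns (enforced, notes)."""
    enforced = force_logoff_state(templates.get(DEFAULT_DOMAIN_POLICY, "")) is True
    notes = []
    if not enforced:
        notes.append(f"{DEFAULT_DOMAIN_POLICY}: setting not enabled; "
                     "domain accounts are not disconnected when logon hours expire")
    for gpo, text in sorted(templates.items()):
        if gpo != DEFAULT_DOMAIN_POLICY and force_logoff_state(text) is not None:
            notes.append(f"{gpo}: defined here, but this GPO does not govern domain accounts")
    return enforced, notes


# Constructed sample templates (not taken from a real domain).
SAMPLE = {
    "Default Domain Policy": "[Unicode]\nUnicode=yes\n[System Access]\n"
                             "MinimumPasswordLength = 14\nForceLogoffWhenHourExpire = 0\n",
    "Default Domain Controllers Policy": "[System Access]\nForceLogoffWhenHourExpire = 1\n",
    "Workstation Baseline": "[Registry Values]\n; no System Access section\n",
}

if __name__ == "__main__":
    enforced, notes = audit(SAMPLE)
    print("Enforced for domain accounts:", enforced)
    for note in notes:
        print(" -", note)
```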