If you need to add logon restrictions to a user in Active Directory, specifically LogonWorkstations and logonHours, the following script will serve as a template.
A few notes:
- We are using the ActiveDirectory module
- We are using a set list of workstations
- We are using a template approach for the logon hours
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
# Define the list of workstations we want to allow access (one comma-separated string)
$WorkStations = "Workstation1,Workstation2,Workstation3"
$WorkStations += ",Workstation4,Workstation5,Workstation6"
$WorkStations += ",Workstation7,Workstation8,Workstation9"
# Copy the logonHours byte array from the template user (test010)
[byte[]]$logonHours = (Get-ADUser test010 -Properties logonHours).logonHours
# Iterate over users and assign accordingly
foreach ($user in Get-Content C:\temp\users.txt) {
    # -Replace overwrites any existing logonHours value, so the loop also
    # works for users that already have one set
    Get-ADUser -Identity $user |
        Set-ADUser -LogonWorkstations $WorkStations -Replace @{logonHours = $logonHours}
}
Checking our results shows that the logonHours were set exactly to what our template was.
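To check the result without reading raw bytes, the following added example (not part of the original post) decodes a logonHours value into allowed hours per day and compares a user's value against the template. It assumes the standard attribute layout, which the post does not spell out: 21 bytes, three per day starting on Sunday, lowest bit first, stored in UTC. The function names and sample bytes are constructed for illustration.

```powershell
# Added example, not from the original post. Function names are hypothetical.
function ConvertFrom-LogonHours {
    param([byte[]]$LogonHours)
    # An unset attribute means no time restriction: treat it as all 168 bits set.
    if ($null -eq $LogonHours -or $LogonHours.Length -eq 0) {
        $LogonHours = [byte[]](,0xFF * 21)
    }
    if ($LogonHours.Length -ne 21) {
        throw "logonHours must be 21 bytes (7 days x 24 hourly bits); got $($LogonHours.Length)"
    }
    $days = 'Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday'
    for ($d = 0; $d -lt 7; $d++) {
        # 3 bytes per day; the lowest bit of each byte is the earliest hour (UTC).
        $allowed = @(for ($h = 0; $h -lt 24; $h++) {
            $byte = $LogonHours[$d * 3 + ($h -shr 3)]
            if ($byte -band (1 -shl ($h -band 7))) { $h }
        })
        [pscustomobject]@{
            Day             = $days[$d]
            AllowedHoursUtc = if ($allowed.Count) { $allowed -join ',' } else { 'none' }
        }
    }
}

function Test-LogonHoursMatch {
    param([byte[]]$Template, [byte[]]$Actual)
    # A missing or malformed value never counts as a match.
    if ($Template.Length -ne 21 -or $Actual.Length -ne 21) { return $false }
    [BitConverter]::ToString($Template) -eq [BitConverter]::ToString($Actual)
}

# Constructed sample: Monday-Friday 08:00-17:59 UTC, nothing at weekends.
# Against a live directory the bytes would come from
# (Get-ADUser <name> -Properties logonHours).logonHours instead.
[byte[]]$template = @(0,0,0) + (@(0,0xFF,0x03) * 5) + @(0,0,0)
[byte[]]$drifted  = $template.Clone()
$drifted[1] = 0xFF   # constructed drift: Sunday 08:00-15:59 UTC also allowed

ConvertFrom-LogonHours $template | Format-Table -AutoSize
Test-LogonHoursMatch -Template $template -Actual $template
Test-LogonHoursMatch -Template $template -Actual $drifted
```

The Logon Hours dialog in Active Directory Users and Computers shows local time, so the decoded UTC hours will be offset from what the dialog displays.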
Enjoy!
2 comments:
Great post, quick question though: If I wanted to undo this change, to then give a list of users (.CSV) access to ALL workstations, is there a way to script that on a massive scale rather than manually configuring each user?
Thanks!
To remove computer(s) from LogonWorkstations:
Set-ADUser -Identity username -remove @{userWorkStations='computername'}