Thursday, August 25, 2011

Setting user LogonWorkstations and LogonHours in Active Directory

If you find the need to add restrictions to a user in Active Directory, specifically LogonWorkstations and logonHours then the following script will serve as a template.

A few notes:
- We are using the ActiveDirectory module
- We are using a set list of workstations
- We are using a template approach for the logon hours

Import-Module ActiveDirectory -ErrorAction SilentlyContinue  

# Define the list of workstations we want to allow access
$WorkStations = "Workstation1,Workstation2,Workstation3"
$WorkStations+= "Workstation4,Workstation5,Workstation6"
$WorkStations+= "Workstation7,Workstation8,Workstation9"

# Create the logonHours array
[array]$logonHours = (Get-ADUser test010 -Properties logonHours).logonHours

# Iterate over users and assign accordingly
foreach ($user in Get-Content C:\temp\users.txt) {
Get-ADUser -Identity $user |
Set-ADUser -LogonWorkstations $Workstations -Add @{logonhours=$logonHours}
Checking our results shows that the logonHours were set exactly to what our template was.



Anonymous said...

Great post, quick question though: If I wanted to undo this change, to then give a list of users (.CSV) access to ALL workstations, is there a way to script that on a massive scale rather than manually configuring each user?


Antonio said...

To remove computer(s) to LogonWorkstations:
Set-ADUser -Identity username -remove @{userWorkStations='computername'}