Prevent users from logging onto AD network during maintenance window

Hello, we have a maintenance windows coming up and I need to be sure that users are not able to log into the network during this time.  No matter how much notice, or how many reminders users are given about a maintenance window, users show up and log in during these times.

I'm curious what methods others use to prevent user logins during these times.

Thanks
Asked by WonkaWilly

Will Szymkowski, Senior Solution Architect, commented:
The easiest way to accomplish this would be to disconnect your network (core switches, VPN, etc.). However, if you cannot do this and you want to do this at the software level, you can do this within Active Directory.

You could blanket disable all accounts (just make sure you don't disable yours).
I would have to disagree with the statement above, as this can be very dangerous for service accounts etc., and you will be completely disabling the account from any of the services that it currently has.

IMO your best option here would be to assign "Logon Hours Restrictions". This allows you to control the time and day when the users are authorized to logon to domain machines.

You can do this manually within the properties on the account itself. You can select multiple users and modify the settings at once.

This is also possible using the Computer Restriction object within the account as well.

Below is a link to enable users' "Logon restrictions" using PowerShell.
https://gallery.technet.microsoft.com/scriptcenter/fd6a340b-ed8b-4787-8d12-3c6fcb822104

Below are screenshots on how to do this from ADUC. (both logon hours and computer restrictions)
Will.
Harper McDonald commented:
Shut off VPN access during the maint. window.
Lee W, MVP, Technology and Business Process Advisor, commented:
You could blanket disable all accounts (just make sure you don't disable yours).

Of course, I don't understand why this is even a concern for you. What happens if they log on? You could power down the switch(es) but they can still log on with cached credentials.

If you explain what you are concerned about (that logging on might do) perhaps we can give you better solutions... I've never been concerned with this on large networks over 1000 users or small ones of just 3 and many in between.
ktaczala commented:
See this article. Do it through GPO; it will apply to all users.
http://www.rebeladmin.com/2014/06/use-of-group-policies-to-control-log-on-hours-to-the-network/

You didn't say what Windows version you have so there may be some differences.
Lee W, MVP, Technology and Business Process Advisor, commented:
Agreed, it could be dangerous... but I'm still trying to understand WHY. When do you need to do this? What's the logic?
WonkaWilly (author) commented:
Great suggestions!
The primary reason for doing this is for software or hardware maintenance windows. One recent maintenance window was for a SAN RAM/CPU upgrade where I obviously need the VMs up to test, but since I need to update and restart the controllers multiple times, I'd prefer users weren't hitting it. Turns out people still showed up and I got calls.

Two weeks ago I scheduled a Sunday maintenance window to upgrade our accounting software that, by its nature, required the accounting software and SQL database to be online. The upgrade was multi-stage, aka time consuming, and the vendor advised against having users attempting to access the system. Of course the accounting system doesn't have the ability itself to prevent users from logging in, and despite multiple notices, the CFO and manager of accounting showed up, unknown to me, and were in the software.

In either case, if there was a quick and easy way to "disable logins" for the occasional maintenance window, that'd be nice to have. I considered simply pulling the switch uplink ports, which I can do, but it sure would be easier to set a value somewhere and deny a login. Maybe I'll look at what can be done via the login script....

Thanks for all the suggestions.
WonkaWilly (author) commented:
Additionally,
I should have mentioned that employees are allowed flexible schedules where they can come in and work anytime they like, seven days a week, which causes this conflict.

That's why I have to schedule these maintenance windows and ask users to stay away.

Thanks
Will Szymkowski, Senior Solution Architect, commented:
As stated in my first post you can simply apply these permissions for a period of time and then remove them once maintenance is completed.

If you use the cmdlet in the link I provided, you could also script this to turn it on and off quickly.

GUI and script options provided.

Will.
WonkaWilly (author) commented:
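One way to script what Will describes (apply the restriction for the window, then remove it), as an added example that is not from the thread or the linked gallery script. It assumes the ActiveDirectory module, an OU that holds ordinary user accounts and an exclusion list for admin and service accounts; as Lee notes, this stops new domain logons only, not cached-credential logons or sessions already open.

```powershell
# Added example, not from the thread: deny domain logons during a maintenance
# window with logonHours, back up each user's current value first, restore after.
# Assumes the ActiveDirectory RSAT module and an OU holding ordinary user accounts.
# logonHours is 21 bytes = 168 bits, one per hour of the week starting Sunday
# 00:00 UTC at bit 0 of byte 0; a set bit allows logon in that hour, and an absent
# attribute means "no restriction", so the backup must preserve that distinction.
Import-Module ActiveDirectory

function New-LogonHoursMask {
    param([Parameter(Mandatory)][datetime]$Start, [Parameter(Mandatory)][datetime]$End)
    $mask = [byte[]]::new(21)
    for ($i = 0; $i -lt 21; $i++) { $mask[$i] = 0xFF }      # begin from "always allowed"
    $u = $Start.ToUniversalTime(); $hour = $u.Date.AddHours($u.Hour)   # floor to the hour
    $endU = $End.ToUniversalTime()
    while ($hour -lt $endU) {
        $bit = ([int]$hour.DayOfWeek * 24) + $hour.Hour     # 0..167, Sunday is day 0
        $idx = $bit -shr 3
        $mask[$idx] = [byte]($mask[$idx] -band (0xFF -bxor (1 -shl ($bit % 8))))  # clear the hour
        $hour = $hour.AddHours(1)
    }
    return $mask
}

function Set-MaintenanceLogonBlock {
    param(
        [Parameter(Mandatory)][string]$SearchBase,     # OU of regular users, e.g. 'OU=Staff,DC=corp,DC=local' (hypothetical)
        [Parameter(Mandatory)][string[]]$Exclude,      # sAMAccountNames to leave untouched (admins, service accounts)
        [Parameter(Mandatory)][datetime]$Start,        # local time
        [Parameter(Mandatory)][datetime]$End,
        [string]$BackupPath = '.\logonHours-backup.json'
    )
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties logonHours |
        Where-Object { $Exclude -notcontains $_.SamAccountName }
    # Write the backup before touching anything, so a failure mid-run can still be undone.
    $users | ForEach-Object {
        [pscustomobject]@{ Sam   = $_.SamAccountName
                           Hours = $(if ($_.logonHours) { [Convert]::ToBase64String($_.logonHours) }) }
    } | ConvertTo-Json | Set-Content -Path $BackupPath
    $mask = New-LogonHoursMask -Start $Start -End $End
    foreach ($usr in $users) { Set-ADUser -Identity $usr -Replace @{ logonHours = $mask } }
}

function Restore-LogonHours {
    param([string]$BackupPath = '.\logonHours-backup.json')
    foreach ($e in (Get-Content -Path $BackupPath -Raw | ConvertFrom-Json)) {
        if ($e.Hours) { $v = [byte[]][Convert]::FromBase64String($e.Hours); Set-ADUser -Identity $e.Sam -Replace @{ logonHours = $v } }
        else { Set-ADUser -Identity $e.Sam -Clear logonHours }   # user had no restriction before
    }
}
```

Run Set-MaintenanceLogonBlock before the window and Restore-LogonHours after it, and spot-check a blocked account in ADUC (Logon Hours is displayed in local time, so the cleared hours should line up with the window).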
The "Logon Hours Restrictions" suggestions are a good idea but could be difficult to use with our flex hours schedules. Of course I didn't mention that at the beginning. Sorry. And we're all in one building so there is no VPN to speak of.

Thanks
Lee W, MVP, Technology and Business Process Advisor, commented:
First (and it sounds like you do this): ALWAYS put out notices that system maintenance will take place.

Second, WHENEVER POSSIBLE, perform maintenance off hours (there are reasons banks and other orgs perform these tasks from midnight to 6am on a Sunday morning).

For the accounting system and other database applications, put up the firewall and only enable access to specified systems.

Subnet the systems (in larger networks, the servers are in one network while the workstations are in another). Pull the default gateway out of the server; nothing can get in or out of the subnet. If someone needs access (the accounting software folks), give them access to a VPN that can get them on the network (you can manually assign gateways for particular subnets), or give them access to an RDS server on the same network that they can connect from.

Another option would be a script that uses an "exceptions" file and disables all user accounts EXCEPT those in the file (such as your admins, service accounts, etc.). But disabling accounts is, in my opinion, a bit like using a hammer to push in a thumbtack.

At the end of the day, what you can do depends on what you have in place in terms of management systems. Some managed switches may allow you to disable uplink ports for a while, do this remotely, and subsequently re-enable them. The problem is your network could be advanced and complicated, which could give you many options... or you could have a cheap network with nothing managed and no advanced features and be stuck. We don't know what you're using, what OS/firmware versions, etc.