Hello,

I am looking for a tool to help find all user accounts in our Active Directory that have restricted logonhours specified. We have an Active Directory of about 2000 users and we have been asked to audit and find all accounts that may not be allowed to logon over the weekends.

I tried using dsget/dsquery but it appears that the way the logon hours attribute works, one cannot actually query for it. Upon some experimenting I found that it is not enough to look for users who have the logonhours value specified because, even if a value is specified, the user could still be allowed unrestricted logon.

Basically, we found that (&(objectcategory=user)(objectclass=user)(!(logonhours=*))) is not sufficient because it does not take into account any suer accounts that have a value specified, and which is set to allow all hours for logon.

I have not had any luck with Powershell as well, and our corporate policies prevent us from using any VB script code found on the WWW (wild-wild-web) because we cannot run anything without code inspection and that takes time and effort.

If anyone knows of any tool that could help us correctly find users that have restricted logonhours set, i.e one that parses the actual value (if it exists) and bases its outputs on it, it would be sincerely appreciated.

Thank you.

Jimmy.