For this exercise, we are going to have to use the Active Directory module of PowerShell. You will need to execute this in a PowerShell session or ISE running on a Windows Server 2008 R2 server or a Windows 7 client with RSAT installed.
Import-Module ActiveDirectory
I have already set up a security group called Astronauts_GG. The members of this group are Neil Armstrong, Gus Grissom, Sally Ride, and David Wolf.
Out next step is to be able to enumerate all the members of this group. To do this, type:
Get-ADGroupMember –Identity Astronauts_GG
You will see each user object listed for each member of the group.
Specifying the logon hours is going to be a bit more complex. Let’s take a look at the logon hours for a user from Active Directory Users and Computers.
Right click a user account and select Properties
Click the Account tab.
Now click the Logon Hours… button. Below is an image of the logon hours graphic:
In order to use PowerShell to configure the logon hours, we need to break the each of the 7 days down into 3 blocks of 8 hours. We then need to divide each block into 8.
The above image represents the division of each day into 3 blocks of 8 hours. The numbers represent how we will address each block. Notice that the final block is labeled as '0’ and not ‘21’.
As for breaking down each block into 8 separate hours, we are going to have to turn to binary math. In this case each block is equal to one binary number. The set of 8 blocks is equal to 1 byte. In this scenario, the lowest order bit will be to the left. for example, let set the hours of block #1 to be 12AM, 4AM, 5AM and 7AM.
We can see here that if we want to assign this block the times of 12AM, 4AM, 5AM, and 7AM, we will need to add the numbers 1 + 16 + 32 + 128 = 177. The number 177 is what we will submit to block #1. Below is the code to do this. I have to credit the help file for the cmdlet Set-ADUser for the code. Take a look at example #6 in the help file got Set-ADUser..
$hours = New-Object byte[] 21
$hours[1] = 177
$ReplaceHashTable = New-Object HashTable
$ReplaceHashTable.Add(“logonHours”, $hours)
Set-ADUser “username"” –Replace $ReplaceHashTable
The original task was to set the logon hours by security group. Here is the code to do it.
$hours = New-Object byte[] 21
$hours[1] = 177
$ReplaceHashTable = New-Object HashTable
$ReplaceHashTable.Add(“logonHours”, $hours)
Get-ADGroupMember –Identity Astronauts_GG | Set-ADUser –Replace $ReplaceHashTable
Line 1 creates a variable holding a new object of the type byte. A byte is a computer term meaning 8 bits or a binary number that has 8 numerical places. It also creates an array of byte with 21 cells in the array.
Line 2 set the number we calculated, 177, into the first time set. We can add additional logon hours by adding extra lines. For example, we can add $hour[3] = 255. This will enable the user to log in from 4PM – 12AM on Sunday.
Line 3 creates a new object called a hash table. A hash table allows you to create a table that will be the values of a property.
Line 4 adds the hash table to the property logonHours
Line 5 first enumerates all the user objects who are members of the group Astronauts_GG. It then passes this output to the next command using the pipe ‘|’ character. Now the output becomes the input. We use the –Replace function to completely remove the current logon hours and replace them with the contents of $ReplaceHashTable.
The final Logon Hours table looks like this:
Import-Module ActiveDirectory
I have already set up a security group called Astronauts_GG. The members of this group are Neil Armstrong, Gus Grissom, Sally Ride, and David Wolf.
Out next step is to be able to enumerate all the members of this group. To do this, type:
Get-ADGroupMember –Identity Astronauts_GG
You will see each user object listed for each member of the group.
Specifying the logon hours is going to be a bit more complex. Let’s take a look at the logon hours for a user from Active Directory Users and Computers.
Right click a user account and select Properties
Click the Account tab.
Now click the Logon Hours… button. Below is an image of the logon hours graphic:
In order to use PowerShell to configure the logon hours, we need to break the each of the 7 days down into 3 blocks of 8 hours. We then need to divide each block into 8.
The above image represents the division of each day into 3 blocks of 8 hours. The numbers represent how we will address each block. Notice that the final block is labeled as '0’ and not ‘21’.
As for breaking down each block into 8 separate hours, we are going to have to turn to binary math. In this case each block is equal to one binary number. The set of 8 blocks is equal to 1 byte. In this scenario, the lowest order bit will be to the left. for example, let set the hours of block #1 to be 12AM, 4AM, 5AM and 7AM.
| Time | 12AM | 1 AM | 2 AM | 3 AM | 4 AM | 5 AM | 6 AM | 7AM |
| Set | ##### | ##### | ##### | ##### | ||||
| Binary | 1 | 2 | 4 | 8 | 16 | 32 | 64 | 128 |
| Add | 1 | 16 | 32 | 128 |
We can see here that if we want to assign this block the times of 12AM, 4AM, 5AM, and 7AM, we will need to add the numbers 1 + 16 + 32 + 128 = 177. The number 177 is what we will submit to block #1. Below is the code to do this. I have to credit the help file for the cmdlet Set-ADUser for the code. Take a look at example #6 in the help file got Set-ADUser..
$hours = New-Object byte[] 21
$hours[1] = 177
$ReplaceHashTable = New-Object HashTable
$ReplaceHashTable.Add(“logonHours”, $hours)
Set-ADUser “username"” –Replace $ReplaceHashTable
The original task was to set the logon hours by security group. Here is the code to do it.
$hours = New-Object byte[] 21
$hours[1] = 177
$ReplaceHashTable = New-Object HashTable
$ReplaceHashTable.Add(“logonHours”, $hours)
Get-ADGroupMember –Identity Astronauts_GG | Set-ADUser –Replace $ReplaceHashTable
Line 1 creates a variable holding a new object of the type byte. A byte is a computer term meaning 8 bits or a binary number that has 8 numerical places. It also creates an array of byte with 21 cells in the array.
Line 2 set the number we calculated, 177, into the first time set. We can add additional logon hours by adding extra lines. For example, we can add $hour[3] = 255. This will enable the user to log in from 4PM – 12AM on Sunday.
Line 3 creates a new object called a hash table. A hash table allows you to create a table that will be the values of a property.
Line 4 adds the hash table to the property logonHours
Line 5 first enumerates all the user objects who are members of the group Astronauts_GG. It then passes this output to the next command using the pipe ‘|’ character. Now the output becomes the input. We use the –Replace function to completely remove the current logon hours and replace them with the contents of $ReplaceHashTable.
The final Logon Hours table looks like this:
Comments