4

How can I (in order of preference, descending):

  1. Disable file-server access to a specific share for a user or group based on the time of day.
  2. Disable file-server access entirely for a user or group based on the time of day.
  3. Disable file-server access entirely (server-scope) based on the time of day. This is not at all related to Remote Desktop/RDP access.

For example, Bob is in the group WorkHours. The share "Documents" grants access to users in the group WorkHours. How do I deny access to all files in the share "Documents" from 7PM to midnight, every day, automatically?

warren
Charles Burns

4 Answers

6

There is no built-in functionality to do what you're talking about, per se. What you're looking for is a reasonable enough desire, but not something that Microsoft has implemented as a feature with the granularity you're looking for.

The "Logon Hours" functionality (located on the "Account" tab of the user's account properties in "Active Directory Users and Computers") will give you something like what you want, but it works by denying the right to authenticate to the domain and, as such, it doesn't have the granularity you're looking for.

You could attempt to dynamically change group memberships with scripts, but I suspect you'll accomplish little else than creating a lot of Active Directory replication traffic. I doubt you'll find that, with token caching taken into account, you can reliably deny and restore access at a specific time.

Edit:

I see some other answers talking about changing the file permissions rather than trying to alter group memberships. I also expect that you're going to see disappointing results from that method, too, if there are open files at the time that you change the permissions. (I'd hate to think what kind of hell this might play with Offline Files, too.)

Evan Anderson
4

You might consider scheduling Windows tasks to delete and recreate the file shares at the desired times. This may or may not be practical based on the number of shares and number of users or groups whose access you want to control. Whacking a share out from under a connection with open files runs the risk of file corruption if files are changing when the share is removed.

Fred
3

There's no built-in functionality for doing this in Windows, but a scheduled script could change the share or NTFS permissions, thus allowing or denying access to specific users/groups. Have a look at cacls or icacls.

Massimo
  • Evan's answer is probably the most thorough and correct for an enterprise setting, so I marked it as correct. This is the closest to a solution in the context of my particular server (Evan's correct remarks about open and offline files do not apply in my case), so I upvoted this answer. Thanks! – Charles Burns Dec 22 '11 at 23:38
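A sketch of the scheduled-script approach from the answer above, using the question's example (group WorkHours, share "Documents", blocked from 7 PM to midnight). This is an added example, not code from any of the answers; the folder path, the `EXAMPLE` domain name, the script name and the task name are assumptions.

```powershell
# Set-ShareWindow.ps1 (hypothetical name): added example, not from the original answers.
# Adds an NTFS deny ACE for a group during the blocked hours and removes it otherwise.
# Scheduling it hourly lets the ACL converge even if one run is missed, e.g.:
#   schtasks /Create /TN "DocumentsShareWindow" /SC HOURLY /ST 00:00 /RU SYSTEM /TR "powershell.exe -NoProfile -File C:\Scripts\Set-ShareWindow.ps1"
param(
    [string]$Path = 'D:\Shares\Documents',   # assumed folder behind the "Documents" share
    [string]$Group = 'EXAMPLE\WorkHours',    # assumed domain\group name
    [int]$BlockStartHour = 19,               # 7 PM, from the question
    [int]$BlockStopHour = 24,                # midnight
    [datetime]$Now = (Get-Date),             # overridable so the logic can be tested
    [switch]$DryRun                          # print the icacls command instead of running it
)

# True when the hour of $Time falls in [StartHour, StopHour).
function Test-InBlockedWindow([datetime]$Time, [int]$StartHour, [int]$StopHour) {
    return ($Time.Hour -ge $StartHour -and $Time.Hour -lt $StopHour)
}

if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
    throw "Folder not found: $Path"
}

if (Test-InBlockedWindow $Now $BlockStartHour $BlockStopHour) {
    # Explicit deny of Full control, inherited by files (OI) and subfolders (CI).
    $icaclsArgs = @($Path, '/deny', "${Group}:(OI)(CI)F")
} else {
    # Remove only the deny ACEs for the group; its grant ACEs are left untouched.
    $icaclsArgs = @($Path, '/remove:d', $Group)
}

if ($DryRun) { "icacls $($icaclsArgs -join ' ')"; return }

& icacls.exe @icaclsArgs
if ($LASTEXITCODE -ne 0) { throw "icacls exited with code $LASTEXITCODE" }
```

NTFS checks access when a file is opened, so the deny ACE stops new opens while handles that are already open keep working, which is the open-files limitation raised in the accepted answer. Running it with `-DryRun -Now '2011-12-21 19:30'` shows the command that would be issued inside the blocked window.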
2

What the heck.. I'll throw this out as an answer now instead of waiting.

If it's Linux (Samba)...

Create a virtual server for this managed group in smb.conf. Assign it to a secondary interface (or sub-interface.) Manage that interface with iptables.

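    # Accept SMB (TCP 445) arriving on eth0.1 between 08:00 and 17:00 on the listed days.
    # Current iptables (xt_time) spells the day option --weekdays.
    iptables -A INPUT -i eth0.1 -p tcp --dport 445 -m time --timestart 08:00 --timestop 17:00 --weekdays Mon,Fri -j ACCEPT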

Aaron Copley
  • 1
    Sorry, I just noticed the Windows Server tag. But, I'll leave this in case it helps anyone else searching in the future or in case it gives you a solution by switching to Samba. – Aaron Copley Dec 21 '11 at 20:15