Windows Exchange Logon Hours Restriction

Tags: active-directory, activesync, exchange, exchange-2010, outlook-web-app

So this will probably be the opposite of what most people have asked. An Internet search certainly appears to support that.

I have AD users that have logon hour restrictions. I want these logon hour restrictions to also apply to network logons (specifically to OWA and ActiveSync).

So if a user is not allowed to log on after 7pm on Monday, and they have an ActiveSync session created at 6:30pm on Monday, at 7pm I need that ActiveSync session removed.

Unfortunately, testing this with a user has shown that they are very able to still send and receive email on the cell phone.

I need to know why this is not working and how to fix this.

The cell phone is an Android and the Exchange server is Exchange 2010.

Any ideas would be greatly appreciated.

Update 1: I have also enabled "Network security: Force logoff when logon hours expire" in Group Policy. Yes, I enabled it in the Default Domain Policy as directed by Microsoft. I ran gpupdate /force on the DC and on the Exchange server. The user is still able to send and receive emails.

Best Answer

Logon hours restriction isn't going to work with ActiveSync for a number of reasons - the main one being that the client holds open an extended session for many hours and will only re-authenticate periodically. That session is only authenticated again when the time limit is up or the client reconnects.

If you are putting the same hours in place, then you could try a scheduled IISRESET on the Exchange server. That will close all open sessions. However, I have never tested if this will work with ActiveSync.

The one client who did this had two entry points for ActiveSync and one was literally stopped for the hours it wasn't available. There were obviously a few staff who needed 24x7 access and they came in via the second server.
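
A different approach to the requirement in the question, as an added example that is not from the original question or answer: a scheduled script that decodes each mailbox user's AD logonHours attribute and switches ActiveSync and OWA off for mailboxes currently outside their window, and back on inside it. It assumes every mailbox should have both protocols enabled during its allowed hours, and the function name Test-LogonHourAllowed is made up for this example.

```powershell
# Added example; run in the Exchange Management Shell on a host that also has
# the ActiveDirectory module. Schedule it (e.g. hourly) with Task Scheduler.
Import-Module ActiveDirectory

function Test-LogonHourAllowed {
    param(
        [byte[]]$LogonHours,   # raw 21-byte logonHours attribute, may be $null
        [datetime]$UtcTime     # moment to test, already converted to UTC
    )
    # No attribute (or an unexpected length) is treated as "no restriction".
    if ($null -eq $LogonHours -or $LogonHours.Length -ne 21) { return $true }
    # 168 bits, one per hour of the week, starting Sunday 00:00 UTC;
    # within each byte the least significant bit is the earliest hour.
    $hourOfWeek = ([int]$UtcTime.DayOfWeek * 24) + $UtcTime.Hour
    $byteIndex  = [int][math]::Floor($hourOfWeek / 8)
    $bitMask    = [int][math]::Pow(2, $hourOfWeek % 8)
    return (($LogonHours[$byteIndex] -band $bitMask) -ne 0)
}

$now = (Get-Date).ToUniversalTime()

Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $user    = Get-ADUser -Identity $_.DistinguishedName -Properties logonHours
    $allowed = Test-LogonHourAllowed -LogonHours $user.logonHours -UtcTime $now
    # Only touch mailboxes whose switches differ from the desired state.
    if ($_.ActiveSyncEnabled -ne $allowed -or $_.OWAEnabled -ne $allowed) {
        # -WhatIf prints the change instead of making it; remove after review.
        Set-CASMailbox -Identity $_.DistinguishedName `
            -ActiveSyncEnabled $allowed -OWAEnabled $allowed -WhatIf
    }
}
```

How quickly an already-open ActiveSync session stops syncing after the switch is flipped is not established on this page, so verify it with a test device before relying on it.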
