Problem:
When LogOnHours hours is set with Daylight Savings Time (DST) enabled, the LogOn hours calculation can go out of sync between DC and Connector.
Cause:
The connector does the calculation based on UTC (Universal Time Coordinate) time. But ADUC (Active Directory Users and Computers) sets the value of LogOnHours differently when Daylight Savings Time is ON and OFF. This can make AD logon hour checking and connector logon hour checking go out of sync.
Resolution:
This resolution is applicable to the connector version 20.4 and later.
If the LogOnHour is set while DST ON there are two options to correct the time difference:
Option 1: Create and set the following DWORD registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\CloudLogOnHour.DSTOffset

The connector will take the offset value and make the adjustment while calculating LogOnHour.
Option 2: Create and set the following DWORD registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Centrify\LogOnHour.CheckWithDCEnabled
With this setting, instead of calculating LogOn hours locally, the connector will make an inert logon call, with an incorrect password, to AD and check the error code for invalid logon hour. In this case, the Domain Controller, not the connector, is determining if the login is within the allotted time. The downside of this setting is that the login call with an incorrect password will be counted against the number of failed login attempts.