Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >

KB-43801: LogOnHours is Incorrectly Determined During Daylight Savings Time

Privileged Access Service ,  

10 November,20 at 11:13 PM

When LogOnHours hours is set with Daylight Savings Time (DST) enabled, the LogOn hours calculation can go out of sync between DC and Connector.

The connector does the calculation based on UTC (Universal Time Coordinate) time. But ADUC (Active Directory Users and Computers) sets the value of LogOnHours differently when Daylight Savings Time is ON and OFF.  This can make AD logon hour checking and connector logon hour checking go out of sync.

This resolution is applicable to the connector version 20.4 and later.
If the LogOnHour is set while DST ON there are two options to correct the time difference:

Option 1: Create and set the following DWORD registry key:
User-added image
The connector will take the offset value and make the adjustment while calculating LogOnHour.


Option 2: Create and set the following DWORD registry key:

User-added image
With this setting, instead of calculating LogOn hours locally,  the connector will make an inert logon call, with an incorrect password, to AD and check the error code for invalid logon hour.   In this case, the Domain Controller, not the connector, is determining if the login is within the allotted time.  The downside of this setting is that the login call with an incorrect password will be counted against the number of failed login attempts.