Applies to: Centrify DirectControl 5.2.3+ on all OS platform
Question: How to enforce "Logon Hours" setting on adclient?
Answer: Starting DirectControl 5.2.3, Centrify administrator can specify whether adclient will perform "Logon Hours" restriction check in addition to Active Directory.
Example usage: 1. Edit CentrifyDC.conf 2. adclient.logonhours.local.enforcement: This parameter specifies whether adclient will perform "Logon Hours" restriction check in addition to Active Directory. The default is true; otherwise only Active Directory will enforce the checking. Notice that Active Directory and all its client machines should have the same daylight saving time setting. 3. Restart the adclient to take effect. This configuration parameter determines whether the agent and Active Directory both check for user logon hour restrictions, or whether only Active Directory checks for logon hour restrictions. This parameter is useful in cases where users are in time zones that are different from the time zone that the agent is in.
When this parameter is set to true, the agent and Active Directory both check for local logon hour restrictions. If the agent and user are in different time zones, and one time zone recognizes Daylight Savings Time while the other does not, the user may not be able to logon during permissible hours.
When this parameter is set to false, only Active Directory checks for local hour restrictions, so there is no Daylight Savings Time conflict with the agent. Set this parameter to false if you have users that are not in the same time zone as the agent.