Windows Server 2012 > Remote Desktop Login Restriction
Member
Posts: 2,354
Joined: Dec 9 2014
Gold: 0.00
Jun 2 2017 05:51pm

I need to set where users can only login via rdp during work hours 8am - 6pm
there's an option with Active Directory Users and Computers, but the moment i download active directory domain services all of my office printers at two business locations didn't work anymore

can anyone recommend me another method or a method that would fix the printers from not working?
or
is there a way for me to restrict users from logging in during non office hours or make it where they can only login from our work offices
thanks
Member
Posts: 36,123
Joined: Jul 18 2008
Gold: 2,407.00
Jun 3 2017 04:58am
Any way to make a time based firewall rule for the rdp port?
Member
Posts: 8,110
Joined: Sep 23 2006
Gold: 3,558.23
Jun 3 2017 05:01am
How many users are we talking? Based on what you've said, and my own assumptions, your best bet is probably just to disable the user accounts every evening and enable them every morning. I suggest this because it can be easily scripted with a batch file or powershell and can be automated by using the task scheduler.

Alternatively, you can block rdp from outside on the server's firewall, but then if you ever need to get in remotely then you're locked out too.

I would usually suggest active directory for domain management, but it's a huge chunk of software that is probably much more complex than you think it is.

But beyond all of that... It's not a good idea to have end users log onto servers at all. Limited access to a terminal server is a pretty regular occurrence, but ideally you'd want users logging onto their own machines and not a server.
Member
Posts: 27,177
Joined: Mar 27 2008
Gold: 445.00
Jun 3 2017 05:22am
There are policies you need to put in place to set up for the printers.
Member
Posts: 2,354
Joined: Dec 9 2014
Gold: 0.00
Jun 4 2017 11:16am
Quote (Mastersam93 @ Jun 3 2017 04:58am)
Any way to make a time based firewall rule for the rdp port?

with a schedule batch im sure - but i also need other users to be able to login on during the offer hours too
Quote (Qord @ Jun 3 2017 05:01am)
How many users are we talking? Based on what you've said, and my own assumptions, your best bet is probably just to disable the user accounts every evening and enable them every morning. I suggest this because it can be easily scripted with a batch file or powershell and can be automated by using the task scheduler.

Alternatively, you can block rdp from outside on the server's firewall, but then if you ever need to get in remotely then you're locked out too.

I would usually suggest active directory for domain management, but it's a huge chunk of software that is probably much more complex than you think it is.

But beyond all of that... It's not a good idea to have end users log onto servers at all. Limited access to a terminal server is a pretty regular occurrence, but ideally you'd want users logging onto their own machines and not a server.


i know there's an option under active directory - user account > prop > account > log on hours
but we encountered a problem where none of the RDC user's local printer wouldn't print/wouldn't work after i installed the ADDS
Quote (ROM @ Jun 3 2017 05:22am)
There are policies you need to put in place to set up for the printers.

i've searched about the policies and deployment but i notice they all relate to the server's local printer
but we pay to have our server hosted over the internet and people from different locations log on to the server remotely

we use windows server 2012
Member
Posts: 8,110
Joined: Sep 23 2006
Gold: 3,558.23
Jun 5 2017 06:00am
Is there an easy and non-changing way to group these users together? Like, as an example, do you have a set of users that should only log in from 8-4 and another set that should only log in from 4-12? If so, I'd say to make some local groups on the server to separate these users. Then, have a scheduled task that adds/removes those groups to/from the remote desktop users group on the server.

Quote (AlvinHu @ Jun 4 2017 12:16pm)
with a schedule batch im sure - but i also need other users to be able to login on during the offer hours too

i know there's an option under active directory - user account > prop > account > log on hours
but we encountered a problem where none of the RDC user's local printer wouldn't print/wouldn't work after i installed the ADDS

i've searched about the policies and deployment but i notice they all relate to the server's local printer
but we pay to have our server hosted over the internet and people from different locations log on to the server remotely

we use windows server 2012


In the context of "policies", the printers can be local or networked. However, to use Group Policy and group policy objects you'd need Active Directory up and running, a functional internal DNS system, and all objects (printers, users, groups, computers) have to be domain members for it to work together. It's not a simple install-and-done kind of process. It takes a lot of planning to get it right.

Member
Posts: 2,354
Joined: Dec 9 2014
Gold: 0.00
Jun 5 2017 07:54pm
Quote (Qord @ Jun 5 2017 06:00am)
Is there an easy and non-changing way to group these users together? Like, as an example, do you have a set of users that should only log in from 8-4 and another set that should only log in from 4-12? If so, I'd say to make some local groups on the server to separate these users. Then, have a scheduled task that adds/removes those groups to/from the remote desktop users group on the server.



In the context of "policies", the printers can be local or networked. However, to use Group Policy and group policy objects you'd need Active Directory up and running, a functional internal DNS system, and all objects (printers, users, groups, computers) have to be domain members for it to work together. It's not a simple install-and-done kind of process. It takes a lot of planning to get it right.



i guess doing a task would be my best option from what you have explained
thanks qord

can anyone help me on getting started on the batch/powershell script?
i only know so much xD... thanks

This post was edited by AlvinHu on Jun 5 2017 07:56pm
Member
Posts: 8,110
Joined: Sep 23 2006
Gold: 3,558.23
Jun 7 2017 08:11am
For background info, anything you can do from the command line (either dos or powershell) you can also do through a script. Any script you create can be run automatically through the task scheduler. With that in mind, here’s how I would do it. For organization purposes, I like to create a folder named “scripts” on the C:\ drive and put all my production scripts there, often in subfolders to further organize them. I'm unable to add any pictures to this right now, but I can later if you need.

So let’s assume you have a group named “daytime”. This group is the group of folks who you want to log in only from 9 to 5. To add this group to the RDP group via the CMD prompt, use:
Code

net localgroup "Remote Desktop Users" daytime /add


To remove this group from the RDP group via the command line, use:
Code

net localgroup "Remote Desktop Users" daytime /delete

Note the quotation marks above. For any group with a space in the name, that is required.

To automate this, open notepad and paste the /add line. Click file, save as, in the file-type drop down box, pick all files, give it name like “daytime-add.bat” and save it to the C:\scripts folder.

To create a scheduled task to run this batch file, open task scheduler, click “action” near the top, “create basic task”, and the wizard opens. Give it a name, something intelligible so you remember what it is without having to look closer at it, and click next. Choose “daily” inside the “trigger” section and click next. Give it a start time and click next. Select “start a program” and click next. Click “browse” to navigate to your batch file, click next and verify everything is correct and then hit finish.

Once that’s done, the task will appear in the list of scheduled tasks. If you right-click the task, you can run it on demand to test it, disable it without deleting it, delete it, or edit its properties.

To remove that group from the rdp group, do that whole process over, but using the /delete line instead. The same goes for any other group you want to control this way, create a batch file with the other group name and the add or delete action, and make a scheduled task for it.

I highly recommend testing this with empty groups before just throwing it out there and assuming it’ll work. To do this, all you’d need to do is create two new local groups on the machine, edit the batch file to reflect the names of the test groups, and manually run it to see what happens. Once you know the batch file is good and will work, then work on getting it into scheduled tasks. You may have to open up the properties after creating it to make changes, like what username it’s supposed to run under.
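
Added example, not part of the thread or of Qord's post: the same add/remove schedule registered from PowerShell instead of the Task Scheduler wizard, using the 8am-6pm window from the original question. Assumptions: the account names are placeholders, and members are listed individually because a local group on a standalone server cannot contain another local group (with a domain, a single domain group name could be used instead).

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# on the server; the ScheduledTasks cmdlets ship with Server 2012 and later.
$Members  = @('user1', 'user2')       # placeholder account names (assumption)
$RdpGroup = 'Remote Desktop Users'    # built-in group that grants RDP logon

# Only the removal task catches up after downtime. A missed "add" leaves
# users locked out (fail closed); a missed "delete" would leave access open.
$Schedule = @(
    @{ Verb = 'add';    At = '08:00'; CatchUp = $false },
    @{ Verb = 'delete'; At = '18:00'; CatchUp = $true  }
)

# SYSTEM can edit local groups and needs no stored password in the task.
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

foreach ($s in $Schedule) {
    # One "net localgroup" action per member, same command as in the post.
    $actions = @(foreach ($m in $Members) {
        $netArgs = 'localgroup "{0}" "{1}" /{2}' -f $RdpGroup, $m, $s.Verb
        New-ScheduledTaskAction -Execute 'net.exe' -Argument $netArgs
    })

    $trigger = New-ScheduledTaskTrigger -Daily -At $s.At

    if ($s.CatchUp) {
        # Run as soon as possible if the server was off at the trigger time.
        $settings = New-ScheduledTaskSettingsSet -StartWhenAvailable
    } else {
        $settings = New-ScheduledTaskSettingsSet
    }

    Register-ScheduledTask -TaskName "RDP-hours-$($s.Verb)" -Action $actions `
        -Trigger $trigger -Principal $principal -Settings $settings -Force |
        Out-Null
}

# Confirm both tasks exist, then show who is currently in the RDP group.
Get-ScheduledTask -TaskName 'RDP-hours-*' | Select-Object TaskName, State
net localgroup $RdpGroup
```

Removing an account from the group only blocks new logons; a session that is already logged on at 6pm is not ended by this task.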
