?
Solved

Enable ability to change system clock on clinet pc, windows 2003 server domain

Posted on 2005-03-16
18
Medium Priority
?
407 Views
Last Modified: 2007-12-19
Im gonna try this agian I have asked this but never could get it to work.

I THOUGHT I wanted to remove the ability to allow users to change the date and time on their cliet PC's.  I removed the ability, but since then it has been nothing but issues and we just need to allow them to do this.

I FORGOT WHERE AND HOW I did this.

Server 2003 as a PDC in a domain
Client is XP PRO with SP2

Please list ANY AND ALL places, i.e. Policies on the server and policies on the cliente pc...
That could cause this to be disabled so I can fix it.

Im new to this so you may need to REMIND me how to get to where I need to go.

Thanks
0
Comment
Question by:mrchaos101
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 4
  • 3
  • +3
18 Comments
 
LVL 16

Expert Comment

by:samccarthy
ID: 13558003
I guess my question is why?  Allowing users to change their times on their PC's can cause all kinds of problems in a Domain.  It is better to let those machines get accurate time from their authenticating DC, and then that from the PDC emulator, and then that from a reliable time source on the Internet.

If you wanted to ensure at each bootup they were synced, you could even add a net time command to the logon script.

OK here are some places to look.  You can check on your Domain Policy and your Domain Controller policy as well as any OU Policies you have defined.

If you actually removed the clock from the taskbar, go to User Configurations, Administrative Templates, Start Menu and Taskbar and it is under Remove Clock from the System Notification Area.

Computer Configuration, Windows Settings, System Services, Windows Time,  and edit Security in that object.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13558031
They have need to BACK date invoices... only way to do this is is to change the clock on the pc.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13558096
hmm   are you perhaps giving dirctiosn for server 2000?

2003 seems to be somwaht diff

Im in th GPO now.
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 
LVL 7

Expert Comment

by:SoyYop
ID: 13558224
Check on Domain Policies. Create a temporary domain policy just for that. Enable the hability to change the time, and link and ENFORCE it on root.
That will effectively enable this policy on all the domain .

Now you can relax and use the Group Policy Managment Console to run a Group Policy Modeling or Group Policy Results on a standar user applied on his computer.

Expand it and look for conflicting options on time setting. Your new policy is overrading any other one, so will be the "Winner". Once found, edit the policy, and remove the link to your temporary time policy.

Test.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13558271
I think I had disabled inharnt polocies.. will this still work?
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13559183
What I posted above is for 2003.  I have a 2003 forest, domain and all WS are XP
0
 
LVL 7

Expert Comment

by:SoyYop
ID: 13559286
It may, but only if the setting is on the policies, AND policies are not enforced. Have you done a "Block inheritance"? You may have a blue circle with an "!" inside where are blocked.

Have you tested? Reboot the client first, to refrsh changes (you can also use gpupdate /force and logoff/login)
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13559352
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\


Change system time  Would this be the spot?

I have the admin pac so maybe that is why mine looks diff.

I went to change system time and put ADMINS and DOMAN USERS in it.

Logged on teh WS as a domain user and cannot change time.

Is htere a command to FORCE the WS to update the Polocies?  Perhaps this is why it didn't work?
0
 
LVL 7

Expert Comment

by:SoyYop
ID: 13559415
gpupdate /force, but you have to logoff and login. Rebooting may also help, and waiting a while, if the DC is far away on your topology...

Moving out. See you tomorrow,

BTW, do you have the Group Policy Console installed? Group Policy Modeling or Group Policy Results gives you a lot of information, including were settings are applied or denied. Is not so difficult to use...


0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13559495
Yes, if you just changed the group policy, it will have to propogate.  By default it is like, 90 minutes.  Give the workstation a gpupdate /force.  Log off and back on and the policy should be updatedd
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13559642
OK..
If I go to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
change system time

And take all the groups out and mark it as UNDEFINED... by defalut this should allow my users to change their time right?



Is there any other setting that could cause this to NOT work?
0
 
LVL 16

Expert Comment

by:samccarthy
ID: 13559882
Yes, you are correct unless there is another policy further up the chain that disabled it.  Go to a workstation and give it the gpupdate /force and see if it works then.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13591625
I updated the policy  no dice.

Is there any other place?  The only one up the chain the the default domain policy... but I have inheret turned off.
0
 
LVL 2

Expert Comment

by:keenemarin
ID: 13625341
You have a PDC doing this?

How about stopping the Windows Time service on the server. Its called W32time, you can access it through the services option - but I would recommend getting the admin pack if you dont already have it.

Also, making sure that Group Policy - Default Domain Policy - Properties - Computer Configuration - Administrative Templates - System - Windows Time Service, and all its subcomponents are set to disabled. Do you have more than one Group Policy? if so, check the same location in all of them. Other than that, mrchaos101 really covered the other area to check for too.

Keene
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13625420
yes one box does it all it is a PDC
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13644235
The problem is...

If I log in under an Admin account on the client I can change system time fine.

If I log in as a domain user It sys I cannot change time do to restrictions on this computer.

I have only ONE policy. I copied the defalt to our OU and made all changes I needed to it.

Is there any other information I can give to get this figured out?
0
 
LVL 3

Accepted Solution

by:
scomo1026 earned 2000 total points
ID: 13653450

http://support.microsoft.com/?id=300022

According to this article, you must grant the Change system time user right, AND then add the following permissions on the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation registry key.
They say this is by design.  So...  On the client machine...

1.  Log in as administrator (or remotely mange the registry from your computer)
2.  Browse to the registry key above, right click on TimeZoneInformation and choose permissions
3.  Add your user or users and click on apply
4.  Select the advanced button
5.  Uncheck inherit permissions from the parent, and then when asked, select copy.
6.  Under permission entries, select the user you added in step 3 and select edit
7.  Under allow, the user needs
• Query Value
• Set Value
• Create Subkey
• Enumerate Subkey
• Notify
• Read Control
8.  Select apply these permissions to objects and then okay your way out
9.  Close regedit
10. Log off admin and log in as user to test.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question