Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 410
  • Last Modified:

Enable ability to change system clock on clinet pc, windows 2003 server domain

Im gonna try this agian I have asked this but never could get it to work.

I THOUGHT I wanted to remove the ability to allow users to change the date and time on their cliet PC's.  I removed the ability, but since then it has been nothing but issues and we just need to allow them to do this.

I FORGOT WHERE AND HOW I did this.

Server 2003 as a PDC in a domain
Client is XP PRO with SP2

Please list ANY AND ALL places, i.e. Policies on the server and policies on the cliente pc...
That could cause this to be disabled so I can fix it.

Im new to this so you may need to REMIND me how to get to where I need to go.

Thanks
0
mrchaos101
Asked:
mrchaos101
  • 8
  • 4
  • 3
  • +3
1 Solution
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
I guess my question is why?  Allowing users to change their times on their PC's can cause all kinds of problems in a Domain.  It is better to let those machines get accurate time from their authenticating DC, and then that from the PDC emulator, and then that from a reliable time source on the Internet.

If you wanted to ensure at each bootup they were synced, you could even add a net time command to the logon script.

OK here are some places to look.  You can check on your Domain Policy and your Domain Controller policy as well as any OU Policies you have defined.

If you actually removed the clock from the taskbar, go to User Configurations, Administrative Templates, Start Menu and Taskbar and it is under Remove Clock from the System Notification Area.

Computer Configuration, Windows Settings, System Services, Windows Time,  and edit Security in that object.
0
 
mrchaos101Author Commented:
They have need to BACK date invoices... only way to do this is is to change the clock on the pc.
0
 
mrchaos101Author Commented:
hmm   are you perhaps giving dirctiosn for server 2000?

2003 seems to be somwaht diff

Im in th GPO now.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
SoyYopCommented:
Check on Domain Policies. Create a temporary domain policy just for that. Enable the hability to change the time, and link and ENFORCE it on root.
That will effectively enable this policy on all the domain .

Now you can relax and use the Group Policy Managment Console to run a Group Policy Modeling or Group Policy Results on a standar user applied on his computer.

Expand it and look for conflicting options on time setting. Your new policy is overrading any other one, so will be the "Winner". Once found, edit the policy, and remove the link to your temporary time policy.

Test.
0
 
mrchaos101Author Commented:
I think I had disabled inharnt polocies.. will this still work?
0
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
What I posted above is for 2003.  I have a 2003 forest, domain and all WS are XP
0
 
SoyYopCommented:
It may, but only if the setting is on the policies, AND policies are not enforced. Have you done a "Block inheritance"? You may have a blue circle with an "!" inside where are blocked.

Have you tested? Reboot the client first, to refrsh changes (you can also use gpupdate /force and logoff/login)
0
 
mrchaos101Author Commented:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\


Change system time  Would this be the spot?

I have the admin pac so maybe that is why mine looks diff.

I went to change system time and put ADMINS and DOMAN USERS in it.

Logged on teh WS as a domain user and cannot change time.

Is htere a command to FORCE the WS to update the Polocies?  Perhaps this is why it didn't work?
0
 
SoyYopCommented:
gpupdate /force, but you have to logoff and login. Rebooting may also help, and waiting a while, if the DC is far away on your topology...

Moving out. See you tomorrow,

BTW, do you have the Group Policy Console installed? Group Policy Modeling or Group Policy Results gives you a lot of information, including were settings are applied or denied. Is not so difficult to use...


0
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
Yes, if you just changed the group policy, it will have to propogate.  By default it is like, 90 minutes.  Give the workstation a gpupdate /force.  Log off and back on and the policy should be updatedd
0
 
mrchaos101Author Commented:
OK..
If I go to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
change system time

And take all the groups out and mark it as UNDEFINED... by defalut this should allow my users to change their time right?



Is there any other setting that could cause this to NOT work?
0
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security OfficerIT Consultant, Network Engineer, Windows Network Administrator, VMware AdministratorCommented:
Yes, you are correct unless there is another policy further up the chain that disabled it.  Go to a workstation and give it the gpupdate /force and see if it works then.
0
 
mrchaos101Author Commented:
I updated the policy  no dice.

Is there any other place?  The only one up the chain the the default domain policy... but I have inheret turned off.
0
 
keenemarinCommented:
You have a PDC doing this?

How about stopping the Windows Time service on the server. Its called W32time, you can access it through the services option - but I would recommend getting the admin pack if you dont already have it.

Also, making sure that Group Policy - Default Domain Policy - Properties - Computer Configuration - Administrative Templates - System - Windows Time Service, and all its subcomponents are set to disabled. Do you have more than one Group Policy? if so, check the same location in all of them. Other than that, mrchaos101 really covered the other area to check for too.

Keene
0
 
mrchaos101Author Commented:
yes one box does it all it is a PDC
0
 
mrchaos101Author Commented:
The problem is...

If I log in under an Admin account on the client I can change system time fine.

If I log in as a domain user It sys I cannot change time do to restrictions on this computer.

I have only ONE policy. I copied the defalt to our OU and made all changes I needed to it.

Is there any other information I can give to get this figured out?
0
 
scomo1026Commented:

http://support.microsoft.com/?id=300022

According to this article, you must grant the Change system time user right, AND then add the following permissions on the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation registry key.
They say this is by design.  So...  On the client machine...

1.  Log in as administrator (or remotely mange the registry from your computer)
2.  Browse to the registry key above, right click on TimeZoneInformation and choose permissions
3.  Add your user or users and click on apply
4.  Select the advanced button
5.  Uncheck inherit permissions from the parent, and then when asked, select copy.
6.  Under permission entries, select the user you added in step 3 and select edit
7.  Under allow, the user needs
• Query Value
• Set Value
• Create Subkey
• Enumerate Subkey
• Notify
• Read Control
8.  Select apply these permissions to objects and then okay your way out
9.  Close regedit
10. Log off admin and log in as user to test.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

  • 8
  • 4
  • 3
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now