Solved

System Clock in domain setting

Posted on 2005-03-28
Last Modified: 2009-12-16


Well I am running into a brick wall. I am offering the 500pts in this POINTER thread along with the 500pts in the thread I need help with. That is 1000 pts to the person that can spend some time and help me figure this out.

I'M NEW to the admin side of things.

Please look at this thread and post there.

http://www.experts-exchange.com/Networking/Q_21353134.html
Question by:mrchaos101
22 Comments
 
LVL 3

Expert Comment

by:scomo1026
ID: 13644867
I have reviewed the other thread, and am seeing some inaccurate information.  When dealing with group policies that affect the computer configuration (like the system time setting), after doing the gpupdate /force, the computer has to be rebooted, not just logged off and back on.

Next, I will get right to the different locations where this can be done...
1.  Go to admin tools and then select "Domain Security Policy".  Expand Local Policies, then highlight "User Rights Assignments".  In the right pane you will see "Change the system time".
2.  Go to admin tools and then select "Domain Controller Security Policy".  Expand Local Policies, then highlight "User Rights Assignments".  In the right pane you will see "Change the system time".
3.  Next go to Start, then Run, and type mmc, then Enter.  Go to File and select Add/Remove Snap-in.  Select Add at the bottom, then scroll down to Group Policy Object Editor, highlight it and then choose Add.  You will now be asked which GPO you want to add.  Please post all GPOs listed.  The reason I had you open it this way was so that we could see all the GPOs in a single list.  Your post said you only have one, but I am double checking.  Select your one GPO and then Finish.  Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, highlight User Rights Assignments, then in the right pane will be your Change system time setting.
4.  You can also log onto the local computer as an administrator and follow the instructions from step 3 above. When you pick the GPO you want to open, just leave the default of local policy there and select Finish.  Then drill down to the setting and you can verify what the computer is actually using as its settings.

I am here for the long haul, and will help you work through this.
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13644894
So if you do find the setting you changed, the proper steps will be to

1.  Make the change to add "domain users" as allowed to change the system time.
2.  run gpupdate /force on the domain controller
3.  reboot a machine
4.  log on as a regular user and test changing the system time.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13645576

OK, I seem to be somewhat confused as to what you are describing in number 3 and what I am seeing with the mmc.

I have the admin pack installed and shortcuts on my desktop for Group Policy Management, Active Directory Users and Computers, etc...

As for number 2, I did make the change there (though I thought I had before).  I did the gpupdate /force on the client PC and rebooted it.

I logged in as a domain user and dbl clicked the clock.

"The operation has been cancelled due to restrictions in effect on this computer.  Please contact your system administrator."

Thanks for helping me.
0

 
LVL 3

Expert Comment

by:scomo1026
ID: 13645717
The reason I wanted you to do number 3 the way I described above (step by step) was so that I could see if there were any other policies that we might be overlooking.  In step three, when I stated you will be asked which GPO you want to add, I forgot to say hit the Browse button.

In number 4, please follow the steps from three, but on a local user machine so that we can verify what the settings are on the local machine of a user having the issue.

I know working with the GPO's and security policies is frustrating because they are located all over the place, but we will get through it...
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13645755
Is there a way to export my settings to txt or HTML and email them to you? Would that help or be an option?
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13645845
Unfortunately, no, you can only export unuseful lists when exporting the areas we need to look at.  Can you please look on the local machine and tell me what the settings are for the "change system Time".  This will help greatly.
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13645932
This won't solve our problem, but it might have some useful info in it...

http://support.microsoft.com/?id=300022
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13645982
Looks like you're not the only one...  Check out problem #2.  Lots of good info...

http://esj.com/Security/article.aspx?EditorialsID=1257
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13646188
Here is how it all works, and how the GPOs pull from the domain security policy and in what order they are applied.  There is some great information in here.  I think I read in your other post that you changed something back to undefined, and according to this article, that won't work.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_gpssp_how.asp

My suggestion is to...
1.  Open GPO editor via your admin pack shortcut.
2.  Right click on the OU, or highest level OU that contains all of your computer accounts (except for servers), and create a new GPO calling it system time
3.  Make your change to the change system time (add domain users, domain admins, etc)
4.  Make sure the group policy is enabled, and linked to the specific OU
5.  Run gpupdate /force
6.  Reboot a machine
7.  Log on as a user and test

Please remember that this setting in a GPO has to be applied to computer account OUs and not to user account OUs.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13646551
OK let me give you some more info here:

Group Policy Management

INSIDE Group Policy Objects

Altek Default Policy  (this is the one I use for my domain users)
Default Domain Controllers Policy (we don't use)
Default Domain Policy (we don't use)
New Group Policy Object (was used for testing at one time but not linked to anything)


Under altek.local\ Altek Accounts  I have 2 Objects

Computers  (has blue circle with white !)
And Users  (has blue circle with white !)

The only policy UP the chain is the Default Domain Policy in the root... but I have the inheritance turned off, thus the blue circle with the white !

In both the Computers and Users objects I have the Altek Default Policy linked.

The command prompt was removed from the domain users when they log in on a client so... at the moment, I cannot run mmc or anything from a command line or Start.

Looking at my Altek Default Policy, it shows that Authenticated Users and Domain Users of ALTEK\Domain Users are linked to it.

When I edit this policy,  Computer Configuration\Windows Settings\Local Policies\User Rights Assignments\

Change the system Time  is set to  ALTEK\Domain Users, Authenticated Users

Just for grins I made sure the same settings were made for Change the system time up the chain in the Default Domain Policy.

Logged into the client PC as an admin.  Ran gpupdate /force  then clicked start shutdown, restart.

I will try logging in as a domain user and post back.
If this doesn't work then I will try to re-allow the start window and settings to see what is going on.


0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13646623
The gpupdate /force has to be done from the server, not the client.  You can log on as the admin and go to the admin tools and then open Local Security Policy to see what the local settings are.  Please remember, these are computer settings, and not user settings.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13646709
Bah... and then reboot the client so the client gets the update, right?

Perhaps this is where my problems are. I have been running gpupdate /force on the client and rebooting the client.
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13646789
Yes, please read steps I posted in my second post.  This might very well have been the problem.  The policy will update automatically every 90 minutes, but if you are constantly making changes, the PC's would not be getting the correct policy.

Hopefully, this will work, but if not we still have more avenues to try.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13646896
Blah... no dice.

I did put the Run command back in the Start menu.

I ran the MMC as you had asked.

When I clicked Browse it showed the Altek Default Policy.

I assume this means that it is loading the policy when the computer logs on to the domain.

When I try to run the snap-in further, it says I don't have permission... let me know if we go further for this part. I don't want to undo a lot of the stuff I have done to lock people down.


So recap: the settings for Altek Default seem to be correct.  The policy is enabled. That same policy is linked to the Computers and the Users objects.

I am running gpupdate /force on the server and rebooting the client PC.

When I dbl click the time on the client I still get the same "Operation has canceled due to restrictions" message.

Thank you again for hanging in there with me.
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13646951
This is done on the client machine:
On the local machine we do not want to browse, we want to keep the local policy.  Or the other way is to>>> go to admin tools, and open the local security policy, then drill down to the change system time settings to verify what the local computer is using.

No problem...  We will get there.
Can you verify for me that the OU containing the computer accounts is indeed set to block policy inheritance?
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13647000
Can you verify for me that the OU containing the computer accounts is indeed set to block policy inheritance?

Yes, I looked at both Computers and Users OU and there is a check mark in front of "Block Inheritance" for each.



As for on the client machine, so I should enable the administrative tools to the domain users so i can see what is happening correct?
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13647036
No, you can just log in as the administrator, then go to the control panel, then admin tools, then local security policy.  These settings won't change by the person logging in as these are computer settings and not user settings.
0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13647120
Ok on the local machine with me logged in as admin;

Security Settings\ Local Policy\ User Rights Assignment\  Change the system time = Authenticated Users, ALTEK\Domain Users
0
 
LVL 3

Accepted Solution

by:
scomo1026 earned 2000 total points
ID: 13647243
OK perfect, that is what I wanted to verify (from this we know it is getting the information from the GPO).  None of your users are admin or power users of the machines are they?  It was not the GPO that disallowed users to change the time, it was MS.  In this article, they say this is by design.

I was so wrong about this article not solving your problem.
http://support.microsoft.com/?id=300022

According to this article, you must grant the Change system time user right, AND then add the following permissions on the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation registry key.
They say this is by design.  So...  On the client machine...

1.  Log in as administrator (or remotely manage the registry from your computer)
2.  Browse to the registry key above, right click on TimeZoneInformation and choose permissions
3.  Add your user or users and click on apply
4.  Select the advanced button
5.  Uncheck inherit permissions from the parent, and then when asked, select copy.
6.  Under permission entries, select the user you added in step 3 and select edit
7.  Under allow, the user needs
• Query Value
• Set Value
• Create Subkey
• Enumerate Subkey
• Notify
• Read Control
8.  Select apply these permissions to objects and then okay your way out
9.  Close regedit
10. Log off admin and log in as user to test.



0
 
LVL 1

Author Comment

by:mrchaos101
ID: 13647520
WOOT that fixed it!!!

So, does this mean I have to do this with every client PC I hook up to this domain?
0
 
LVL 3

Expert Comment

by:scomo1026
ID: 13649430
Yes, unless you want to add users to the admin or power users group.  You can use the GPO to say what exe can be run so as to minimize what users can do as a power user.  Or you might want to post again and ask someone for help creating a script file that can be run to set the permissions.  I would help with this, but I am horrible at writing script files.
0
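
The registry permission change from the accepted answer, and the kind of script asked about in the reply above, as an added PowerShell example that is not part of the original thread. It grants the six rights to the `ALTEK\Domain Users` group named in the thread rather than to individual users; the `-Principal` and `-Apply` parameters and the "this key and subkeys" scope are assumptions of this example. Without `-Apply` it changes nothing and only audits what the group currently holds on the key.

```powershell
# Added example (not from the thread). Run elevated on the client PC.
param(
    [string]$Principal = 'ALTEK\Domain Users',  # group named in the thread; adjust for your domain
    [switch]$Apply                              # assumption of this example: without it, audit only
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'

# The six rights listed in step 7. "Read Control" is called ReadPermissions in .NET.
$wanted = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, ReadPermissions'

# Resolve the name to a SID first so a mistyped group fails before anything is changed.
$sid = ([System.Security.Principal.NTAccount]$Principal).Translate(
    [System.Security.Principal.SecurityIdentifier])

if ($Apply) {
    $acl = Get-Acl -Path $keyPath

    # Step 5: stop inheriting from the parent key and keep a copy of the inherited entries.
    $acl.SetAccessRuleProtection($true, $true)

    # Assumption: the entry applies to this key and its subkeys.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $sid, $wanted,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)

    # SetAccessRule replaces any explicit Allow entry for this SID, so reruns do not stack entries.
    $acl.SetAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

# Audit: read back what is on the key and combine every Allow entry for the group.
$entries = (Get-Acl -Path $keyPath).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value -and
                   $_.AccessControlType -eq 'Allow' }

$granted = 0
foreach ($e in $entries) { $granted = $granted -bor [int]$e.RegistryRights }

if ($granted -eq [int]$wanted) {
    "OK: $Principal holds exactly: $wanted"
} else {
    # More than the six rights (for example FullControl) is flagged as well as fewer.
    Write-Warning ("{0} holds '{1}', expected '{2}'" -f $Principal,
        [System.Security.AccessControl.RegistryRights]$granted, $wanted)
}
```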
 
LVL 1

Author Comment

by:mrchaos101
ID: 13653069
Please click the link above and post something in it in regards to this thread so I can award you those points as well.  Thank you for your help!
0
