mrchaos101

asked on

System Clock in domain setting



Well, I am running into a brick wall. I am offering the 500 pts in this POINTER thread along with the 500 pts in the thread I need help with. That is 1000 pts to the person that can spend some time and help me figure this out.

I'M NEW to the admin side of things.

Please look at this thread and post there.

https://www.experts-exchange.com/questions/21353134/Enable-ability-to-change-system-clock-on-clinet-pc-windows-2003-server-domain.html
scomo1026

I have reviewed the other thread, and am seeing some inaccurate information.  When dealing with group policies that affect the computer configuration (like the system time setting), after doing the gpupdate /force, the computer has to be rebooted, not just logged off and back on.

Next, I will get right to the different locations where this can be done...
1.  Go to admin tools and then select "Domain Security Policy".  Expand Local Policies, then highlight "User Rights Assignments".  In the right pane you will see "Change the system time".
2.  Go to admin tools and then select "Domain Controller Security Policy".  Expand Local Policies, then highlight "User Rights Assignments".  In the right pane you will see "Change the system time".
3.  Next go to Start, then Run, and type mmc, then Enter.  Go to File and select Add/Remove Snap-in.  Select Add at the bottom, then scroll down to Group Policy Object Editor, highlight it and then choose Add.  You will now be asked which GPO you want to add.  Please post all GPOs listed.  The reason I had you open it this way was so that we could see all the GPOs in a single list.  Your post said you only have one, but I am double checking.  Select your one GPO and then Finish.  Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, highlight User Rights Assignments, then in the right pane will be your Change the system time setting.
4.  You can also log onto the local computer as an administrator and follow the instructions from step 3 above; when you pick the GPO you want to open, just leave the default of local policy there and select Finish.  Then drill down to the setting and you can verify what the computer is actually using as its settings.

I am here for the long haul, and will help you work through this.
So if you do find the setting you changed, the proper steps will be to

1.  Make the change so that "domain users" are allowed to change the system time.
2.  Run gpupdate /force on the domain controller.
3.  Reboot a machine.
4.  Log on as a regular user and test changing the system time.

ASKER


OK, I seem to be somewhat confused as to what you are describing in number 3 and what I am seeing with the mmc.

I have the admin pack installed and shortcuts on my desktop for Group Policy Management, Active Directory Users and Computers, etc...

As for number 2, I did make the change there (though I thought I had before).  I did the gpupdate /force on the client PC and rebooted it.

I logged in as a domain user and double-clicked the clock.

"The operation has been cancelled due to restrictions in effect on this computer.  Please contact your system administrator."

Thanks for helping me.
The reason I wanted you to do number 3 the way I described above (step by step) was so that I could see if there were any other policies that we might be overlooking.  In step three, when I stated you will be asked which GPO you want to add, I forgot to say hit the Browse button.

In number 4, please follow the steps from three, but on a local user machine so that we can verify what the settings are on the local machine of a user having the issue.

I know working with the GPO's and security policies is frustrating because they are located all over the place, but we will get through it...
Is there a way to export my settings to txt or HTML and email them to you? Would that help or be an option?
Unfortunately, no, you can only export unuseful lists when exporting the areas we need to look at.  Can you please look on the local machine and tell me what the settings are for "Change the system time"?  This will help greatly.
This won't solve our problem, but it might have some useful info in it...

http://support.microsoft.com/?id=300022
Looks like you're not the only one...  Check out problem #2.  Lots of good info...

http://esj.com/Security/article.aspx?EditorialsID=1257
Here is how it all works, and how the GPOs pull from the domain security policy and in what order they are applied.  There is some great information in here.  I think I read in your other post that you changed something back to undefined, and according to this article, that won't work.

http://www.microsoft.com/resources/documentation/WindowsServ/2003/all/techref/en-us/Default.asp?url=/Resources/Documentation/windowsserv/2003/all/techref/en-us/w2k3tr_gpssp_how.asp

My suggestion is to...
1.  Open GPO editor via your admin pack shortcut.
2.  Right click on the OU, or highest level OU that contains all of your computer accounts (except for servers), and create a new GPO calling it system time.
3.  Make your change to the Change the system time setting (add domain users, domain admins, etc.).
4.  Make sure the group policy is enabled, and linked to the specific OU.
5.  Run gpupdate /force.
6.  Reboot a machine.
7.  Log on as a user and test.

Please remember that this setting in a GPO has to be applied to computer account OUs and not to user account OUs.
OK, let me give you some more info here:

Group Policy Management

INSIDE Group Policy Objects

Altek Default Policy  (this is the one I use for my domain users)
Default Domain Controllers Policy (we don't use)
Default Domain Policy (we don't use)
New Group Policy Object (was used for testing at one time but not linked to anything)


Under altek.local\ Altek Accounts  I have 2 Objects

Computers  (has blue circle with white !)
And Users  (has blue circle with white !)

The only policy up the chain is the Default Domain Policy in the root... but I have the inheritance turned off, thus the blue circle with the white !

In both the Computers and Users objects I have the Altek Default Policy linked.

The command prompt was removed from the domain users when they log in on a client, so... at the moment, I cannot run mmc or anything from a command line or Start.

Looking at my Altek Default Policy, it shows that Authenticated Users and Domain Users of ALTEK\Domain Users are linked to it.

When I edit this policy,  Computer Configuration\Windows Settings\Local Policies\User Rights Assignments\

Change the system time  is set to  ALTEK\Domain Users, Authenticated Users

Just for grins I made sure the same settings were made for Change the system time up the chain in the Default Domain Policy.

Logged into the client PC as an admin.  Ran gpupdate /force, then clicked Start, Shut Down, Restart.

I will try logging in as a domain user and post back.
If this doesn't work then I will try to re-allow the Start window and settings to see what is going on.


The gpupdate /force has to be done from the server, not the client.  You can log on as the admin and go to the admin tools and then open Local Security Policy to see what the local settings are.  Please remember, these are computer settings, and not user settings.
Bah... and then reboot the client so the client gets the update, right?

Perhaps this is where my problems are... I have been running gpupdate /force on the client and rebooting the client.
Yes, please read the steps I posted in my second post.  This might very well have been the problem.  The policy will update automatically every 90 minutes, but if you are constantly making changes, the PCs would not be getting the correct policy.

Hopefully, this will work, but if not we still have more avenues to try.
Blah... no dice.

I did put the Run command back in the Start menu...

I ran the MMC as you had asked.

When I clicked Browse it showed the Altek Default Policy.

I assume this means that it is loading the policy when the computer logs on to the domain.

When I try to run the snap-in further... it says I don't have permission... let me know if we go further for this part... I don't want to undo a lot of the stuff I have done to lock people down.


So recap:  The settings for Altek Default seem to be correct.  The policy is enabled. That same policy is linked to the Computers and the Users objects.

I am running gpupdate /force on the server and rebooting the client PC.

When I double-click the time on the client I still get the same "Operation has been cancelled due to restrictions" message.

Thank you again for hanging in there with me.
This is done on the client machine:
On the local machine we do not want to browse, we want to keep the local policy.  Or the other way is to>>> go to admin tools, and open the local security policy, then drill down to the change system time settings to verify what the local computer is using.

No problem...  We will get there.
Can you verify for me that the OU containing the computer accounts is indeed set to block policy inheritance?
Can you verify for me that the OU containing the computer accounts is indeed set to block policy inheritance?

Yes, I looked at both the Computers and Users OUs and there is a check mark in front of "Block Inheritance" for each.



As for on the client machine, so I should enable the administrative tools for the domain users so I can see what is happening, correct?
No, you can just log in as the administrator, then go to the control panel, then admin tools, then local security policy.  These settings won't change by the person logging in as these are computer settings and not user settings.
OK, on the local machine with me logged in as admin:

Security Settings\ Local Policy\ User Rights Assignment\  Change the system time = Authenticated Users, ALTEK\Domain Users
ASKER CERTIFIED SOLUTION
scomo1026

This solution is only available to members.
WOOT that fixed it!!!

So, does this mean I have to do this with every client PC I hook up to this domain?
Yes, unless you want to add users to the admin or power users group.  You can use the GPO to say what exe can be run so as to minimize what users can do as a power user.  Or you might want to post again and ask someone for help creating a script file that can be run to set the permissions.  I would help with this, but I am horrible at writing script files.
Please click the link above and post something in it in regard to this thread so I can award you those points as well.  Thank you for your help!
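
Added example, not part of the original thread: the check requested several times above (which accounts the client itself lists for "Change the system time") can be read from an elevated PowerShell prompt on the client instead of through the Local Security Policy snap-in. `Get-UserRightHolders` and `Resolve-Principal` are hypothetical helper names; `SeSystemtimePrivilege` is the constant Windows uses for this right in a `secedit` export.

```powershell
# Added example: list the accounts holding "Change the system time"
# (SeSystemtimePrivilege) in this computer's current security settings.
# Run elevated on the client being checked, after gpupdate and a reboot.

function Get-UserRightHolders {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,   # lines of a secedit export
        [string] $Right = 'SeSystemtimePrivilege'
    )
    # Under [Privilege Rights] each right is one line:
    #   SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return $Matches[1].Split(',') |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ }
        }
    }
    return @()   # right absent from the export: no account is assigned
}

function Resolve-Principal {
    param([string] $Entry)
    # Entries starting with '*' are SIDs; anything else is already a name.
    if (-not $Entry.StartsWith('*')) { return $Entry }
    $sidText = $Entry.Substring(1)
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText   # SID could not be translated (e.g. DC unreachable)
    }
}

# Export only the user-rights area of the current settings, then parse it.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$holders = Get-UserRightHolders -InfLines (Get-Content $inf -Encoding Unicode)
Remove-Item $inf

if (-not $holders) {
    'SeSystemtimePrivilege: no accounts assigned'
} else {
    $holders | ForEach-Object { Resolve-Principal $_ }
}
```

Running it before and after a policy change shows whether the domain GPO's assignment actually reached this computer, which is the comparison the thread performs by hand.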