lock windows time and date group policy

i am running a small business server 2003 premium edition server with about 50 workstations running windows xp pro sp2, is there anyway of "locking" the clock, time and date calendar so that people can view it but not change it.  problem was on numerous occasionsions i think people are using the time and date as a calender so to speak, and managed to reset the date on the pc.  of course when they shut down they cant log on because the time and date doesnt match the domain controller.
brad2000smithAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
It doesn't really make sense that users can't log on after the computer is shut down because time synchronization actually occurs at boot, before they would log on.  And if they did change the time/date it should sync back to the current time automatically.

However, if you somehow have not joined the workstations to the domain properly so that they properly sync from the server, you will need to correct that.

First, review this article on fixing time sync errors:
http://www.smallbizserver.net/tabid/266/articleType/ArticleView/articleId/71/How-to-fix-time-synchronization-errors.aspx

Then, if you did not originally join the workstations to the server using http://<servername>/connectcomputer, you should fix that by following these steps:


At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with it's NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://<servername>/connectcomputer

Jeff
TechSoEasy
0
lilceezCommented:
You can use the Group Policy Object Editor to hide the time from users so they can't play with it but I'm not 100% sure if there is an option to lock the time and date and still have it displayed. I would check it out.
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
There is an option to do that in Group Policies, but that would be like putting a bandaid on a gunshot wound.  The root problem needs to be fixed.  Not the symptom.

Jeff
TechSoEasy
0
Get your problem seen by more experts

Be seen. Boost your question’s priority for more expert views and faster solutions

brad2000smithAuthor Commented:
ok well im pretty sure that they are joined to the domain correctly ie all the settings etc seem to be ok, is there any way to tell for sure?thank you for the help.
Do i do this on the server or client?

w32tm /config /manualpeerlist:time.nist.gov,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync

what does this mean and where do i set these?
Here we should use the "0x8" flag which sets the SBS server in Client Mode. These are the valid settings:

0x01 use special poll interval SpecialInterval
0x02 UseAsFallbackOnly
0x04 send request as SymmatricActive mode
0x08 send request as Client mode

and this i run on the client as its xp machines we have?
net time /setsntp:servername
w32tm /resync   (for XP)

i do have this occuring in event viewer would this be anything to do with it, if i dont have an external time source which i dont, how do i disable Ntpclient? which again event viewer prompts me to do.

"The time service has not synchronized the system time for 86400 seconds  because none of the time service providers provided a usable time  stamp. The time service is no longer synchronized and cannot provide  the time to other clients or update the system clock. Monitor the  system events displayed in the Event  Viewer to make sure that a more  serious problem does not exist. "
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Perhaps this KB article is a bit clearer?  http://support.microsoft.com/kb/816042

You don't disable the ntpclient, and you DO need to configure the server for an external time source.  THe above KB article will explain how.

Jeff
TechSoEasy
0
brad2000smithAuthor Commented:
my small business server is configured to this on the MS article
"Configuring the Windows Time service to use an internal hardware clock" these registry are correct.  so why are my clocks not re-synching? if i change the date on my windows clock to 2011 for example and reboot i cant log on.  it says that the time and date are incorrect.

"Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.  It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source.  Otherwise, this machine will  function as the authoritative time source in the domain hierarchy.  If an external  time source is not configured or used for this computer, you may choose to disable  the NtpClient."

"The time service has not synchronized the system time for 86400 seconds  because none of the time service providers provided a usable time  stamp. The time service is no longer synchronized and cannot provide  the time to other clients or update the system clock. Monitor the  system events displayed in the Event  Viewer to make sure that a more  serious problem does not exist"

I have these in event viewer occuring. any ideas?  as my server is the only server in the domain surely i can configure that as the master and for the workstations to resync their time from it?

0
brad2000smithAuthor Commented:
ps on a small business server when joing in a workstation should you always use servername\connectcomputer or can i go to computer name then change and type the domain in there, does it make a difference?
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
It absolutely makes a difference and you should always use connectcomputer.  To see all that this does look at http://sbsurl.com/connect.

I have never configured an SBS to use it's internal clock, so I'm unsure as to why it wouldn't work.  I could guess though that if you change the clock to something that far off it will have a problem with all of the previously time-stamped items that are in place before your reboot.

Jeff
TechSoEasy
0
brad2000smithAuthor Commented:
when i try and run connectcomputer - it says please run the newtorking wizard to complete setup. what does this mean? has the connectcomputer feature been turned off? if so where and how?  i have also noticed that if i join a computer to the domain through system properties, the time and date changes to US time zone and we are in the UK.  even thought the time on the server and client pc was set to UK before joining.  why is this?
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
If that's the error you are getting, then you need to do what it says in this MS KB article:
http://support.microsoft.com/kb/838431

Jeff
TechSoEasy
0
brad2000smithAuthor Commented:
what external time sources should i use? my sbs server is the only server on the domain.
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
It's best to use pool.ntp.org.  Go to http://pool.ntp.org to see how that works.  Also, you'll find a good overview of SBS's configuration needs here:  http://msmvps.com/blogs/bradley/archive/2007/01/03/need-to-set-up-the-sbs-box-as-an-authoritative-time-server.aspx

Jeff
TechSoEasy
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.