Solved

lock windows time and date group policy

Posted on 2007-04-05
12
951 Views
Last Modified: 2008-02-20
i am running a small business server 2003 premium edition server with about 50 workstations running windows xp pro sp2, is there anyway of "locking" the clock, time and date calendar so that people can view it but not change it.  problem was on numerous occasionsions i think people are using the time and date as a calender so to speak, and managed to reset the date on the pc.  of course when they shut down they cant log on because the time and date doesnt match the domain controller.
0
Comment
Question by:brad2000smith
  • 6
  • 5
12 Comments
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18856972
It doesn't really make sense that users can't log on after the computer is shut down because time synchronization actually occurs at boot, before they would log on.  And if they did change the time/date it should sync back to the current time automatically.

However, if you somehow have not joined the workstations to the domain properly so that they properly sync from the server, you will need to correct that.

First, review this article on fixing time sync errors:
http://www.smallbizserver.net/tabid/266/articleType/ArticleView/articleId/71/How-to-fix-time-synchronization-errors.aspx

Then, if you did not originally join the workstations to the server using http://<servername>/connectcomputer, you should fix that by following these steps:


At the client machine:
1.  Log in with THAT machine's LOCAL administrator account.
2.  Unjoin the domain into a WORKGROUP
3.  Change the name of the computer (this is not an option, you must use a name that is unique and hasn't been used before on your SBS)
4.  Delete or rename the following directory C:\Program Files\Microsoft Windows Small Business Server\Clients if it exists
5.  Make sure that the network settings are configured to get an IP address automatically (DHCP enabled)
6.  Reboot

Then on the server, from the Server Management Console:
1.  Remove the client computers if it still shows in the Client Computer screen on the Server Management Console
2.  Add the client with it's NEW name using the Add Computer wizard

Then, go back to the client machine, log back in with the local Administrator account and join the domain by opening Internet Explorer and navigating to http://<servername>/connectcomputer

Jeff
TechSoEasy
0
 

Expert Comment

by:lilceez
ID: 18863019
You can use the Group Policy Object Editor to hide the time from users so they can't play with it but I'm not 100% sure if there is an option to lock the time and date and still have it displayed. I would check it out.
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18864582
There is an option to do that in Group Policies, but that would be like putting a bandaid on a gunshot wound.  The root problem needs to be fixed.  Not the symptom.

Jeff
TechSoEasy
0
 

Author Comment

by:brad2000smith
ID: 18881213
ok well im pretty sure that they are joined to the domain correctly ie all the settings etc seem to be ok, is there any way to tell for sure?thank you for the help.
Do i do this on the server or client?

w32tm /config /manualpeerlist:time.nist.gov,0x8 /syncfromflags:MANUAL
net stop w32time
net start w32time
w32tm /resync

what does this mean and where do i set these?
Here we should use the "0x8" flag which sets the SBS server in Client Mode. These are the valid settings:

0x01 use special poll interval SpecialInterval
0x02 UseAsFallbackOnly
0x04 send request as SymmatricActive mode
0x08 send request as Client mode

and this i run on the client as its xp machines we have?
net time /setsntp:servername
w32tm /resync   (for XP)

i do have this occuring in event viewer would this be anything to do with it, if i dont have an external time source which i dont, how do i disable Ntpclient? which again event viewer prompts me to do.

"The time service has not synchronized the system time for 86400 seconds  because none of the time service providers provided a usable time  stamp. The time service is no longer synchronized and cannot provide  the time to other clients or update the system clock. Monitor the  system events displayed in the Event  Viewer to make sure that a more  serious problem does not exist. "
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18886954
Perhaps this KB article is a bit clearer?  http://support.microsoft.com/kb/816042

You don't disable the ntpclient, and you DO need to configure the server for an external time source.  THe above KB article will explain how.

Jeff
TechSoEasy
0
 

Author Comment

by:brad2000smith
ID: 18888151
my small business server is configured to this on the MS article
"Configuring the Windows Time service to use an internal hardware clock" these registry are correct.  so why are my clocks not re-synching? if i change the date on my windows clock to 2011 for example and reboot i cant log on.  it says that the time and date are incorrect.

"Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source.  It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source.  Otherwise, this machine will  function as the authoritative time source in the domain hierarchy.  If an external  time source is not configured or used for this computer, you may choose to disable  the NtpClient."

"The time service has not synchronized the system time for 86400 seconds  because none of the time service providers provided a usable time  stamp. The time service is no longer synchronized and cannot provide  the time to other clients or update the system clock. Monitor the  system events displayed in the Event  Viewer to make sure that a more  serious problem does not exist"

I have these in event viewer occuring. any ideas?  as my server is the only server in the domain surely i can configure that as the master and for the workstations to resync their time from it?

0
Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

 

Author Comment

by:brad2000smith
ID: 18888167
ps on a small business server when joing in a workstation should you always use servername\connectcomputer or can i go to computer name then change and type the domain in there, does it make a difference?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18901433
It absolutely makes a difference and you should always use connectcomputer.  To see all that this does look at http://sbsurl.com/connect.

I have never configured an SBS to use it's internal clock, so I'm unsure as to why it wouldn't work.  I could guess though that if you change the clock to something that far off it will have a problem with all of the previously time-stamped items that are in place before your reboot.

Jeff
TechSoEasy
0
 

Author Comment

by:brad2000smith
ID: 18916675
when i try and run connectcomputer - it says please run the newtorking wizard to complete setup. what does this mean? has the connectcomputer feature been turned off? if so where and how?  i have also noticed that if i join a computer to the domain through system properties, the time and date changes to US time zone and we are in the UK.  even thought the time on the server and client pc was set to UK before joining.  why is this?
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18925146
If that's the error you are getting, then you need to do what it says in this MS KB article:
http://support.microsoft.com/kb/838431

Jeff
TechSoEasy
0
 

Author Comment

by:brad2000smith
ID: 18927334
what external time sources should i use? my sbs server is the only server on the domain.
0
 
LVL 74

Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 125 total points
ID: 18932582
It's best to use pool.ntp.org.  Go to http://pool.ntp.org to see how that works.  Also, you'll find a good overview of SBS's configuration needs here:  http://msmvps.com/blogs/bradley/archive/2007/01/03/need-to-set-up-the-sbs-box-as-an-authoritative-time-server.aspx

Jeff
TechSoEasy
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Written by Glen Knight (demazter) as part of a series of how-to articles. Introduction One of the biggest consumers of disk space with Small Business Server 2008(SBS) is Windows Server Update Services, more affectionately known as WSUS. For t…
The SBS 2011 release date (RTM) is supposed to be around Christmas, 2011.  This article is a compilation of my notes -- things I have learned first hand.  The items are in a rather random order, but I think this list covers most of what is new and d…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now