GPO: Block everyone on "Change the System Time"

In Windows 2003 server, how do I create a GPO to prevent everyone in the domain from changing the system clock? Our domain sync's with a stratum 2 time server and correctly updates the workstations with that time. I don't want users to adjust their clocks due to a time-keeping application used in payroll which logs the start and end time of employees' shifts based on workstation time.
LVL 1
light-blueAsked:
Who is Participating?
 
Netman66Commented:
Not that I am aware of.

Remove them from the Admin group.  Is there a reason they are local admins on domain-joined PCs?  That really is asking for Malware, Rootkits and Virus issues - if you don't already have one.

0
 
Brian PiercePhotographerCommented:
Configure the
Computer Configureation->Windows Settings->Security Settings -> Local Policies -> User Rights Assignments -> "Change the system time" option in the domain security policy can add/remove the groups as desired
0
 
light-blueAuthor Commented:
yes, but what is the "as desired part"? I included only ourDomain\Administrator, then ran gpupdate /force on a client machine, but it didn't apply properly. I can post the gpresult, but it talks about (empty)

0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
Brian PiercePhotographerCommented:
Add only the groups whom you want to be able to change the time - remove anyone else. Add Groups - not users its easier to manage that way.

You also need to run gpupdate on the DC
0
 
Netman66Commented:
A normal "user" cannot change the system time.

Remove any "user" account from Power User or Administrators local groups on the workstations.

0
 
light-blueAuthor Commented:
I'm sure that I'm doing something wrong. It's probably basic. Below are partial results  from gpresult on a workstation.

Any thoughts?

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Prevent-Change-Clock-OfficeView
         Filtering:  Not Applied (Empty)

     Local Group Policy
         Filtering:  Not Applied (Empty)
0
 
Netman66Commented:
Prevent-Change-Clock-OfficeView
         Filtering:  Not Applied (Empty)

This states there is no content in it that changed.

Like I stated earlier, a normal User cannot change the system time on a domain joined PC.

0
 
light-blueAuthor Commented:
In this case, the users at each workstation are Administrators. My hope is to bypass the ability of the local administrators from changing the system time.
0
 
Netman66Commented:
Well, this type of access cannot be blocked as long as they are local Admins.

The Group Policy element you refer to only grants permissions to Change the System time to groups that ordinarily DO NOT have this right.  It will not remove default behaviour or Administrators or Power Users.

0
 
light-blueAuthor Commented:
Netman, okay, is there an alternative?
0
 
J_RHobbsCommented:
Actually if you set the "Change the system time" Attribute to "Domain Admins" Only, even the local admins will not be able to change the system time. They can not even double click the time to view the calendar, which is upsetting everyone...
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.