Solved

GPO: Block everyone on "Change the System Time"

Posted on 2007-11-28
Last Modified: 2013-12-04
In Windows 2003 server, how do I create a GPO to prevent everyone in the domain from changing the system clock? Our domain syncs with a stratum 2 time server and correctly updates the workstations with that time. I don't want users to adjust their clocks due to a time-keeping application used in payroll which logs the start and end time of employees' shifts based on workstation time.
Question by:light-blue
11 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20370411
Configure the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignments -> "Change the system time" option in the domain security policy; you can add/remove the groups as desired.
0
 
LVL 1

Author Comment

by:light-blue
ID: 20370662
Yes, but what is the "as desired" part? I included only ourDomain\Administrator, then ran gpupdate /force on a client machine, but it didn't apply properly. I can post the gpresult, but it talks about (empty).

0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370705
Add only the groups that you want to be able to change the time - remove anyone else. Add groups, not users; it's easier to manage that way.

You also need to run gpupdate on the DC
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20370846
A normal "user" cannot change the system time.

Remove any "user" account from Power User or Administrators local groups on the workstations.

0
 
LVL 1

Author Comment

by:light-blue
ID: 20376156
I'm sure that I'm doing something wrong. It's probably basic. Below are partial results from gpresult on a workstation.

Any thoughts?

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Prevent-Change-Clock-OfficeView
         Filtering:  Not Applied (Empty)

     Local Group Policy
         Filtering:  Not Applied (Empty)
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376276
Prevent-Change-Clock-OfficeView
         Filtering:  Not Applied (Empty)

This states there is no content in it that changed.

Like I stated earlier, a normal User cannot change the system time on a domain joined PC.

0
 
LVL 1

Author Comment

by:light-blue
ID: 20376292
In this case, the users at each workstation are Administrators. My hope is to bypass the ability of the local administrators from changing the system time.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376553
Well, this type of access cannot be blocked as long as they are local Admins.

The Group Policy element you refer to only grants permissions to Change the System time to groups that ordinarily DO NOT have this right. It will not remove default behaviour of Administrators or Power Users.

0
 
LVL 1

Author Comment

by:light-blue
ID: 20376814
Netman, okay, is there an alternative?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 20376918
Not that I am aware of.

Remove them from the Admin group.  Is there a reason they are local admins on domain-joined PCs?  That really is asking for Malware, Rootkits and Virus issues - if you don't already have one.

0
 

Expert Comment

by:J_RHobbs
ID: 21692327
Actually if you set the "Change the system time" Attribute to "Domain Admins" Only, even the local admins will not be able to change the system time. They can not even double click the time to view the calendar, which is upsetting everyone...
0
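
One way to check on a workstation which accounts actually hold the "Change the system time" right (privilege constant SeSystemtimePrivilege) once gpupdate has run. This is an added example, not part of the original thread; it assumes Windows PowerShell is installed and the prompt is elevated, and the function name Get-UserRightHolder is hypothetical.

```powershell
# Added example: list which accounts hold "Change the system time"
# (SeSystemtimePrivilege) in the effective local security policy.
# Assumption: run from an elevated prompt on the workstation after gpupdate.
# Get-UserRightHolder is a hypothetical helper name, not a built-in cmdlet.

function Get-UserRightHolder {
    param(
        [string]$Right = 'SeSystemtimePrivilege'
    )

    $cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
    try {
        # secedit writes the effective user rights assignment to an INF file
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if (-not (Test-Path $cfg)) {
            throw "secedit export failed (is the prompt elevated?)"
        }

        # Lines look like: SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
        $line = Get-Content $cfg | Where-Object { $_ -match "^\s*$Right\s*=" }
        if (-not $line) {
            return @()   # the right is not assigned to anyone
        }

        $entries = ($line -split '=', 2)[1].Split(',')
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if ($entry -eq '') { continue }
            if ($entry.StartsWith('*')) {
                # A "*" prefix marks a SID; try to resolve it to an account name
                $sidText = $entry.Substring(1)
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $sidText   # unresolved SID, e.g. a deleted account
                }
            } else {
                $entry         # already stored as an account name
            }
        }
    } finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

Get-UserRightHolder
```

If the domain policy applied, the output lists only the groups set in the GPO; if BUILTIN\Administrators or Power Users still appear, the workstation is still using its default assignment.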
