Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

GPO: Block everyone on "Change the System Time"

Posted on 2007-11-28
11
Medium Priority
?
2,243 Views
Last Modified: 2013-12-04
In Windows 2003 server, how do I create a GPO to prevent everyone in the domain from changing the system clock? Our domain sync's with a stratum 2 time server and correctly updates the workstations with that time. I don't want users to adjust their clocks due to a time-keeping application used in payroll which logs the start and end time of employees' shifts based on workstation time.
0
Comment
Question by:light-blue
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 4
  • 2
  • +1
11 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 20370411
Configure the
Computer Configureation->Windows Settings->Security Settings -> Local Policies -> User Rights Assignments -> "Change the system time" option in the domain security policy can add/remove the groups as desired
0
 
LVL 1

Author Comment

by:light-blue
ID: 20370662
yes, but what is the "as desired part"? I included only ourDomain\Administrator, then ran gpupdate /force on a client machine, but it didn't apply properly. I can post the gpresult, but it talks about (empty)

0
 
LVL 70

Expert Comment

by:KCTS
ID: 20370705
Add only the groups whom you want to be able to change the time - remove anyone else. Add Groups - not users its easier to manage that way.

You also need to run gpupdate on the DC
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 51

Expert Comment

by:Netman66
ID: 20370846
A normal "user" cannot change the system time.

Remove any "user" account from Power User or Administrators local groups on the workstations.

0
 
LVL 1

Author Comment

by:light-blue
ID: 20376156
I'm sure that I'm doing something wrong. It's probably basic. Below are partial results  from gpresult on a workstation.

Any thoughts?

 The following GPOs were not applied because they were filtered out
 -------------------------------------------------------------------
     Prevent-Change-Clock-OfficeView
         Filtering:  Not Applied (Empty)

     Local Group Policy
         Filtering:  Not Applied (Empty)
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376276
Prevent-Change-Clock-OfficeView
         Filtering:  Not Applied (Empty)

This states there is no content in it that changed.

Like I stated earlier, a normal User cannot change the system time on a domain joined PC.

0
 
LVL 1

Author Comment

by:light-blue
ID: 20376292
In this case, the users at each workstation are Administrators. My hope is to bypass the ability of the local administrators from changing the system time.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 20376553
Well, this type of access cannot be blocked as long as they are local Admins.

The Group Policy element you refer to only grants permissions to Change the System time to groups that ordinarily DO NOT have this right.  It will not remove default behaviour or Administrators or Power Users.

0
 
LVL 1

Author Comment

by:light-blue
ID: 20376814
Netman, okay, is there an alternative?
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 2000 total points
ID: 20376918
Not that I am aware of.

Remove them from the Admin group.  Is there a reason they are local admins on domain-joined PCs?  That really is asking for Malware, Rootkits and Virus issues - if you don't already have one.

0
 

Expert Comment

by:J_RHobbs
ID: 21692327
Actually if you set the "Change the system time" Attribute to "Domain Admins" Only, even the local admins will not be able to change the system time. They can not even double click the time to view the calendar, which is upsetting everyone...
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Our Group Policy work started with Small Business Server in 2000. Microsoft gave us an excellent OU and GPO model in subsequent SBS editions that utilized WMI filters, OU linking, and VBS scripts. These are some of experiences plus our spending a lo…
I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Hi friends,  in this video  I'll show you how new windows 10 user can learn the using of windows 10. Thank you.

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question