We help IT Professionals succeed at work.

restrict users from changing the time on certain machines.

js479
js479 asked
on
I'd like to restrict certain users from changing the time on certain machines.
I figured a GPO applied to the machines with a restriction based on user would work but in the GPO the setting is who is allowed to change it. The allow list would be extremely large, I just need to deny this right to 2 accounts.
Anyone have any suggestions?

This is a windows XP and windows 2003 network. I  need to restrict 2 users from changing the time on 50 machines.
Comment
Watch Question

CERTIFIED EXPERT
Most Valuable Expert 2011
Top Expert 2011

Commented:
Might almost be easier to simply deny access to c:\windows\system32\timedate.cpl, for those 2 users, on each machine. perhaps an addition to the login script?
Use ntrights.exe (resource kit) to deny these 2 users the "SeSystemTimePrivilege".  More info here: http://support.microsoft.com/kb/245207

Author

Commented:
johnb6767 - there is no login script currently, so that would be even more work, though doable if no other solutions exist.

LauraEHunterMVP - I'll check into that tool. I see that it's a NT tool but I'll assume since you recommended it that it's in the 2003 recourse kit.
Put these 2 users in an OU, Link a new GPO to that OU, disable computer settings on that GPO. Set "User Configuration, Administrative Templates, Control Panel, Hide Specific Control Panel Applets , add "timedate.cpl" to the list.
I think it's the best configuration and you can add another user later if you want by minimum administrative effort.

Author

Commented:
majidhajali - That is more what I was looking for but it only hides the date/time applet in the control panel. Users can still right click the clock or double click the clock and adjust the time.

I really don't want to have to deal with login scripts if it can be done with GPO, GPO is so much easier.

Commented:
I opened another question specific to the GPO and found my solution there.
I ended up creating a group with all users but the 2 i wanted to restrict, make a new OU, apply a GPO to only allow said group to change the system time, then add the computers i want restricted into that OU.
It's a long way of just locking out 2 users but it works.

Commented:
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator

Explore More ContentExplore courses, solutions, and other research materials related to this topic.