restrict users from changing the time on certain machines.

I'd like to restrict certain users from changing the time on certain machines.
I figured a GPO applied to the machines with a restriction based on user would work but in the GPO the setting is who is allowed to change it. The allow list would be extremely large, I just need to deny this right to 2 accounts.
Anyone have any suggestions?

This is a windows XP and windows 2003 network. I  need to restrict 2 users from changing the time on 50 machines.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Might almost be easier to simply deny access to c:\windows\system32\timedate.cpl, for those 2 users, on each machine. perhaps an addition to the login script?
Use ntrights.exe (resource kit) to deny these 2 users the "SeSystemTimePrivilege".  More info here:
js479Author Commented:
johnb6767 - there is no login script currently, so that would be even more work, though doable if no other solutions exist.

LauraEHunterMVP - I'll check into that tool. I see that it's a NT tool but I'll assume since you recommended it that it's in the 2003 recourse kit.
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Put these 2 users in an OU, Link a new GPO to that OU, disable computer settings on that GPO. Set "User Configuration, Administrative Templates, Control Panel, Hide Specific Control Panel Applets , add "timedate.cpl" to the list.
I think it's the best configuration and you can add another user later if you want by minimum administrative effort.
js479Author Commented:
majidhajali - That is more what I was looking for but it only hides the date/time applet in the control panel. Users can still right click the clock or double click the clock and adjust the time.

I really don't want to have to deal with login scripts if it can be done with GPO, GPO is so much easier.

js479Author Commented:
I opened another question specific to the GPO and found my solution there.
I ended up creating a group with all users but the 2 i wanted to restrict, make a new OU, apply a GPO to only allow said group to change the system time, then add the computers i want restricted into that OU.
It's a long way of just locking out 2 users but it works.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Closed, 500 points refunded.
Community Support Moderator
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.