We help IT Professionals succeed at work.

restrict users from changing the time on certain machines.

js479 asked
I'd like to restrict certain users from changing the time on certain machines.
I figured a GPO applied to the machines with a restriction based on user would work but in the GPO the setting is who is allowed to change it. The allow list would be extremely large, I just need to deny this right to 2 accounts.
Anyone have any suggestions?

This is a windows XP and windows 2003 network. I  need to restrict 2 users from changing the time on 50 machines.
Watch Question

Most Valuable Expert 2011
Top Expert 2011

Might almost be easier to simply deny access to c:\windows\system32\timedate.cpl, for those 2 users, on each machine. perhaps an addition to the login script?
Use ntrights.exe (resource kit) to deny these 2 users the "SeSystemTimePrivilege".  More info here: http://support.microsoft.com/kb/245207


johnb6767 - there is no login script currently, so that would be even more work, though doable if no other solutions exist.

LauraEHunterMVP - I'll check into that tool. I see that it's a NT tool but I'll assume since you recommended it that it's in the 2003 recourse kit.
Put these 2 users in an OU, Link a new GPO to that OU, disable computer settings on that GPO. Set "User Configuration, Administrative Templates, Control Panel, Hide Specific Control Panel Applets , add "timedate.cpl" to the list.
I think it's the best configuration and you can add another user later if you want by minimum administrative effort.


majidhajali - That is more what I was looking for but it only hides the date/time applet in the control panel. Users can still right click the clock or double click the clock and adjust the time.

I really don't want to have to deal with login scripts if it can be done with GPO, GPO is so much easier.

I opened another question specific to the GPO and found my solution there.
I ended up creating a group with all users but the 2 i wanted to restrict, make a new OU, apply a GPO to only allow said group to change the system time, then add the computers i want restricted into that OU.
It's a long way of just locking out 2 users but it works.

Closed, 500 points refunded.
Community Support Moderator

Explore More ContentExplore courses, solutions, and other research materials related to this topic.