• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1405
  • Last Modified:

restrict users from changing the time on certain machines.

I'd like to restrict certain users from changing the time on certain machines.
I figured a GPO applied to the machines with a restriction based on user would work but in the GPO the setting is who is allowed to change it. The allow list would be extremely large, I just need to deny this right to 2 accounts.
Anyone have any suggestions?

This is a windows XP and windows 2003 network. I  need to restrict 2 users from changing the time on 50 machines.
1 Solution
Might almost be easier to simply deny access to c:\windows\system32\timedate.cpl, for those 2 users, on each machine. perhaps an addition to the login script?
Use ntrights.exe (resource kit) to deny these 2 users the "SeSystemTimePrivilege".  More info here: http://support.microsoft.com/kb/245207
js479Author Commented:
johnb6767 - there is no login script currently, so that would be even more work, though doable if no other solutions exist.

LauraEHunterMVP - I'll check into that tool. I see that it's a NT tool but I'll assume since you recommended it that it's in the 2003 recourse kit.
Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Put these 2 users in an OU, Link a new GPO to that OU, disable computer settings on that GPO. Set "User Configuration, Administrative Templates, Control Panel, Hide Specific Control Panel Applets , add "timedate.cpl" to the list.
I think it's the best configuration and you can add another user later if you want by minimum administrative effort.
js479Author Commented:
majidhajali - That is more what I was looking for but it only hides the date/time applet in the control panel. Users can still right click the clock or double click the clock and adjust the time.

I really don't want to have to deal with login scripts if it can be done with GPO, GPO is so much easier.

js479Author Commented:
I opened another question specific to the GPO and found my solution there.
I ended up creating a group with all users but the 2 i wanted to restrict, make a new OU, apply a GPO to only allow said group to change the system time, then add the computers i want restricted into that OU.
It's a long way of just locking out 2 users but it works.
Closed, 500 points refunded.
Community Support Moderator

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Tackle projects and never again get stuck behind a technical roadblock.
Join Now