js479
asked on
restrict users from changing the time on certain machines.
I'd like to restrict certain users from changing the time on certain machines.
I figured a GPO applied to the machines with a restriction based on user would work but in the GPO the setting is who is allowed to change it. The allow list would be extremely large, I just need to deny this right to 2 accounts.
Anyone have any suggestions?
This is a windows XP and windows 2003 network. I need to restrict 2 users from changing the time on 50 machines.
I figured a GPO applied to the machines with a restriction based on user would work but in the GPO the setting is who is allowed to change it. The allow list would be extremely large, I just need to deny this right to 2 accounts.
Anyone have any suggestions?
This is a windows XP and windows 2003 network. I need to restrict 2 users from changing the time on 50 machines.
Might almost be easier to simply deny access to c:\windows\system32\timeda te.cpl, for those 2 users, on each machine. perhaps an addition to the login script?
Use ntrights.exe (resource kit) to deny these 2 users the "SeSystemTimePrivilege". More info here: http://support.microsoft.com/kb/245207
ASKER
johnb6767 - there is no login script currently, so that would be even more work, though doable if no other solutions exist.
LauraEHunterMVP - I'll check into that tool. I see that it's a NT tool but I'll assume since you recommended it that it's in the 2003 recourse kit.
LauraEHunterMVP - I'll check into that tool. I see that it's a NT tool but I'll assume since you recommended it that it's in the 2003 recourse kit.
Put these 2 users in an OU, Link a new GPO to that OU, disable computer settings on that GPO. Set "User Configuration, Administrative Templates, Control Panel, Hide Specific Control Panel Applets , add "timedate.cpl" to the list.
I think it's the best configuration and you can add another user later if you want by minimum administrative effort.
I think it's the best configuration and you can add another user later if you want by minimum administrative effort.
ASKER
majidhajali - That is more what I was looking for but it only hides the date/time applet in the control panel. Users can still right click the clock or double click the clock and adjust the time.
I really don't want to have to deal with login scripts if it can be done with GPO, GPO is so much easier.
I really don't want to have to deal with login scripts if it can be done with GPO, GPO is so much easier.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Closed, 500 points refunded.
Vee_Mod
Community Support Moderator
Vee_Mod
Community Support Moderator