GPO to set who can change the system time

I have a similar question already open, but this question is specific to the actual group policy I have already set up. (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23120216.html)

I have 2 users that I want to restrict from changing the time on certain machines or all machines, either is ok.
So what I did was create a user group with every user except these 2. I called it time changers. In the OU where all my users exist I created a GPO called time changers and only modified 1 setting: computer config > windows settings > security settings > local policy > user rights > Change the system time. I set this to enabled and added the time changers group.
This in effect should allow anyone in this group to change the system time regardless of their permissions on the local system, right? Well, it's not working and here's what I'm getting.

User1 is local admin but not a member of time changers - he can change the time.
User2 is just in the users group on the local machine and not a member of time changers - he can't change the time.
I add User2 to the time changers group but keep him just a local user on the PC - he still can't change the time.

I run gpresult at this time to see what policies are going into effect. Here's what I get:

Applied GPOs
Name                                                 Link Location                         revision
Default domain policy                        mydomain.com                       AD(20), Sysvol (20)

Denied GPOs
Name                                               Link Location                           Reason Denied
Local Group policy                            local                                        Empty
time changers                                  mydomain.com/myOU             Empty

So why does it show the policy as empty? I've triple checked that the group is added to the GPO setting I listed above. What am I missing here?
js479 Asked:

newborn1281 Commented:
By modifying a setting in computer config, it will work only on computers you have in that OU. If you want the setting to take effect on users, you have to change user configs.

newborn1281 Commented:
To clear it up:
In a GPO you have 2 sections
Computer Config
and
User Config

Computer configs will affect only computer accounts in AD.
User configs will take effect only on users.

js479 Author Commented:
Does this setting exist on the user config side?

newborn1281 Commented:
No, unfortunately only on the computer side.

js479 Author Commented:
So if I make a new OU and drop all the computers I want restricted in it, then the users defined in my time changers GPO will be the only ones able to change the time on the computers in that OU, that sound right?

newborn1281 Commented:
If you said that you can block all machines, just apply this policy on the domain level and it will block all machines from changing time.

newborn1281 Commented:
No, it will block on a computer name basis, so if you drop all computers in there it will block time change on all computers, "not" by user. The computer configs do not apply to users.

js479 Author Commented:
Unfortunately we need to block certain users from making changes to only certain machines. While this certainly isn't as easy as I would like, it seems like it will get the job done.
Going to test it now.

js479 Author Commented:
"no it will block by computer name basis so if you drop all computers in there it will block time change on all computers "not" by user  the computer configs do not apply to users."
But in the policy, under computer setting, you specify which USERS CAN change the time. So I understand that the GPO only applies to computers in the OU, but the setting in the GPO applies to USERS I choose.
So computers1-5 are in OU nochangetime.
OU nochangetime has GPO enabled that says only users1-5 can change the system time.

So on computers1-5 only users1-5 will be able to change the system time, all other users will be restricted from making a time change on these computers.

newborn1281 Commented:
Let's see.
Create a group ("allowed users"; add the users you want to allow access to that group) and apply this policy to the container where all the computer accounts exist.
What should happen is that people you specify could modify time on any machine in that OU and people not included in that group will not be able to. But you have to apply this GPO in the container where the computer accounts are and not users (applying it to users is optional but won't take any effect).

newborn1281 Commented:
Don't forget to add that user group "allowed users" to that policy.

newborn1281 Commented:
I believe what you did in the beginning is correct, but you applied the policy to users instead of computers.

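One way to confirm the outcome discussed above, as an added example that is not part of any participant's post: on a computer whose account is in the OU the GPO is linked to, export the user rights assignments with secedit and check that the intended group holds SeSystemtimePrivilege (the constant behind "Change the system time"). The group name MYDOMAIN\time changers and the function names are assumptions for illustration.

```powershell
# Added example (not from the thread). Run elevated on a computer whose
# account is in the OU the GPO is linked to, after the policy has refreshed.
# $ExpectedGroup is an assumed name; substitute your own DOMAIN\group.
param(
    [string]$ExpectedGroup = 'MYDOMAIN\time changers'
)

function Resolve-RightEntry {
    param([string]$Entry)
    # secedit writes SIDs as "*S-1-5-..."; anything else is already a name.
    if ($Entry -match '^\*(S-1-.+)$') { $sidText = $Matches[1] } else { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $sidText   # SID that no longer resolves: report it raw
    }
}

function Get-SystemTimeRightHolders {
    $inf = Join-Path $env:TEMP 'user_rights.inf'
    # Export only the user rights section of this machine's security settings.
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $inf | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' }
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
    if (-not $line) { return @() }   # nobody is assigned the right
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { Resolve-RightEntry $_.Trim() }
}

$holders = @(Get-SystemTimeRightHolders)
$holders | ForEach-Object { "Change the system time: $_" }

# -contains compares strings case-insensitively, matching how Windows treats names.
if ($holders -contains $ExpectedGroup) {
    "OK: $ExpectedGroup holds the right on $env:COMPUTERNAME"
} else {
    "MISSING: $ExpectedGroup is not listed; check that the GPO is linked to the OU holding this computer account"
}
```
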
Jessie Gill, CISSP, Technical Architect Commented:
Make an OU under your current OU that holds your computer accounts and call it denied time change (name it what you want). Drop in the computers that you do not want the time changed on (probably the ones that those 2 users you don't want changing the time work on). Leave the rest of your machines in their original OU.

Set up the group policies on the denied time change OU so it blocks time changes.
If you want, you can set up the GPO to allow time change on the original OU. This will make it so computers in our original OU can change time, but in the other OU they cannot.

Even though you have set the time change to allow on the original OU, those changes don't affect the child OU you made with the denied computers, since the same GPO is set to deny. The last policy applied will win.

js479 Author Commented:
Thank you - it's not the perfect solution since every new user will need to be added to the "allowed" group but it works.