I have a similar question already open but this question is specific to the actually group policy I have already setup. (http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23120216.html
I have 2 users that I want to restrict from changing the time on certain machines or all machines, either is ok.
So what I did was create a user group with every user except these 2. I called it time changers. In the OU that all my users exist I created a GPO called time changers and only modified 1 setting, computer config >windows settings > security settings > local policy > user rights > Change the system time - I set this to enabled and added the time changers group.
This in effect should allow anyone in this group to change the system time regardless of their permissions on the local system, right? well it's not working and here's what I'm getting.
User1 is local admin but not a member of time changers - he can change the time.
User2 is just in the users group on the local machine and not a member of time changers - he can't change the time.
I add User2 to the time changers group but keep him just a local user on the PC - he still can't change the time.
I run gpresult at this time to see what policies are going into effect. He's what I get:
Name Link Location revision
Default domain policy mydomain.com AD(20), Sysvol (20)
Name Link Location Reason Denied
Local Group policy local Empty
time changers mydomain.com/myOU Empty
So why does it show the policy as empty? I've triple checked that the group is added to the GPO setting I listed above, what am i missing here?