How do I allow domain users access to modify the time/clock w/o giving power user/admin privilege

MY GOAL: let users change time/clock without giving them Power User or Admin privilege

I have been trying to grant the domain users of the company access to change the time in the clock in the taskbar. Every time they click on it, it says "You do not have the proper privilege level to change the System Time".

I have tried applying a GPO in a separate OU using the "Security Settings \ Local Policies \ User Rights Assignment \ change system time", then I add the user I want to give access to. The result of this is that it doesn't work.
I have even tried changing this in the "Default Domain Security Settings" and it still didn't work. (Maybe I applied the GPO wrong, even though I don't think I did. I figured if I changed the DEFAULT DOMAIN SECURITY SETTINGS that would be fail-proof, but I guess it still didn't work.)

I have also tried NT rights using the ntrights +r SeSystemtimePrivilege -u <username>
and the ntrights also failed to work.

At this point I don't care if everyone ends up with access to change the time (although I would rather just have it for one group, but like I said, at this point I don't care if everyone can). I just want to be able to let my users or everyone change the time. Can someone please help!



xeonox Asked:

lamaslany Commented:
Power Management is controlled in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Controls Folder\PowerCfg

You should be able to use a GPO to set permissions on this registry key:

Policy
> Computer Configuration
>> Windows Settings
>>> Security Settings
>>>> Registry

Grant 'INTERACTIVE' the 'Set Value' and 'Create SubKey' rights on the GlobalPowerPolicy and PowerPolicies keys.


"Change system time" can be modified using the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation

You should be able to use a GPO to set permissions on this registry key:

Policy
> Computer Configuration
>> Windows Settings
>>> Security Settings
>>>> Registry

Grant 'INTERACTIVE' the following rights on the key:
* Query Value
* Set Value
* Create Subkey
* Enumerate Subkey
* Notify
* Read Control

Again if you don't want all users to have this right replace INTERACTIVE with the user/group name(s).
0
lamaslany Commented:
Sorry - misread power user as power settings!
0
xeonox Author Commented:
Thanks for trying, maybe you didn't understand my question, power management has nothing to do with the question. I stated "power user", which is a type of user account.

Your solution won't work for me for 2 reasons: 1st of all, I don't want to grant access to the users to change the registry; 2nd of all, a registry change won't work because the group policy will override any manual registry change.

Does anyone have any other solution?
0

djMundy Commented:
Hi xeonox,

Did you know that if a computer's clock is more than 5 minutes faster or slower than the Domain Controller's clock, that the PC will no longer be able to authenticate to the domain? It may not be such a good idea to allow your users to change the time, or you'll find that they can no longer log in. If that happens, you'll need to know the local admin password so that you can fix the time again.

Cheers,
Daniel
0
lamaslany Commented:
As I say I spotted my mistake as soon as I posted.

The second part of the post is pushed via Group Policy - it is not a manual registry change.  Users do not need to manipulate the registry.
0
xeonox Author Commented:
djMundy, I know, the time threshold can be changed via the registry, so I'm not worried.

lamaslany, can you explain a little better? I think you confused me.
0
lamaslany Commented:
For clarity I will repost the relevant section:
----------------------------------------------------

This bit was just a bit of information explaining how the GPO would work:
"Change system time" can be modified using the registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation

This bit explains it is possible to make the change via GPO:
You should be able to use a GPO to set permissions on this registry key:

This is where to set the policy:
Policy
> Computer Configuration
>> Windows Settings
>>> Security Settings
>>>> Registry

And this is the settings needed:
Grant 'INTERACTIVE' the following rights on the key:
* Query Value
* Set Value
* Create Subkey
* Enumerate Subkey
* Notify
* Read Control

Finally this explains that you can tailor the solution.  In your case it may be a domain group that has just the accounts of those users you want to be able to modify the time:
Again if you don't want all users to have this right replace INTERACTIVE with the user/group name(s).


0
xeonox Author Commented:
Should I change that on the "Default Domain Policy" or "Default Domain Controllers Policy"?
0
lamaslany Commented:
You should be aware that djMundy makes a very good point.  While users may not deliberately change the time to be 10 minutes out they might naively change it by a few hours rather than changing the timezone or accidentally change the date if using it to look up dates.
0
xeonox Author Commented:
Oh, and where is the INTERACTIVE at? I don't see that anywhere.
0
lamaslany Commented:
It depends on the scope:
* if you want them to be able to change it on all computers in the domain apply it to the "Default Domain Policy"
* if you want them to be able to change it just on your DCs (I cannot think why you would!) apply it to the "Default Domain Controllers Policy"

Or you could create a new policy and apply it to a limited selection of PCs.
0
xeonox Author Commented:
How does the INTERACTIVE thing work that you mentioned? I would rather grant it to only 1 person, so I would rather figure out how to do it that way.
0
lamaslany Commented:
INTERACTIVE is a special group - if you type the full name it should pick it up.
0
xeonox Author Commented:
Didn't work for some reason. Do I also have to do the "Security Settings \ Local Policies \ User Rights Assignment\change system time" policy?
0
xeonox Author Commented:
http://img139.imageshack.us/img139/9679/17749503nh8.jpg
That's a pic of what I did for "testuser", which is the domain user I am trying to give access to. Do you see anything wrong?
0
xeonox Author Commented:
Sorry, my last statement was confusing. What I meant is:

Here is a link to what I did: http://img139.imageshack.us/img139/9679/17749503nh8.jpg
That's a pic of what I did for the user account of "testuser".
Do you see anything wrong?

0
xeonox Author Commented:
Group Policy Management
Default Domain Controllers Policy
Data collected on: 2/1/2008 8:12:22 AM

General
Details
Domain csszone.com
Owner CSSZONE\Domain Admins
Created 1/7/2008 8:41:36 PM
Modified 2/1/2008 1:37:16 AM
User Revisions 0 (AD), 0 (sysvol)
Computer Revisions 8 (AD), 8 (sysvol)
Unique ID {6AC1786C-016F-11D2-945F-00C04FB984F9}
GPO Status Enabled

Links
Location Enforced Link Status Path
Domain Controllers Yes Enabled csszone.com/Domain Controllers

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name None
Description Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name Allowed Permissions Inherited
CSSZONE\Domain Admins Edit settings, delete, modify security No
CSSZONE\Enterprise Admins Edit settings, delete, modify security No
NT AUTHORITY\Authenticated Users Read (from Security Filtering) No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS Read No
NT AUTHORITY\SYSTEM Edit settings, delete, modify security No

Computer Configuration (Enabled)
Windows Settings
Security Settings
Local Policies/Audit Policy
Policy Setting
Audit account logon events Success
Audit account management Success
Audit directory service access Success
Audit logon events Success
Audit object access No auditing
Audit policy change Success
Audit privilege use No auditing
Audit process tracking No auditing
Audit system events Success

Local Policies/User Rights Assignment
Policy Setting
Access this computer from the network BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
Act as part of the operating system  
Add workstations to domain NT AUTHORITY\Authenticated Users
Adjust memory quotas for a process BUILTIN\Administrators, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Allow log on locally BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Account Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Back up files and directories BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Bypass traverse checking BUILTIN\Pre-Windows 2000 Compatible Access, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators, Everyone
Change the system time NT AUTHORITY\INTERACTIVE, BUILTIN\Server Operators, NT AUTHORITY\LOCAL SERVICE, CSSZONE\testuser, CSSZONE\Domain Users, BUILTIN\Administrators, BUILTIN\Users
Create a pagefile BUILTIN\Administrators
Create a token object  
Create permanent shared objects  
Debug programs BUILTIN\Administrators
Deny access to this computer from the network CSSZONE\SUPPORT_388945a0
Deny log on as a batch job  
Deny log on as a service  
Deny log on locally CSSZONE\SUPPORT_388945a0
Enable computer and user accounts to be trusted for delegation BUILTIN\Administrators
Force shutdown from a remote system BUILTIN\Server Operators, BUILTIN\Administrators
Generate security audits NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Increase scheduling priority BUILTIN\Administrators
Load and unload device drivers BUILTIN\Print Operators, BUILTIN\Administrators
Lock pages in memory  
Log on as a batch job CSSZONE\SUPPORT_388945a0, NT AUTHORITY\LOCAL SERVICE
Log on as a service NT AUTHORITY\NETWORK SERVICE
Manage auditing and security log BUILTIN\Administrators
Modify firmware environment values BUILTIN\Administrators
Profile single process BUILTIN\Administrators
Profile system performance BUILTIN\Administrators
Remove computer from docking station BUILTIN\Administrators
Replace a process level token NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Shut down the system BUILTIN\Print Operators, BUILTIN\Server Operators, BUILTIN\Backup Operators, BUILTIN\Administrators
Synchronize directory service data  
Take ownership of files or other objects BUILTIN\Administrators

Local Policies/Security Options
Domain Controller
Policy Setting
Domain controller: LDAP server signing requirements None

Domain Member
Policy Setting
Domain member: Digitally encrypt or sign secure channel data (always) Enabled

Microsoft Network Server
Policy Setting
Microsoft network server: Digitally sign communications (always) Enabled
Microsoft network server: Digitally sign communications (if client agrees) Enabled

Network Security
Policy Setting
Network security: LAN Manager authentication level Send NTLM response only

Registry
MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Configure this key then: Propagate inheritable permissions to all subkeys
Owner
Permissions
Type Name Permission Apply To
Allow BUILTIN\Administrators Full control This key and subkeys
Allow CREATOR OWNER Full control This key and subkeys
Allow NT AUTHORITY\SYSTEM Full control This key and subkeys
Allow BUILTIN\Users Full control This key and subkeys
Allow inheritable permissions from the parent to propagate to this object and all child objects Disabled
Auditing
No auditing specified
User Configuration (Enabled)
No settings defined.

0
xeonox Author Commented:
Well, I got it to work. I used the following ntrights at the command prompt on the server:

ntrights -m \\computername +r SeSystemtimePrivilege -u username
then I ran "gpupdate"

Then on the client's machine I rebooted and it worked!!!

Hope this helps a lot of people, I couldn't find too much about this on Google.

Thanks lamaslany for the help, you still showed me some things I didn't know about and helped me the most, so I'll give you the points.
0
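
Added example, not part of the thread and not code from any participant: a user right such as SeSystemtimePrivilege is enforced by the machine the user logs on to, so this PowerShell script exports that machine's effective user rights with secedit and lists which accounts hold "Change the system time". It assumes PowerShell 3.0 or later and an elevated prompt; the function name Get-UserRightHolder and the temp file name are illustrative.

```powershell
# Added example: who holds a given user right on THIS machine?
# Get-UserRightHolder is a hypothetical helper name, not a built-in cmdlet.
function Get-UserRightHolder {
    param(
        [Parameter(Mandatory)] [string[]] $InfLines,   # lines of a secedit export
        [string] $Right = 'SeSystemtimePrivilege'
    )
    $pattern   = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    $inSection = $false
    foreach ($line in $InfLines) {
        # Track which [Section] of the INF we are in
        if ($line -match '^\s*\[(.+)\]\s*$') {
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection -or $line -notmatch $pattern) { continue }

        foreach ($entry in ($Matches[1] -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            if ($entry.StartsWith('*')) {
                # secedit writes SIDs as *S-1-...; resolve to a name when possible
                $sid = $entry.Substring(1)
                try {
                    $name = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
                } catch {
                    $name = '(unresolved SID)'   # e.g. deleted account or unreachable domain
                }
                [pscustomobject]@{ Right = $Right; Sid = $sid; Account = $name }
            } else {
                # Entries without '*' are stored as plain account names
                [pscustomobject]@{ Right = $Right; Sid = $null; Account = $entry }
            }
        }
    }
}

# Export only the user-rights area of the effective security policy, then parse it
$cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # illustrative file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
Get-UserRightHolder -InfLines (Get-Content $cfg) | Format-Table -AutoSize
Remove-Item $cfg
```

Run it on the client after `gpupdate` and a reboot; an empty result means the right is not assigned to anyone on that machine.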

Windows Server 2003