Batch file to lock down ability to change time

I have 200 remote Windows XP Pro machines that are not on a domain, workgroup only.  I  want to lock down the ability to change the windows time.  I want to allow the local administrator account the ability to change the windows time, all 200 machines have the same local admin password.  I know you can lock down the system time from the local security settings>user rights assignment.  My question is, can you create a batch file that will do this?  If so, give me an example on creating such a batch file.
LVL 1
POINTGREENAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

johnb6767Commented:
Are they local admins?

If they are not local admins, this should work ok..... Edits the ACL so that the Users group is denied access to timedate.cpl.....


@echo off
xcacls C:\WINDOWS\system32\timedate.cpl /e /d Users
exit

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
POINTGREENAuthor Commented:
The particular user account that is logged in, Yes, they are local admins.  But I want to prevent them from changing the time.  I also don't want to login as another user in order to run this batch file.  
0
POINTGREENAuthor Commented:
Basically, I want only the Administrator account, not the group Administrators ability to change time.  
0
Webinar: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. Join us in our upcoming webinar as we discuss how to best defend against these attacks!

POINTGREENAuthor Commented:
Show me an example of your batch file, that only allows the Administrator account access.  I've tried your example a few ways, but can't get it to work.  Show me the light, I must be doing something wrong.  
0
POINTGREENAuthor Commented:
Also, keep in mind simplicity.  I don't want to install xcalcs.exe on 200 machines in order to run your script example.  Is there another way to run this?
0
POINTGREENAuthor Commented:
This is what I was looking for:
@echo off
cacls C:\WINDOWS\system32\timedate.cpl /e /p Administrator:n
exit
0
POINTGREENAuthor Commented:
xcacls is not installed by default on Windows XP machines..
0
johnb6767Commented:
xcacls is already there on XP...... Or should be if I am not mistaken...... Not on Home.....

Doing it via xcacls is probably not going to work well..... Cant allow Administrator, and then deny the group "Administrators"... Just doesnt work that way.

We are going to have to look at a reg script method, and probably use psexec to push out the script to each machine.......

Is it causing you problems with them changing the time?



0
johnb6767Commented:
Youre right, its in the 2003 support tools..... My bad....  :)
0
POINTGREENAuthor Commented:
This is what I actually went with:  

@echo off
cacls C:\WINDOWS\system32\timedate.cpl /e /d "user account"
exit

The particular account I want to deny has a space in it, so if you put quotations in, it works.  Yes, the problem is with users changing the time.  
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.