Link to home
Start Free TrialLog in
Avatar of POINTGREEN
POINTGREENFlag for United States of America

asked on

Batch file to lock down ability to change time

I have 200 remote Windows XP Pro machines that are not on a domain, workgroup only.  I  want to lock down the ability to change the windows time.  I want to allow the local administrator account the ability to change the windows time, all 200 machines have the same local admin password.  I know you can lock down the system time from the local security settings>user rights assignment.  My question is, can you create a batch file that will do this?  If so, give me an example on creating such a batch file.
ASKER CERTIFIED SOLUTION
Avatar of johnb6767
johnb6767
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of POINTGREEN
POINTGREEN
Flag of United States of America image

ASKER

The particular user account that is logged in, Yes, they are local admins.  But I want to prevent them from changing the time.  I also don't want to login as another user in order to run this batch file.  
Avatar of POINTGREEN
POINTGREEN
Flag of United States of America image

ASKER

Basically, I want only the Administrator account, not the group Administrators ability to change time.  
Avatar of POINTGREEN
POINTGREEN
Flag of United States of America image

ASKER

Show me an example of your batch file, that only allows the Administrator account access.  I've tried your example a few ways, but can't get it to work.  Show me the light, I must be doing something wrong.  
Avatar of POINTGREEN
POINTGREEN
Flag of United States of America image

ASKER

Also, keep in mind simplicity.  I don't want to install xcalcs.exe on 200 machines in order to run your script example.  Is there another way to run this?
Avatar of POINTGREEN
POINTGREEN
Flag of United States of America image

ASKER

This is what I was looking for:
@echo off
cacls C:\WINDOWS\system32\timedate.cpl /e /p Administrator:n
exit
Avatar of POINTGREEN
POINTGREEN
Flag of United States of America image

ASKER

xcacls is not installed by default on Windows XP machines..
Avatar of johnb6767
johnb6767
Flag of United States of America image
xcacls is already there on XP...... Or should be if I am not mistaken...... Not on Home.....

Doing it via xcacls is probably not going to work well..... Cant allow Administrator, and then deny the group "Administrators"... Just doesnt work that way.

We are going to have to look at a reg script method, and probably use psexec to push out the script to each machine.......

Is it causing you problems with them changing the time?



Avatar of johnb6767
johnb6767
Flag of United States of America image
Youre right, its in the 2003 support tools..... My bad....  :)
Avatar of POINTGREEN
POINTGREEN
Flag of United States of America image

ASKER

This is what I actually went with:  

@echo off
cacls C:\WINDOWS\system32\timedate.cpl /e /d "user account"
exit

The particular account I want to deny has a space in it, so if you put quotations in, it works.  Yes, the problem is with users changing the time.