POINTGREEN
asked on
Batch file to lock down ability to change time
I have 200 remote Windows XP Pro machines that are not on a domain, workgroup only. I want to lock down the ability to change the windows time. I want to allow the local administrator account the ability to change the windows time, all 200 machines have the same local admin password. I know you can lock down the system time from the local security settings>user rights assignment. My question is, can you create a batch file that will do this? If so, give me an example on creating such a batch file.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Basically, I want only the Administrator account, not the group Administrators ability to change time.
ASKER
Show me an example of your batch file, that only allows the Administrator account access. I've tried your example a few ways, but can't get it to work. Show me the light, I must be doing something wrong.
ASKER
Also, keep in mind simplicity. I don't want to install xcalcs.exe on 200 machines in order to run your script example. Is there another way to run this?
ASKER
This is what I was looking for:
@echo off
cacls C:\WINDOWS\system32\timeda te.cpl /e /p Administrator:n
exit
@echo off
cacls C:\WINDOWS\system32\timeda
exit
ASKER
xcacls is not installed by default on Windows XP machines..
xcacls is already there on XP...... Or should be if I am not mistaken...... Not on Home.....
Doing it via xcacls is probably not going to work well..... Cant allow Administrator, and then deny the group "Administrators"... Just doesnt work that way.
We are going to have to look at a reg script method, and probably use psexec to push out the script to each machine.......
Is it causing you problems with them changing the time?
Doing it via xcacls is probably not going to work well..... Cant allow Administrator, and then deny the group "Administrators"... Just doesnt work that way.
We are going to have to look at a reg script method, and probably use psexec to push out the script to each machine.......
Is it causing you problems with them changing the time?
Youre right, its in the 2003 support tools..... My bad.... :)
ASKER
This is what I actually went with:
@echo off
cacls C:\WINDOWS\system32\timeda te.cpl /e /d "user account"
exit
The particular account I want to deny has a space in it, so if you put quotations in, it works. Yes, the problem is with users changing the time.
@echo off
cacls C:\WINDOWS\system32\timeda
exit
The particular account I want to deny has a space in it, so if you put quotations in, it works. Yes, the problem is with users changing the time.
ASKER