Batch file to lock down ability to change time

I have 200 remote Windows XP Pro machines that are not on a domain, workgroup only.  I  want to lock down the ability to change the windows time.  I want to allow the local administrator account the ability to change the windows time, all 200 machines have the same local admin password.  I know you can lock down the system time from the local security settings>user rights assignment.  My question is, can you create a batch file that will do this?  If so, give me an example on creating such a batch file.
LVL 1
POINTGREENAsked:
Who is Participating?
 
johnb6767Commented:
Are they local admins?

If they are not local admins, this should work ok..... Edits the ACL so that the Users group is denied access to timedate.cpl.....


@echo off
xcacls C:\WINDOWS\system32\timedate.cpl /e /d Users
exit

Open in new window

0
 
POINTGREENAuthor Commented:
The particular user account that is logged in, Yes, they are local admins.  But I want to prevent them from changing the time.  I also don't want to login as another user in order to run this batch file.  
0
 
POINTGREENAuthor Commented:
Basically, I want only the Administrator account, not the group Administrators ability to change time.  
0
WEBINAR: 10 Easy Ways to Lose a Password

Join us on June 27th at 8 am PDT to learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees. We'll cover the importance of multi-factor authentication and how these solutions can better protect your business!

 
POINTGREENAuthor Commented:
Show me an example of your batch file, that only allows the Administrator account access.  I've tried your example a few ways, but can't get it to work.  Show me the light, I must be doing something wrong.  
0
 
POINTGREENAuthor Commented:
Also, keep in mind simplicity.  I don't want to install xcalcs.exe on 200 machines in order to run your script example.  Is there another way to run this?
0
 
POINTGREENAuthor Commented:
This is what I was looking for:
@echo off
cacls C:\WINDOWS\system32\timedate.cpl /e /p Administrator:n
exit
0
 
POINTGREENAuthor Commented:
xcacls is not installed by default on Windows XP machines..
0
 
johnb6767Commented:
xcacls is already there on XP...... Or should be if I am not mistaken...... Not on Home.....

Doing it via xcacls is probably not going to work well..... Cant allow Administrator, and then deny the group "Administrators"... Just doesnt work that way.

We are going to have to look at a reg script method, and probably use psexec to push out the script to each machine.......

Is it causing you problems with them changing the time?



0
 
johnb6767Commented:
Youre right, its in the 2003 support tools..... My bad....  :)
0
 
POINTGREENAuthor Commented:
This is what I actually went with:  

@echo off
cacls C:\WINDOWS\system32\timedate.cpl /e /d "user account"
exit

The particular account I want to deny has a space in it, so if you put quotations in, it works.  Yes, the problem is with users changing the time.  
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.