Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Group policy setting to set workstations time with a domain controller

Posted on 2013-06-01
5
Medium Priority
?
13,016 Views
Last Modified: 2013-06-18
Hi guys,
I hope you are well and can help.
I wish to sync our workstations time through group policy with their domain controller but I cannot seem to find the required setting (if there is one).
We run windows xp and windows 7 and currently do this via a logon script, but windows 7 machines have issues with UAC when they try and sync with the net time command.

Any help greatly appreciated.
0
Comment
Question by:Simon336697
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 4

Assisted Solution

by:TalShyar
TalShyar earned 500 total points
ID: 39213861
Try this (This was done on Windows 2008 R2 Domain Controller with Forest and Domain set to Windows 2008 R2 functional level):

1. Open "Start | Administrative Tools | Group Policy Management"

2. Drill down to Forest | Domains | "Your Domain Nam" | Group Policy Objects | Default Domain Policy. [You can choose your own policy too]

3. Right click on policy and click on Edit.

4. Expand to "Computer Configuration | Policies | Administrative Templates: Policy definitions... | System | Windows Time Service"

5. Make the necessary changes

6. Wait for the group policy to propagate throughout your environment.

Good Luck
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 500 total points
ID: 39213880
By default you shouldn't need to sync time.  The windows time hierarchy should take over.  Below are two of my favorite time blog entries

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
0
 
LVL 1

Author Comment

by:Simon336697
ID: 39215325
Hi Mike,

Thanks so much for that.

We have Windows XP systems and Windows 7 machines.

When a user logs on, the Logon script executes:

Net time %logonserver% /set

Are you saying that we could remove this command, and that for both:

Windows XP and
Windows 7

Machines they will automatically sync time with their domain controller that authenticates them?

Thanks again
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 500 total points
ID: 39215839
If you have applied GPO or script then remove the same as suggested it is not required, computer will  sync time from DC by default assuming that authorative time server ois configured correctly.More see this:http://support.microsoft.com/kb/223184

Configure authorative time server on the PDC role holder server.http://support.microsoft.com/kb/816042
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 39215902
Yes, You can safely remove those instructions from your logon script/startup script for ALL Windows clients and servers.

Description of windows time sync hierarchy:
To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not allow for loops. By default, Windows-based computers use the following hierarchy: •All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
•All member servers follow the same process that client desktop computers follow.
•All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
•All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.
http://support.microsoft.com/kb/816042

Other reading information:
http://technet.microsoft.com/en-us/library/cc756572(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx

OOPS, Slow typist alert! Didn't mean to repeat earlier post.
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question