Solved

Group policy setting to set workstations time with a domain controller

Posted on 2013-06-01
5
8,549 Views
Last Modified: 2013-06-18
Hi guys,
I hope you are well and can help.
I wish to sync our workstations time through group policy with their domain controller but I cannot seem to find the required setting (if there is one).
We run windows xp and windows 7 and currently do this via a logon script, but windows 7 machines have issues with UAC when they try and sync with the net time command.

Any help greatly appreciated.
0
Comment
Question by:Simon336697
5 Comments
 
LVL 4

Assisted Solution

by:TalShyar
TalShyar earned 125 total points
ID: 39213861
Try this (This was done on Windows 2008 R2 Domain Controller with Forest and Domain set to Windows 2008 R2 functional level):

1. Open "Start | Administrative Tools | Group Policy Management"

2. Drill down to Forest | Domains | "Your Domain Nam" | Group Policy Objects | Default Domain Policy. [You can choose your own policy too]

3. Right click on policy and click on Edit.

4. Expand to "Computer Configuration | Policies | Administrative Templates: Policy definitions... | System | Windows Time Service"

5. Make the necessary changes

6. Wait for the group policy to propagate throughout your environment.

Good Luck
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 125 total points
ID: 39213880
By default you shouldn't need to sync time.  The windows time hierarchy should take over.  Below are two of my favorite time blog entries

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
0
 
LVL 1

Author Comment

by:Simon336697
ID: 39215325
Hi Mike,

Thanks so much for that.

We have Windows XP systems and Windows 7 machines.

When a user logs on, the Logon script executes:

Net time %logonserver% /set

Are you saying that we could remove this command, and that for both:

Windows XP and
Windows 7

Machines they will automatically sync time with their domain controller that authenticates them?

Thanks again
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 125 total points
ID: 39215839
If you have applied GPO or script then remove the same as suggested it is not required, computer will  sync time from DC by default assuming that authorative time server ois configured correctly.More see this:http://support.microsoft.com/kb/223184

Configure authorative time server on the PDC role holder server.http://support.microsoft.com/kb/816042
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 125 total points
ID: 39215902
Yes, You can safely remove those instructions from your logon script/startup script for ALL Windows clients and servers.

Description of windows time sync hierarchy:
To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not allow for loops. By default, Windows-based computers use the following hierarchy: •All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
•All member servers follow the same process that client desktop computers follow.
•All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
•All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.
http://support.microsoft.com/kb/816042

Other reading information:
http://technet.microsoft.com/en-us/library/cc756572(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx

OOPS, Slow typist alert! Didn't mean to repeat earlier post.
0

Featured Post

Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

Join & Write a Comment

There are two modes of restricted groups GPOs. Replacing mode:   Additive mode:   How do they work? Replacing mode: Everything (users, groups, computers) that is member of the local administrators group will be cleared out. After th…
I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now