Solved

Group policy setting to set workstations time with a domain controller

Posted on 2013-06-01
Last Modified: 2013-06-18
Hi guys,
I hope you are well and can help.
I wish to sync our workstations' time through Group Policy with their domain controller, but I cannot seem to find the required setting (if there is one).
We run Windows XP and Windows 7 and currently do this via a logon script, but Windows 7 machines have issues with UAC when they try and sync with the net time command.

Any help greatly appreciated.
Question by:Simon336697
5 Comments
 
LVL 4

Assisted Solution

by:TalShyar
TalShyar earned 500 total points
ID: 39213861
Try this (This was done on Windows 2008 R2 Domain Controller with Forest and Domain set to Windows 2008 R2 functional level):

1. Open "Start | Administrative Tools | Group Policy Management"

2. Drill down to Forest | Domains | "Your Domain Name" | Group Policy Objects | Default Domain Policy. [You can choose your own policy too]

3. Right click on policy and click on Edit.

4. Expand to "Computer Configuration | Policies | Administrative Templates: Policy definitions... | System | Windows Time Service"

5. Make the necessary changes

6. Wait for the group policy to propagate throughout your environment.

Good Luck
0
 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 500 total points
ID: 39213880
By default you shouldn't need to sync time. The Windows time hierarchy should take over. Below are two of my favorite time blog entries:

http://blogs.technet.com/b/nepapfe/archive/2013/03/01/it-s-simple-time-configuration-in-active-directory.aspx

http://tigermatt.wordpress.com/2009/08/01/windows-time-for-active-directory/

Thanks

Mike
0
 
LVL 1

Author Comment

by:Simon336697
ID: 39215325
Hi Mike,

Thanks so much for that.

We have Windows XP systems and Windows 7 machines.

When a user logs on, the Logon script executes:

Net time %logonserver% /set

Are you saying that we could remove this command, and that for both:

Windows XP and
Windows 7

Machines they will automatically sync time with their domain controller that authenticates them?

Thanks again
0
 
LVL 24

Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 500 total points
ID: 39215839
If you have applied a GPO or script, then remove it as suggested; it is not required. The computer will sync time from the DC by default, assuming that the authoritative time server is configured correctly. For more, see this: http://support.microsoft.com/kb/223184

Configure the authoritative time server on the PDC role holder server: http://support.microsoft.com/kb/816042
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 500 total points
ID: 39215902
Yes, you can safely remove those instructions from your logon script/startup script for ALL Windows clients and servers.

Description of windows time sync hierarchy:
To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not allow for loops. By default, Windows-based computers use the following hierarchy:
• All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
• All member servers follow the same process that client desktop computers follow.
• All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
• All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.
In this hierarchy, the PDC operations master at the root of the forest becomes authoritative for the organization. We highly recommend that you configure the authoritative time server to obtain the time from a hardware source. When you configure the authoritative time server to sync with an Internet time source, there is no authentication. We also recommend that you reduce your time correction settings for your servers and stand-alone clients. These recommendations provide more accuracy and security to your domain.
http://support.microsoft.com/kb/816042

Other reading information:
http://technet.microsoft.com/en-us/library/cc756572(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc773013(v=ws.10).aspx

OOPS, Slow typist alert! Didn't mean to repeat earlier post.
0
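
The default hierarchy described in the answers above can be checked on a domain member before the `net time` line is dropped from the logon script. This is an added example, not part of any post in the thread; it assumes Windows 7 or later with PowerShell 2.0, an elevated session for the `-Repair` path, and the function and parameter names are hypothetical.

```powershell
# Added example (not from the thread): confirm a domain member follows the
# default Windows Time hierarchy instead of relying on "net time /set".
# Function and parameter names are hypothetical.
function Test-DomainTimeSync {
    param([switch]$Repair)   # -Repair must be run from an elevated session

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    # Type = NT5DS means "sync from the domain hierarchy" (default for members)
    $type = (Get-ItemProperty -Path $key -Name Type).Type
    $svc  = Get-Service -Name W32Time

    # w32tm /query exists on Windows Vista/7 and later, not on Windows XP
    $source = (& w32tm /query /source 2>&1 | Out-String).Trim()

    $problems = @()
    if ($svc.Status -ne 'Running') { $problems += "W32Time service is $($svc.Status)" }
    if ($type -ne 'NT5DS')         { $problems += "Type is '$type', expected NT5DS" }
    if ($source -match 'Local CMOS Clock|Free-running System Clock') {
        $problems += "No upstream time source: $source"
    }

    if ($problems.Count -gt 0 -and $Repair) {
        # Point the client back at the domain hierarchy and force a resync
        if ($svc.Status -ne 'Running') { Start-Service -Name W32Time }
        & w32tm /config /syncfromflags:domhier /update | Out-Null
        & w32tm /resync /rediscover | Out-Null
        $type   = (Get-ItemProperty -Path $key -Name Type).Type
        $source = (& w32tm /query /source 2>&1 | Out-String).Trim()
    }

    # Problems lists what was found before any repair; Type/Source are current
    New-Object PSObject -Property @{
        Computer = $env:COMPUTERNAME
        Type     = $type
        Source   = $source
        Problems = $problems
    }
}

Test-DomainTimeSync | Format-List
```

An empty `Problems` list with `Source` showing a domain controller indicates the client is already using the hierarchy.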
