Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations wOOdy-Soft on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Need to prevent users from changing the system time

Status
Not open for further replies.
StNixon

StNixon

MIS
Jul 14, 2003
92
US
Hi all:
I need to block all our users from changing the system time on their PC. We are a W2K domain with XP sp2 for all the clients.
Do to some annoying software all the users are either Power Users or have Local Admin rights.
Is their something I can use to stop them from altering the system time? Several applications we use check system time for a time stamp and if the user is off it causes all sorts of issues. Also it can make the actual time the work was done questionable.
I am using the registry to force the choice of Time servers (my main DC) but this is only in affect when the PC is started. Is there a GPO for this?

Help!

Stance
 
Sort by date Sort by votes
Do these users connect to your applications remotely? If so, you can push out local policies.

If they connect locally to these apps, then your DC (PDC Emulator) should set the time when they log in. Make sure you have you PDC Emulator (FSMO Role) set to an external time source.

Hope This Helps,

Good Luck!
 
Upvote 0 Downvote
You could try removing power user and admins from the change the system time policy.



Or find out why those apps need this access it's usually that they need to write to the install directory in that case you could just give the users write access to that area and downgrade their privileges.
File and Process mon should allow you to find the problem files.








When you are the IT director, it's your job to make sure the IT works. If it does work they know already and if it doesn't, they don't want to hear your pathetic excuses.
 
Upvote 0 Downvote
I think we're headed in the right direction. I will try editing the system time policy (maybe I will allow backup operators the right to change it and then drop the domain admins group into backup operators, just in case).
I have used file mon and reg mon both. I am afraid a couple of the applications require full access (they create new files and configure existing files and edit reg entries) or they go to folders other than the install folder. I gave up trying to just give them access to specific files or folders there were way too many. I think it is just bad coding, but I haven't been a coder for over 15 years.
Okay I’ve been reading. I think the steps are to make a security template and then assign it via GPO. Any advice on how to do this?

Thanks for the guidance.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

B
  • Locked
  • Question
Robocopy Timestamp
Replies
0
Views
186
blackvan253
B
B
  • Locked
  • Question
Robocopy Timestamp
Replies
2
Views
270
blackvan253
B
goombawaho
  • Locked
  • Question
Domain join from wifi connected laptop
Replies
4
Views
1K
goombawaho
goombawaho
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
586
DTGMI
DTGMI
microsGuy16
  • Locked
  • Question
Can not copy files to Mapped drive
Replies
0
Views
684
microsGuy16
microsGuy16

Part and Inventory Search

Sponsor

Back
Top