Non-administrators can change time?

  • Thread starter Thread starter Gis Bun
  • Start date Start date
G

Gis Bun

Guest
Hi,

We implemented a while back the time service through our AD such that the
PCs would sync with one of our services. The following is the rough
equivalent to what is set in AD:

System/Windows Time Service:
FrequencyCorrectRate 4
HoldPeriod 5
LargePhaseOffset 1280000
MaxAllowedPhaseOffset 300
MaxNegPhaseCorrection 54000
MaxPosPhaseCorrection 54000
PhaseCorrectRate 1
PollAdjustFactor 5
SpikeWatchPeriod 90
UpdateInterval 30000
General Parameters
AnnounceFlags 10
EventLogFlags 2
LocalClockDispersion 10
MaxPollInterval 15
MinPollInterval 10

System/Windows Time Service/Time Providers:

Policy Setting
Configure Windows NTP Client Enabled
NtpServer 172.16.0.6,0x1
Type NT5DS
CrossSiteSyncFlags 2
ResolvePeerBackoffMinutes 15
ResolvePeerBackoffMaxTimes 7
SpecialPollInterval 3600
EventLogFlags 0

Policy Setting
Enable Windows NTP Client Enabled


The settings are for the most part identical to the default settings.

What we noticed is that since implementing the time service via AD [or at
least we believe so], the typical local non-administrator can change the time
manually on their own. But in normal domain setup, they can't. So what's
going on?
 
Re: Non-administrators can change time?

Hello,

by default your can't change time, double clicking on the clock says that
you need administrator right.
Maybe they are member of power users ?


--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

"Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de
news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
> Hi,
>
> We implemented a while back the time service through our AD such that the
> PCs would sync with one of our services. The following is the rough
> equivalent to what is set in AD:
>
> System/Windows Time Service:
> FrequencyCorrectRate 4
> HoldPeriod 5
> LargePhaseOffset 1280000
> MaxAllowedPhaseOffset 300
> MaxNegPhaseCorrection 54000
> MaxPosPhaseCorrection 54000
> PhaseCorrectRate 1
> PollAdjustFactor 5
> SpikeWatchPeriod 90
> UpdateInterval 30000
> General Parameters
> AnnounceFlags 10
> EventLogFlags 2
> LocalClockDispersion 10
> MaxPollInterval 15
> MinPollInterval 10
>
> System/Windows Time Service/Time Providers:
>
> Policy Setting
> Configure Windows NTP Client Enabled
> NtpServer 172.16.0.6,0x1
> Type NT5DS
> CrossSiteSyncFlags 2
> ResolvePeerBackoffMinutes 15
> ResolvePeerBackoffMaxTimes 7
> SpecialPollInterval 3600
> EventLogFlags 0
>
> Policy Setting
> Enable Windows NTP Client Enabled
>
>
> The settings are for the most part identical to the default settings.
>
> What we noticed is that since implementing the time service via AD [or at
> least we believe so], the typical local non-administrator can change the
> time
> manually on their own. But in normal domain setup, they can't. So what's
> going on?
 
Re: Non-administrators can change time?

This seems to be feature in Windows XP - Users can change the local time.
The time will be corrected at the next time synchronization by the Windows
Time Service.
With Vista, Users can not change the time - an elevated administrative
account is required.

By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" will
be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time server
hierarchy.

Since the Time Service is automatically configured on all domain joined
computers by default to use the domain's NTP time hierarchy, I'm curious as
to why you are configuring the Time Service "in AD" (via a GPO?)?

--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.


"Gis Bun" <GisBun@discussions.microsoft.com> wrote in message
news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
> Hi,
>
> We implemented a while back the time service through our AD such that the
> PCs would sync with one of our services. The following is the rough
> equivalent to what is set in AD:
>
> System/Windows Time Service:
> FrequencyCorrectRate 4
> HoldPeriod 5
> LargePhaseOffset 1280000
> MaxAllowedPhaseOffset 300
> MaxNegPhaseCorrection 54000
> MaxPosPhaseCorrection 54000
> PhaseCorrectRate 1
> PollAdjustFactor 5
> SpikeWatchPeriod 90
> UpdateInterval 30000
> General Parameters
> AnnounceFlags 10
> EventLogFlags 2
> LocalClockDispersion 10
> MaxPollInterval 15
> MinPollInterval 10
>
> System/Windows Time Service/Time Providers:
>
> Policy Setting
> Configure Windows NTP Client Enabled
> NtpServer 172.16.0.6,0x1
> Type NT5DS
> CrossSiteSyncFlags 2
> ResolvePeerBackoffMinutes 15
> ResolvePeerBackoffMaxTimes 7
> SpecialPollInterval 3600
> EventLogFlags 0
>
> Policy Setting
> Enable Windows NTP Client Enabled
>
>
> The settings are for the most part identical to the default settings.
>
> What we noticed is that since implementing the time service via AD [or at
> least we believe so], the typical local non-administrator can change the
> time
> manually on their own. But in normal domain setup, they can't. So what's
> going on?
 
Re: Non-administrators can change time?

Sorry, I was mistaken, Matheiu is correct - Users can not change the local
time under Windows XP.

--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.


"Bruce Sanderson" <bsanders@newsgroups.nospam> wrote in message
news:e7KbWeTDJHA.528@TK2MSFTNGP06.phx.gbl...
> This seems to be feature in Windows XP - Users can change the local time.
> The time will be corrected at the next time synchronization by the Windows
> Time Service.
> With Vista, Users can not change the time - an elevated administrative
> account is required.
>
> By the way, since "Type" is set to "NT5DS", the setting in "NtpServer"
> will be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time
> server hierarchy.
>
> Since the Time Service is automatically configured on all domain joined
> computers by default to use the domain's NTP time hierarchy, I'm curious
> as to why you are configuring the Time Service "in AD" (via a GPO?)?
>
> --
> Bruce Sanderson
> http://members.shaw.ca/bsanders/
> It's perfectly useless to know the right answer to the wrong question.
>
>
> "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message
> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
>> Hi,
>>
>> We implemented a while back the time service through our AD such that the
>> PCs would sync with one of our services. The following is the rough
>> equivalent to what is set in AD:
>>
>> System/Windows Time Service:
>> FrequencyCorrectRate 4
>> HoldPeriod 5
>> LargePhaseOffset 1280000
>> MaxAllowedPhaseOffset 300
>> MaxNegPhaseCorrection 54000
>> MaxPosPhaseCorrection 54000
>> PhaseCorrectRate 1
>> PollAdjustFactor 5
>> SpikeWatchPeriod 90
>> UpdateInterval 30000
>> General Parameters
>> AnnounceFlags 10
>> EventLogFlags 2
>> LocalClockDispersion 10
>> MaxPollInterval 15
>> MinPollInterval 10
>>
>> System/Windows Time Service/Time Providers:
>>
>> Policy Setting
>> Configure Windows NTP Client Enabled
>> NtpServer 172.16.0.6,0x1
>> Type NT5DS
>> CrossSiteSyncFlags 2
>> ResolvePeerBackoffMinutes 15
>> ResolvePeerBackoffMaxTimes 7
>> SpecialPollInterval 3600
>> EventLogFlags 0
>>
>> Policy Setting
>> Enable Windows NTP Client Enabled
>>
>>
>> The settings are for the most part identical to the default settings.
>>
>> What we noticed is that since implementing the time service via AD [or at
>> least we believe so], the typical local non-administrator can change the
>> time
>> manually on their own. But in normal domain setup, they can't. So what's
>> going on?
>
 
Re: Non-administrators can change time?

Hi Mathieu,

We don't use the Power Users in XP. About 50+ users are given basic rights.
No need for anything out of the ordinary. They can't even install the Adobe
Flash player via the web.

Thanks


"Mathieu CHATEAU" wrote:

> Hello,
>
> by default your can't change time, double clicking on the clock says that
> you need administrator right.
> Maybe they are member of power users ?
>
>
> --
> Cordialement,
> Mathieu CHATEAU
> English blog: http://lordoftheping.blogspot.com
> French blog: http://www.lotp.fr
>
> "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de
> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
> > Hi,
> >
> > We implemented a while back the time service through our AD such that the
> > PCs would sync with one of our services. The following is the rough
> > equivalent to what is set in AD:
> >
> > System/Windows Time Service:
> > FrequencyCorrectRate 4
> > HoldPeriod 5
> > LargePhaseOffset 1280000
> > MaxAllowedPhaseOffset 300
> > MaxNegPhaseCorrection 54000
> > MaxPosPhaseCorrection 54000
> > PhaseCorrectRate 1
> > PollAdjustFactor 5
> > SpikeWatchPeriod 90
> > UpdateInterval 30000
> > General Parameters
> > AnnounceFlags 10
> > EventLogFlags 2
> > LocalClockDispersion 10
> > MaxPollInterval 15
> > MinPollInterval 10
> >
> > System/Windows Time Service/Time Providers:
> >
> > Policy Setting
> > Configure Windows NTP Client Enabled
> > NtpServer 172.16.0.6,0x1
> > Type NT5DS
> > CrossSiteSyncFlags 2
> > ResolvePeerBackoffMinutes 15
> > ResolvePeerBackoffMaxTimes 7
> > SpecialPollInterval 3600
> > EventLogFlags 0
> >
> > Policy Setting
> > Enable Windows NTP Client Enabled
> >
> >
> > The settings are for the most part identical to the default settings.
> >
> > What we noticed is that since implementing the time service via AD [or at
> > least we believe so], the typical local non-administrator can change the
> > time
> > manually on their own. But in normal domain setup, they can't. So what's
> > going on?
>
>
 
Re: Non-administrators can change time?

I think I chose the default settings.

When i started to work at where I am, I had noticed that the PCs were
slighly out of sync. I had though also that maybe Server 2003 provided
syncing but I guess not since I've read threads about using the "net" command
in a login script and how it fails if you don't have admin rights.

"Bruce Sanderson" wrote:

> This seems to be feature in Windows XP - Users can change the local time.
> The time will be corrected at the next time synchronization by the Windows
> Time Service.
> With Vista, Users can not change the time - an elevated administrative
> account is required.
>
> By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" will
> be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time server
> hierarchy.
>
> Since the Time Service is automatically configured on all domain joined
> computers by default to use the domain's NTP time hierarchy, I'm curious as
> to why you are configuring the Time Service "in AD" (via a GPO?)?
>
> --
> Bruce Sanderson
> http://members.shaw.ca/bsanders/
> It's perfectly useless to know the right answer to the wrong question.
>
>
> "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message
> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
> > Hi,
> >
> > We implemented a while back the time service through our AD such that the
> > PCs would sync with one of our services. The following is the rough
> > equivalent to what is set in AD:
> >
> > System/Windows Time Service:
> > FrequencyCorrectRate 4
> > HoldPeriod 5
> > LargePhaseOffset 1280000
> > MaxAllowedPhaseOffset 300
> > MaxNegPhaseCorrection 54000
> > MaxPosPhaseCorrection 54000
> > PhaseCorrectRate 1
> > PollAdjustFactor 5
> > SpikeWatchPeriod 90
> > UpdateInterval 30000
> > General Parameters
> > AnnounceFlags 10
> > EventLogFlags 2
> > LocalClockDispersion 10
> > MaxPollInterval 15
> > MinPollInterval 10
> >
> > System/Windows Time Service/Time Providers:
> >
> > Policy Setting
> > Configure Windows NTP Client Enabled
> > NtpServer 172.16.0.6,0x1
> > Type NT5DS
> > CrossSiteSyncFlags 2
> > ResolvePeerBackoffMinutes 15
> > ResolvePeerBackoffMaxTimes 7
> > SpecialPollInterval 3600
> > EventLogFlags 0
> >
> > Policy Setting
> > Enable Windows NTP Client Enabled
> >
> >
> > The settings are for the most part identical to the default settings.
> >
> > What we noticed is that since implementing the time service via AD [or at
> > least we believe so], the typical local non-administrator can change the
> > time
> > manually on their own. But in normal domain setup, they can't. So what's
> > going on?
>
>
 
Re: Non-administrators can change time?

But with vista, user change the timezone (but not the time itself i think)

--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

"Bruce Sanderson" <bsanders@newsgroups.nospam> a écrit dans le message de
news:Ocr5agTDJHA.2060@TK2MSFTNGP05.phx.gbl...
> Sorry, I was mistaken, Matheiu is correct - Users can not change the local
> time under Windows XP.
>
> --
> Bruce Sanderson
> http://members.shaw.ca/bsanders/
> It's perfectly useless to know the right answer to the wrong question.
>
>
> "Bruce Sanderson" <bsanders@newsgroups.nospam> wrote in message
> news:e7KbWeTDJHA.528@TK2MSFTNGP06.phx.gbl...
>> This seems to be feature in Windows XP - Users can change the local
>> time. The time will be corrected at the next time synchronization by the
>> Windows Time Service.
>> With Vista, Users can not change the time - an elevated administrative
>> account is required.
>>
>> By the way, since "Type" is set to "NT5DS", the setting in "NtpServer"
>> will be ignored. "Type" of "NT5DS" specifies to use the domain's NTP
>> time server hierarchy.
>>
>> Since the Time Service is automatically configured on all domain joined
>> computers by default to use the domain's NTP time hierarchy, I'm curious
>> as to why you are configuring the Time Service "in AD" (via a GPO?)?
>>
>> --
>> Bruce Sanderson
>> http://members.shaw.ca/bsanders/
>> It's perfectly useless to know the right answer to the wrong question.
>>
>>
>> "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message
>> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
>>> Hi,
>>>
>>> We implemented a while back the time service through our AD such that
>>> the
>>> PCs would sync with one of our services. The following is the rough
>>> equivalent to what is set in AD:
>>>
>>> System/Windows Time Service:
>>> FrequencyCorrectRate 4
>>> HoldPeriod 5
>>> LargePhaseOffset 1280000
>>> MaxAllowedPhaseOffset 300
>>> MaxNegPhaseCorrection 54000
>>> MaxPosPhaseCorrection 54000
>>> PhaseCorrectRate 1
>>> PollAdjustFactor 5
>>> SpikeWatchPeriod 90
>>> UpdateInterval 30000
>>> General Parameters
>>> AnnounceFlags 10
>>> EventLogFlags 2
>>> LocalClockDispersion 10
>>> MaxPollInterval 15
>>> MinPollInterval 10
>>>
>>> System/Windows Time Service/Time Providers:
>>>
>>> Policy Setting
>>> Configure Windows NTP Client Enabled
>>> NtpServer 172.16.0.6,0x1
>>> Type NT5DS
>>> CrossSiteSyncFlags 2
>>> ResolvePeerBackoffMinutes 15
>>> ResolvePeerBackoffMaxTimes 7
>>> SpecialPollInterval 3600
>>> EventLogFlags 0
>>>
>>> Policy Setting
>>> Enable Windows NTP Client Enabled
>>>
>>>
>>> The settings are for the most part identical to the default settings.
>>>
>>> What we noticed is that since implementing the time service via AD [or
>>> at
>>> least we believe so], the typical local non-administrator can change the
>>> time
>>> manually on their own. But in normal domain setup, they can't. So what's
>>> going on?
>>
>
 
Re: Non-administrators can change time?

Can you manually check on one station that anything went wrong it local
groups or domain admins groups ?
Restricted group used in gpo ?

As it's not possible by default, something has been changed somewhere

--
Cordialement,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

"Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de
news:EB09C968-773A-4D34-A873-83CA760A2592@microsoft.com...
> Hi Mathieu,
>
> We don't use the Power Users in XP. About 50+ users are given basic
> rights.
> No need for anything out of the ordinary. They can't even install the
> Adobe
> Flash player via the web.
>
> Thanks
>
>
> "Mathieu CHATEAU" wrote:
>
>> Hello,
>>
>> by default your can't change time, double clicking on the clock says that
>> you need administrator right.
>> Maybe they are member of power users ?
>>
>>
>> --
>> Cordialement,
>> Mathieu CHATEAU
>> English blog: http://lordoftheping.blogspot.com
>> French blog: http://www.lotp.fr
>>
>> "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de
>> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
>> > Hi,
>> >
>> > We implemented a while back the time service through our AD such that
>> > the
>> > PCs would sync with one of our services. The following is the rough
>> > equivalent to what is set in AD:
>> >
>> > System/Windows Time Service:
>> > FrequencyCorrectRate 4
>> > HoldPeriod 5
>> > LargePhaseOffset 1280000
>> > MaxAllowedPhaseOffset 300
>> > MaxNegPhaseCorrection 54000
>> > MaxPosPhaseCorrection 54000
>> > PhaseCorrectRate 1
>> > PollAdjustFactor 5
>> > SpikeWatchPeriod 90
>> > UpdateInterval 30000
>> > General Parameters
>> > AnnounceFlags 10
>> > EventLogFlags 2
>> > LocalClockDispersion 10
>> > MaxPollInterval 15
>> > MinPollInterval 10
>> >
>> > System/Windows Time Service/Time Providers:
>> >
>> > Policy Setting
>> > Configure Windows NTP Client Enabled
>> > NtpServer 172.16.0.6,0x1
>> > Type NT5DS
>> > CrossSiteSyncFlags 2
>> > ResolvePeerBackoffMinutes 15
>> > ResolvePeerBackoffMaxTimes 7
>> > SpecialPollInterval 3600
>> > EventLogFlags 0
>> >
>> > Policy Setting
>> > Enable Windows NTP Client Enabled
>> >
>> >
>> > The settings are for the most part identical to the default settings.
>> >
>> > What we noticed is that since implementing the time service via AD [or
>> > at
>> > least we believe so], the typical local non-administrator can change
>> > the
>> > time
>> > manually on their own. But in normal domain setup, they can't. So
>> > what's
>> > going on?
>>
>>
 
Re: Non-administrators can change time?

Oooops. "Me bad".

I thought I checked the Power Users but I guess I didn't. The user had Power
User rights. Now it's removed....

A follow up then. Is it possible to have a user see the calendar but not
change anything?

"Mathieu CHATEAU" wrote:

> Can you manually check on one station that anything went wrong it local
> groups or domain admins groups ?
> Restricted group used in gpo ?
>
> As it's not possible by default, something has been changed somewhere
>
> --
> Cordialement,
> Mathieu CHATEAU
> English blog: http://lordoftheping.blogspot.com
> French blog: http://www.lotp.fr
>
> "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de
> news:EB09C968-773A-4D34-A873-83CA760A2592@microsoft.com...
> > Hi Mathieu,
> >
> > We don't use the Power Users in XP. About 50+ users are given basic
> > rights.
> > No need for anything out of the ordinary. They can't even install the
> > Adobe
> > Flash player via the web.
> >
> > Thanks
> >
> >
> > "Mathieu CHATEAU" wrote:
> >
> >> Hello,
> >>
> >> by default your can't change time, double clicking on the clock says that
> >> you need administrator right.
> >> Maybe they are member of power users ?
> >>
> >>
> >> --
> >> Cordialement,
> >> Mathieu CHATEAU
> >> English blog: http://lordoftheping.blogspot.com
> >> French blog: http://www.lotp.fr
> >>
> >> "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de
> >> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
> >> > Hi,
> >> >
> >> > We implemented a while back the time service through our AD such that
> >> > the
> >> > PCs would sync with one of our services. The following is the rough
> >> > equivalent to what is set in AD:
> >> >
> >> > System/Windows Time Service:
> >> > FrequencyCorrectRate 4
> >> > HoldPeriod 5
> >> > LargePhaseOffset 1280000
> >> > MaxAllowedPhaseOffset 300
> >> > MaxNegPhaseCorrection 54000
> >> > MaxPosPhaseCorrection 54000
> >> > PhaseCorrectRate 1
> >> > PollAdjustFactor 5
> >> > SpikeWatchPeriod 90
> >> > UpdateInterval 30000
> >> > General Parameters
> >> > AnnounceFlags 10
> >> > EventLogFlags 2
> >> > LocalClockDispersion 10
> >> > MaxPollInterval 15
> >> > MinPollInterval 10
> >> >
> >> > System/Windows Time Service/Time Providers:
> >> >
> >> > Policy Setting
> >> > Configure Windows NTP Client Enabled
> >> > NtpServer 172.16.0.6,0x1
> >> > Type NT5DS
> >> > CrossSiteSyncFlags 2
> >> > ResolvePeerBackoffMinutes 15
> >> > ResolvePeerBackoffMaxTimes 7
> >> > SpecialPollInterval 3600
> >> > EventLogFlags 0
> >> >
> >> > Policy Setting
> >> > Enable Windows NTP Client Enabled
> >> >
> >> >
> >> > The settings are for the most part identical to the default settings.
> >> >
> >> > What we noticed is that since implementing the time service via AD [or
> >> > at
> >> > least we believe so], the typical local non-administrator can change
> >> > the
> >> > time
> >> > manually on their own. But in normal domain setup, they can't. So
> >> > what's
> >> > going on?
> >>
> >>
>
>
 
Re: Non-administrators can change time?

In message <B25C993B-F584-4058-8BD7-30E0BD303BF9@microsoft.com> Gis Bun
<GisBun@discussions.microsoft.com> wrote:

>A follow up then. Is it possible to have a user see the calendar but not
>change anything?

In Vista, yes. In XP, no.
 
Re: Non-administrators can change time?

Windows Server 2003 DOES have built in NTP service and can provide time
syncronization to clients. In a domain, the default is for all member
computers to syncronize their time with a domain controller. Domain
controllers syncronize their time according to a defined hierarchy.

In "normal" situations, one only has to configure one Domain Controller to
be a "reliable" time source and to synchronize its time with an external
time source. Everything else required to keep all the domain controllers
and domain members in sync is done automatically by the Windows Time
Service.

See, for example:
http://blogs.technet.com/industry_insiders/articles/w32_tm_service.aspx
http://technet.microsoft.com/en-us/library/cc773061.aspx
http://technet.microsoft.com/en-us/library/cc786897.aspx
http://technet.microsoft.com/en-us/library/cc739801.aspx
--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.



"Gis Bun" <GisBun@discussions.microsoft.com> wrote in message
news:A0EA2689-4007-4A0E-9EDF-DFBC9BA5BAF0@microsoft.com...
>I think I chose the default settings.
>
> When i started to work at where I am, I had noticed that the PCs were
> slighly out of sync. I had though also that maybe Server 2003 provided
> syncing but I guess not since I've read threads about using the "net"
> command
> in a login script and how it fails if you don't have admin rights.
>
> "Bruce Sanderson" wrote:
>
>> This seems to be feature in Windows XP - Users can change the local
>> time.
>> The time will be corrected at the next time synchronization by the
>> Windows
>> Time Service.
>> With Vista, Users can not change the time - an elevated administrative
>> account is required.
>>
>> By the way, since "Type" is set to "NT5DS", the setting in "NtpServer"
>> will
>> be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time
>> server
>> hierarchy.
>>
>> Since the Time Service is automatically configured on all domain joined
>> computers by default to use the domain's NTP time hierarchy, I'm curious
>> as
>> to why you are configuring the Time Service "in AD" (via a GPO?)?
>>
>> --
>> Bruce Sanderson
>> http://members.shaw.ca/bsanders/
>> It's perfectly useless to know the right answer to the wrong question.
>>
>>
>> "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message
>> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com...
>> > Hi,
>> >
>> > We implemented a while back the time service through our AD such that
>> > the
>> > PCs would sync with one of our services. The following is the rough
>> > equivalent to what is set in AD:
>> >
>> > System/Windows Time Service:
>> > FrequencyCorrectRate 4
>> > HoldPeriod 5
>> > LargePhaseOffset 1280000
>> > MaxAllowedPhaseOffset 300
>> > MaxNegPhaseCorrection 54000
>> > MaxPosPhaseCorrection 54000
>> > PhaseCorrectRate 1
>> > PollAdjustFactor 5
>> > SpikeWatchPeriod 90
>> > UpdateInterval 30000
>> > General Parameters
>> > AnnounceFlags 10
>> > EventLogFlags 2
>> > LocalClockDispersion 10
>> > MaxPollInterval 15
>> > MinPollInterval 10
>> >
>> > System/Windows Time Service/Time Providers:
>> >
>> > Policy Setting
>> > Configure Windows NTP Client Enabled
>> > NtpServer 172.16.0.6,0x1
>> > Type NT5DS
>> > CrossSiteSyncFlags 2
>> > ResolvePeerBackoffMinutes 15
>> > ResolvePeerBackoffMaxTimes 7
>> > SpecialPollInterval 3600
>> > EventLogFlags 0
>> >
>> > Policy Setting
>> > Enable Windows NTP Client Enabled
>> >
>> >
>> > The settings are for the most part identical to the default settings.
>> >
>> > What we noticed is that since implementing the time service via AD [or
>> > at
>> > least we believe so], the typical local non-administrator can change
>> > the
>> > time
>> > manually on their own. But in normal domain setup, they can't. So
>> > what's
>> > going on?
>>
>>
 

Similar threads

R
Time sync won't change from NT5DS
Replies
0
Views
269
RLAGroup
R
T
Issues With Ntp Server (W32Time)
Replies
0
Views
2,299
TrexXx
T
J
Syncronizing time: Server 2003
Replies
3
Views
252
Meinolf Weber
M
J
Windows 2003 W32TM connection to Time Server problem
Replies
3
Views
289
Meinolf Weber
M
M
Windows 2003 Domain Controller Won't Sync Time w/ External Clock
Replies
0
Views
180
Marks70
M
Back
Top