Announcement

Collapse
No announcement yet.

GPO to prevent users changing the time except users from one specified group

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • GPO to prevent users changing the time except users from one specified group

    Hello,

    What I did by now:
    - I created a new policy
    - on User Rights Assigment, at the "Change the system time" I filled the group ("change time") that is allowed to change the time.
    - I didn't link the policy to any OU

    - on the client computer I used "gpupdate /force"
    That results in preventing ALL the users (even those that are members to the group "change_time") to change the time

    Would you help me, please?
    Thank you

  • #2
    Re: GPO to prevent users changing the time except users from one specified group

    You'll need to link the GPO to the OU containing the computers you want to apply this setting to.
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    Comment


    • #3
      Re: GPO to prevent users changing the time except users from one specified group

      Thank you, Jeremy

      Forget about the group I mentioned before. I delete the group and the policy and start from the scratch
      I simplified the whole story:

      1. I create 2 users: user1 and user2
      2. I create a test OU: change_time
      3. I put the client computer (Bonn) in this OU (change_time)
      4. I create a policy and I linked to change_time OU
      In this policy, at User Rights Assigment > Change the system time, I put user1. That means only user1 logged on the computer Bonn can change the time (user2 is not allowed to do that). Please correct me if I'm wrong.

      5. On the client computer (Bonn), I enforce the policy (gpupdate /force).

      It' doesn't work. Both users are prevent to change the time.
      Any ideeas?

      Thank you
      Last edited by monolith; 11th November 2006, 23:26.

      Comment


      • #4
        Re: GPO to prevent users changing the time except users from one specified group

        Originally posted by monolith View Post
        In this policy, at User Rights Assigment > Change the system time, I put user1. That means only user1 logged on the computer Bonn can change the time (user2 is not allowed to do that). Please correct me if I'm wrong.
        Yup, that's how it's suposed to work.

        5. On the client computer (Bonn), I enforce the policy (gpupdate /force).

        It' doesn't work. Both users are prevent to change the time.
        Hmm, there are some policy settings that either require a reboot or logoff and IIRC it prompts you if necessary. In this case I don't this it's the issue but reboot just to rule it out. What I do think is that for some reason the GPO isn't getting applied. Run gpresults on the client and check to see if the GPO is listed as one that is applied. Post the results if you have any questions about it.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        Comment


        • #5
          Re: GPO to prevent users changing the time except users from one specified group

          Code:
          Microsoft (R) Windows (R) XP Operating System Group Policy Result tool v2.0
          Copyright (C) Microsoft Corp. 1981-2001
          
          Created On 11/12/2006 at 3:58:14 PM
          
          
          
          RSOP results for NWTRADERS\user1 on BONN : Logging Mode
          --------------------------------------------------------
          
          OS Type:                     Microsoft Windows XP Professional
          OS Configuration:            Member Workstation
          OS Version:                  5.1.2600
          Domain Name:                 NWTRADERS
          Domain Type:                 Windows 2000
          Site Name:                   Default-First-Site
          Roaming Profile:             
          Local Profile:               C:\Documents and Settings\user1
          Connected over a slow link?: No
          
          
          COMPUTER SETTINGS
          ------------------
              CN=BONN,OU=change_time,DC=nwtraders,DC=msft
              Last time Group Policy was applied: 11/12/2006 at 3:57:03 PM
              Group Policy was applied from:      Glasgow.nwtraders.msft
              Group Policy slow link threshold:   500 kbps
          
              Applied Group Policy Objects
              -----------------------------
                  change_time
                  Default Domain Policy
          
              The following GPOs were not applied because they were filtered out
              -------------------------------------------------------------------
                  Local Group Policy
                      Filtering:  Not Applied (Empty)
          
              The computer is a part of the following security groups:
              --------------------------------------------------------
                  BUILTIN\Administrators
                  Everyone
                  BUILTIN\Users
                  BONN$
                  Domain Computers
                  NT AUTHORITY\NETWORK
                  NT AUTHORITY\Authenticated Users
                  
          
          USER SETTINGS
          --------------
              CN=user1,CN=Users,DC=nwtraders,DC=msft
              Last time Group Policy was applied: 11/12/2006 at 3:56:51 PM
              Group Policy was applied from:      Glasgow.nwtraders.msft
              Group Policy slow link threshold:   500 kbps
          
              Applied Group Policy Objects
              -----------------------------
                  Default Domain Policy
          
              The following GPOs were not applied because they were filtered out
              -------------------------------------------------------------------
                  Local Group Policy
                      Filtering:  Not Applied (Empty)
          
              The user is a part of the following security groups:
              ----------------------------------------------------
                  Domain Users
                  Everyone
                  BUILTIN\Users
                  LOCAL
                  NT AUTHORITY\INTERACTIVE
                  NT AUTHORITY\Authenticated Users

          Comment


          • #6
            Re: GPO to prevent users changing the time except users from one specified group

            Well the GPO is being applied.
            Two things:
            -restart the computer and check again
            -check the GPO to make sure you've configured the setting.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com

            Comment

            Working...
            X