Guest Gis Bun Posted September 2, 2008 Posted September 2, 2008 Hi, We implemented a while back the time service through our AD such that the PCs would sync with one of our services. The following is the rough equivalent to what is set in AD: System/Windows Time Service: FrequencyCorrectRate 4 HoldPeriod 5 LargePhaseOffset 1280000 MaxAllowedPhaseOffset 300 MaxNegPhaseCorrection 54000 MaxPosPhaseCorrection 54000 PhaseCorrectRate 1 PollAdjustFactor 5 SpikeWatchPeriod 90 UpdateInterval 30000 General Parameters AnnounceFlags 10 EventLogFlags 2 LocalClockDispersion 10 MaxPollInterval 15 MinPollInterval 10 System/Windows Time Service/Time Providers: Policy Setting Configure Windows NTP Client Enabled NtpServer 172.16.0.6,0x1 Type NT5DS CrossSiteSyncFlags 2 ResolvePeerBackoffMinutes 15 ResolvePeerBackoffMaxTimes 7 SpecialPollInterval 3600 EventLogFlags 0 Policy Setting Enable Windows NTP Client Enabled The settings are for the most part identical to the default settings. What we noticed is that since implementing the time service via AD [or at least we believe so], the typical local non-administrator can change the time manually on their own. But in normal domain setup, they can't. So what's going on?
Guest Mathieu CHATEAU Posted September 2, 2008 Posted September 2, 2008 Re: Non-administrators can change time? Hello, by default your can't change time, double clicking on the clock says that you need administrator right. Maybe they are member of power users ? -- Cordialement, Mathieu CHATEAU English blog: http://lordoftheping.blogspot.com French blog: http://www.lotp.fr "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... > Hi, > > We implemented a while back the time service through our AD such that the > PCs would sync with one of our services. The following is the rough > equivalent to what is set in AD: > > System/Windows Time Service: > FrequencyCorrectRate 4 > HoldPeriod 5 > LargePhaseOffset 1280000 > MaxAllowedPhaseOffset 300 > MaxNegPhaseCorrection 54000 > MaxPosPhaseCorrection 54000 > PhaseCorrectRate 1 > PollAdjustFactor 5 > SpikeWatchPeriod 90 > UpdateInterval 30000 > General Parameters > AnnounceFlags 10 > EventLogFlags 2 > LocalClockDispersion 10 > MaxPollInterval 15 > MinPollInterval 10 > > System/Windows Time Service/Time Providers: > > Policy Setting > Configure Windows NTP Client Enabled > NtpServer 172.16.0.6,0x1 > Type NT5DS > CrossSiteSyncFlags 2 > ResolvePeerBackoffMinutes 15 > ResolvePeerBackoffMaxTimes 7 > SpecialPollInterval 3600 > EventLogFlags 0 > > Policy Setting > Enable Windows NTP Client Enabled > > > The settings are for the most part identical to the default settings. > > What we noticed is that since implementing the time service via AD [or at > least we believe so], the typical local non-administrator can change the > time > manually on their own. But in normal domain setup, they can't. So what's > going on?
Guest Bruce Sanderson Posted September 2, 2008 Posted September 2, 2008 Re: Non-administrators can change time? This seems to be feature in Windows XP - Users can change the local time. The time will be corrected at the next time synchronization by the Windows Time Service. With Vista, Users can not change the time - an elevated administrative account is required. By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" will be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time server hierarchy. Since the Time Service is automatically configured on all domain joined computers by default to use the domain's NTP time hierarchy, I'm curious as to why you are configuring the Time Service "in AD" (via a GPO?)? -- Bruce Sanderson http://members.shaw.ca/bsanders/ It's perfectly useless to know the right answer to the wrong question. "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... > Hi, > > We implemented a while back the time service through our AD such that the > PCs would sync with one of our services. The following is the rough > equivalent to what is set in AD: > > System/Windows Time Service: > FrequencyCorrectRate 4 > HoldPeriod 5 > LargePhaseOffset 1280000 > MaxAllowedPhaseOffset 300 > MaxNegPhaseCorrection 54000 > MaxPosPhaseCorrection 54000 > PhaseCorrectRate 1 > PollAdjustFactor 5 > SpikeWatchPeriod 90 > UpdateInterval 30000 > General Parameters > AnnounceFlags 10 > EventLogFlags 2 > LocalClockDispersion 10 > MaxPollInterval 15 > MinPollInterval 10 > > System/Windows Time Service/Time Providers: > > Policy Setting > Configure Windows NTP Client Enabled > NtpServer 172.16.0.6,0x1 > Type NT5DS > CrossSiteSyncFlags 2 > ResolvePeerBackoffMinutes 15 > ResolvePeerBackoffMaxTimes 7 > SpecialPollInterval 3600 > EventLogFlags 0 > > Policy Setting > Enable Windows NTP Client Enabled > > > The settings are for the most part identical to the default settings. > > What we noticed is that since implementing the time service via AD [or at > least we believe so], the typical local non-administrator can change the > time > manually on their own. But in normal domain setup, they can't. So what's > going on?
Guest Bruce Sanderson Posted September 2, 2008 Posted September 2, 2008 Re: Non-administrators can change time? Sorry, I was mistaken, Matheiu is correct - Users can not change the local time under Windows XP. -- Bruce Sanderson http://members.shaw.ca/bsanders/ It's perfectly useless to know the right answer to the wrong question. "Bruce Sanderson" <bsanders@newsgroups.nospam> wrote in message news:e7KbWeTDJHA.528@TK2MSFTNGP06.phx.gbl... > This seems to be feature in Windows XP - Users can change the local time. > The time will be corrected at the next time synchronization by the Windows > Time Service. > With Vista, Users can not change the time - an elevated administrative > account is required. > > By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" > will be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time > server hierarchy. > > Since the Time Service is automatically configured on all domain joined > computers by default to use the domain's NTP time hierarchy, I'm curious > as to why you are configuring the Time Service "in AD" (via a GPO?)? > > -- > Bruce Sanderson > http://members.shaw.ca/bsanders/ > It's perfectly useless to know the right answer to the wrong question. > > > "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message > news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... >> Hi, >> >> We implemented a while back the time service through our AD such that the >> PCs would sync with one of our services. The following is the rough >> equivalent to what is set in AD: >> >> System/Windows Time Service: >> FrequencyCorrectRate 4 >> HoldPeriod 5 >> LargePhaseOffset 1280000 >> MaxAllowedPhaseOffset 300 >> MaxNegPhaseCorrection 54000 >> MaxPosPhaseCorrection 54000 >> PhaseCorrectRate 1 >> PollAdjustFactor 5 >> SpikeWatchPeriod 90 >> UpdateInterval 30000 >> General Parameters >> AnnounceFlags 10 >> EventLogFlags 2 >> LocalClockDispersion 10 >> MaxPollInterval 15 >> MinPollInterval 10 >> >> System/Windows Time Service/Time Providers: >> >> Policy Setting >> Configure Windows NTP Client Enabled >> NtpServer 172.16.0.6,0x1 >> Type NT5DS >> CrossSiteSyncFlags 2 >> ResolvePeerBackoffMinutes 15 >> ResolvePeerBackoffMaxTimes 7 >> SpecialPollInterval 3600 >> EventLogFlags 0 >> >> Policy Setting >> Enable Windows NTP Client Enabled >> >> >> The settings are for the most part identical to the default settings. >> >> What we noticed is that since implementing the time service via AD [or at >> least we believe so], the typical local non-administrator can change the >> time >> manually on their own. But in normal domain setup, they can't. So what's >> going on? >
Guest Gis Bun Posted September 2, 2008 Posted September 2, 2008 Re: Non-administrators can change time? Hi Mathieu, We don't use the Power Users in XP. About 50+ users are given basic rights. No need for anything out of the ordinary. They can't even install the Adobe Flash player via the web. Thanks "Mathieu CHATEAU" wrote: > Hello, > > by default your can't change time, double clicking on the clock says that > you need administrator right. > Maybe they are member of power users ? > > > -- > Cordialement, > Mathieu CHATEAU > English blog: http://lordoftheping.blogspot.com > French blog: http://www.lotp.fr > > "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de > news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... > > Hi, > > > > We implemented a while back the time service through our AD such that the > > PCs would sync with one of our services. The following is the rough > > equivalent to what is set in AD: > > > > System/Windows Time Service: > > FrequencyCorrectRate 4 > > HoldPeriod 5 > > LargePhaseOffset 1280000 > > MaxAllowedPhaseOffset 300 > > MaxNegPhaseCorrection 54000 > > MaxPosPhaseCorrection 54000 > > PhaseCorrectRate 1 > > PollAdjustFactor 5 > > SpikeWatchPeriod 90 > > UpdateInterval 30000 > > General Parameters > > AnnounceFlags 10 > > EventLogFlags 2 > > LocalClockDispersion 10 > > MaxPollInterval 15 > > MinPollInterval 10 > > > > System/Windows Time Service/Time Providers: > > > > Policy Setting > > Configure Windows NTP Client Enabled > > NtpServer 172.16.0.6,0x1 > > Type NT5DS > > CrossSiteSyncFlags 2 > > ResolvePeerBackoffMinutes 15 > > ResolvePeerBackoffMaxTimes 7 > > SpecialPollInterval 3600 > > EventLogFlags 0 > > > > Policy Setting > > Enable Windows NTP Client Enabled > > > > > > The settings are for the most part identical to the default settings. > > > > What we noticed is that since implementing the time service via AD [or at > > least we believe so], the typical local non-administrator can change the > > time > > manually on their own. But in normal domain setup, they can't. So what's > > going on? > >
Guest Gis Bun Posted September 2, 2008 Posted September 2, 2008 Re: Non-administrators can change time? I think I chose the default settings. When i started to work at where I am, I had noticed that the PCs were slighly out of sync. I had though also that maybe Server 2003 provided syncing but I guess not since I've read threads about using the "net" command in a login script and how it fails if you don't have admin rights. "Bruce Sanderson" wrote: > This seems to be feature in Windows XP - Users can change the local time. > The time will be corrected at the next time synchronization by the Windows > Time Service. > With Vista, Users can not change the time - an elevated administrative > account is required. > > By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" will > be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time server > hierarchy. > > Since the Time Service is automatically configured on all domain joined > computers by default to use the domain's NTP time hierarchy, I'm curious as > to why you are configuring the Time Service "in AD" (via a GPO?)? > > -- > Bruce Sanderson > http://members.shaw.ca/bsanders/ > It's perfectly useless to know the right answer to the wrong question. > > > "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message > news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... > > Hi, > > > > We implemented a while back the time service through our AD such that the > > PCs would sync with one of our services. The following is the rough > > equivalent to what is set in AD: > > > > System/Windows Time Service: > > FrequencyCorrectRate 4 > > HoldPeriod 5 > > LargePhaseOffset 1280000 > > MaxAllowedPhaseOffset 300 > > MaxNegPhaseCorrection 54000 > > MaxPosPhaseCorrection 54000 > > PhaseCorrectRate 1 > > PollAdjustFactor 5 > > SpikeWatchPeriod 90 > > UpdateInterval 30000 > > General Parameters > > AnnounceFlags 10 > > EventLogFlags 2 > > LocalClockDispersion 10 > > MaxPollInterval 15 > > MinPollInterval 10 > > > > System/Windows Time Service/Time Providers: > > > > Policy Setting > > Configure Windows NTP Client Enabled > > NtpServer 172.16.0.6,0x1 > > Type NT5DS > > CrossSiteSyncFlags 2 > > ResolvePeerBackoffMinutes 15 > > ResolvePeerBackoffMaxTimes 7 > > SpecialPollInterval 3600 > > EventLogFlags 0 > > > > Policy Setting > > Enable Windows NTP Client Enabled > > > > > > The settings are for the most part identical to the default settings. > > > > What we noticed is that since implementing the time service via AD [or at > > least we believe so], the typical local non-administrator can change the > > time > > manually on their own. But in normal domain setup, they can't. So what's > > going on? > >
Guest Mathieu CHATEAU Posted September 2, 2008 Posted September 2, 2008 Re: Non-administrators can change time? But with vista, user change the timezone (but not the time itself i think) -- Cordialement, Mathieu CHATEAU English blog: http://lordoftheping.blogspot.com French blog: http://www.lotp.fr "Bruce Sanderson" <bsanders@newsgroups.nospam> a écrit dans le message de news:Ocr5agTDJHA.2060@TK2MSFTNGP05.phx.gbl... > Sorry, I was mistaken, Matheiu is correct - Users can not change the local > time under Windows XP. > > -- > Bruce Sanderson > http://members.shaw.ca/bsanders/ > It's perfectly useless to know the right answer to the wrong question. > > > "Bruce Sanderson" <bsanders@newsgroups.nospam> wrote in message > news:e7KbWeTDJHA.528@TK2MSFTNGP06.phx.gbl... >> This seems to be feature in Windows XP - Users can change the local >> time. The time will be corrected at the next time synchronization by the >> Windows Time Service. >> With Vista, Users can not change the time - an elevated administrative >> account is required. >> >> By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" >> will be ignored. "Type" of "NT5DS" specifies to use the domain's NTP >> time server hierarchy. >> >> Since the Time Service is automatically configured on all domain joined >> computers by default to use the domain's NTP time hierarchy, I'm curious >> as to why you are configuring the Time Service "in AD" (via a GPO?)? >> >> -- >> Bruce Sanderson >> http://members.shaw.ca/bsanders/ >> It's perfectly useless to know the right answer to the wrong question. >> >> >> "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message >> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... >>> Hi, >>> >>> We implemented a while back the time service through our AD such that >>> the >>> PCs would sync with one of our services. The following is the rough >>> equivalent to what is set in AD: >>> >>> System/Windows Time Service: >>> FrequencyCorrectRate 4 >>> HoldPeriod 5 >>> LargePhaseOffset 1280000 >>> MaxAllowedPhaseOffset 300 >>> MaxNegPhaseCorrection 54000 >>> MaxPosPhaseCorrection 54000 >>> PhaseCorrectRate 1 >>> PollAdjustFactor 5 >>> SpikeWatchPeriod 90 >>> UpdateInterval 30000 >>> General Parameters >>> AnnounceFlags 10 >>> EventLogFlags 2 >>> LocalClockDispersion 10 >>> MaxPollInterval 15 >>> MinPollInterval 10 >>> >>> System/Windows Time Service/Time Providers: >>> >>> Policy Setting >>> Configure Windows NTP Client Enabled >>> NtpServer 172.16.0.6,0x1 >>> Type NT5DS >>> CrossSiteSyncFlags 2 >>> ResolvePeerBackoffMinutes 15 >>> ResolvePeerBackoffMaxTimes 7 >>> SpecialPollInterval 3600 >>> EventLogFlags 0 >>> >>> Policy Setting >>> Enable Windows NTP Client Enabled >>> >>> >>> The settings are for the most part identical to the default settings. >>> >>> What we noticed is that since implementing the time service via AD [or >>> at >>> least we believe so], the typical local non-administrator can change the >>> time >>> manually on their own. But in normal domain setup, they can't. So what's >>> going on? >> >
Guest Mathieu CHATEAU Posted September 2, 2008 Posted September 2, 2008 Re: Non-administrators can change time? Can you manually check on one station that anything went wrong it local groups or domain admins groups ? Restricted group used in gpo ? As it's not possible by default, something has been changed somewhere -- Cordialement, Mathieu CHATEAU English blog: http://lordoftheping.blogspot.com French blog: http://www.lotp.fr "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de news:EB09C968-773A-4D34-A873-83CA760A2592@microsoft.com... > Hi Mathieu, > > We don't use the Power Users in XP. About 50+ users are given basic > rights. > No need for anything out of the ordinary. They can't even install the > Adobe > Flash player via the web. > > Thanks > > > "Mathieu CHATEAU" wrote: > >> Hello, >> >> by default your can't change time, double clicking on the clock says that >> you need administrator right. >> Maybe they are member of power users ? >> >> >> -- >> Cordialement, >> Mathieu CHATEAU >> English blog: http://lordoftheping.blogspot.com >> French blog: http://www.lotp.fr >> >> "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de >> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... >> > Hi, >> > >> > We implemented a while back the time service through our AD such that >> > the >> > PCs would sync with one of our services. The following is the rough >> > equivalent to what is set in AD: >> > >> > System/Windows Time Service: >> > FrequencyCorrectRate 4 >> > HoldPeriod 5 >> > LargePhaseOffset 1280000 >> > MaxAllowedPhaseOffset 300 >> > MaxNegPhaseCorrection 54000 >> > MaxPosPhaseCorrection 54000 >> > PhaseCorrectRate 1 >> > PollAdjustFactor 5 >> > SpikeWatchPeriod 90 >> > UpdateInterval 30000 >> > General Parameters >> > AnnounceFlags 10 >> > EventLogFlags 2 >> > LocalClockDispersion 10 >> > MaxPollInterval 15 >> > MinPollInterval 10 >> > >> > System/Windows Time Service/Time Providers: >> > >> > Policy Setting >> > Configure Windows NTP Client Enabled >> > NtpServer 172.16.0.6,0x1 >> > Type NT5DS >> > CrossSiteSyncFlags 2 >> > ResolvePeerBackoffMinutes 15 >> > ResolvePeerBackoffMaxTimes 7 >> > SpecialPollInterval 3600 >> > EventLogFlags 0 >> > >> > Policy Setting >> > Enable Windows NTP Client Enabled >> > >> > >> > The settings are for the most part identical to the default settings. >> > >> > What we noticed is that since implementing the time service via AD [or >> > at >> > least we believe so], the typical local non-administrator can change >> > the >> > time >> > manually on their own. But in normal domain setup, they can't. So >> > what's >> > going on? >> >>
Guest Gis Bun Posted September 3, 2008 Posted September 3, 2008 Re: Non-administrators can change time? Oooops. "Me bad". I thought I checked the Power Users but I guess I didn't. The user had Power User rights. Now it's removed.... A follow up then. Is it possible to have a user see the calendar but not change anything? "Mathieu CHATEAU" wrote: > Can you manually check on one station that anything went wrong it local > groups or domain admins groups ? > Restricted group used in gpo ? > > As it's not possible by default, something has been changed somewhere > > -- > Cordialement, > Mathieu CHATEAU > English blog: http://lordoftheping.blogspot.com > French blog: http://www.lotp.fr > > "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de > news:EB09C968-773A-4D34-A873-83CA760A2592@microsoft.com... > > Hi Mathieu, > > > > We don't use the Power Users in XP. About 50+ users are given basic > > rights. > > No need for anything out of the ordinary. They can't even install the > > Adobe > > Flash player via the web. > > > > Thanks > > > > > > "Mathieu CHATEAU" wrote: > > > >> Hello, > >> > >> by default your can't change time, double clicking on the clock says that > >> you need administrator right. > >> Maybe they are member of power users ? > >> > >> > >> -- > >> Cordialement, > >> Mathieu CHATEAU > >> English blog: http://lordoftheping.blogspot.com > >> French blog: http://www.lotp.fr > >> > >> "Gis Bun" <GisBun@discussions.microsoft.com> a écrit dans le message de > >> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... > >> > Hi, > >> > > >> > We implemented a while back the time service through our AD such that > >> > the > >> > PCs would sync with one of our services. The following is the rough > >> > equivalent to what is set in AD: > >> > > >> > System/Windows Time Service: > >> > FrequencyCorrectRate 4 > >> > HoldPeriod 5 > >> > LargePhaseOffset 1280000 > >> > MaxAllowedPhaseOffset 300 > >> > MaxNegPhaseCorrection 54000 > >> > MaxPosPhaseCorrection 54000 > >> > PhaseCorrectRate 1 > >> > PollAdjustFactor 5 > >> > SpikeWatchPeriod 90 > >> > UpdateInterval 30000 > >> > General Parameters > >> > AnnounceFlags 10 > >> > EventLogFlags 2 > >> > LocalClockDispersion 10 > >> > MaxPollInterval 15 > >> > MinPollInterval 10 > >> > > >> > System/Windows Time Service/Time Providers: > >> > > >> > Policy Setting > >> > Configure Windows NTP Client Enabled > >> > NtpServer 172.16.0.6,0x1 > >> > Type NT5DS > >> > CrossSiteSyncFlags 2 > >> > ResolvePeerBackoffMinutes 15 > >> > ResolvePeerBackoffMaxTimes 7 > >> > SpecialPollInterval 3600 > >> > EventLogFlags 0 > >> > > >> > Policy Setting > >> > Enable Windows NTP Client Enabled > >> > > >> > > >> > The settings are for the most part identical to the default settings. > >> > > >> > What we noticed is that since implementing the time service via AD [or > >> > at > >> > least we believe so], the typical local non-administrator can change > >> > the > >> > time > >> > manually on their own. But in normal domain setup, they can't. So > >> > what's > >> > going on? > >> > >> > >
Guest DevilsPGD Posted September 3, 2008 Posted September 3, 2008 Re: Non-administrators can change time? In message <B25C993B-F584-4058-8BD7-30E0BD303BF9@microsoft.com> Gis Bun <GisBun@discussions.microsoft.com> wrote: >A follow up then. Is it possible to have a user see the calendar but not >change anything? In Vista, yes. In XP, no.
Guest Bruce Sanderson Posted September 12, 2008 Posted September 12, 2008 Re: Non-administrators can change time? Windows Server 2003 DOES have built in NTP service and can provide time syncronization to clients. In a domain, the default is for all member computers to syncronize their time with a domain controller. Domain controllers syncronize their time according to a defined hierarchy. In "normal" situations, one only has to configure one Domain Controller to be a "reliable" time source and to synchronize its time with an external time source. Everything else required to keep all the domain controllers and domain members in sync is done automatically by the Windows Time Service. See, for example: http://blogs.technet.com/industry_insiders/articles/w32_tm_service.aspx http://technet.microsoft.com/en-us/library/cc773061.aspx http://technet.microsoft.com/en-us/library/cc786897.aspx http://technet.microsoft.com/en-us/library/cc739801.aspx -- Bruce Sanderson http://members.shaw.ca/bsanders It is perfectly useless to know the right answer to the wrong question. "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message news:A0EA2689-4007-4A0E-9EDF-DFBC9BA5BAF0@microsoft.com... >I think I chose the default settings. > > When i started to work at where I am, I had noticed that the PCs were > slighly out of sync. I had though also that maybe Server 2003 provided > syncing but I guess not since I've read threads about using the "net" > command > in a login script and how it fails if you don't have admin rights. > > "Bruce Sanderson" wrote: > >> This seems to be feature in Windows XP - Users can change the local >> time. >> The time will be corrected at the next time synchronization by the >> Windows >> Time Service. >> With Vista, Users can not change the time - an elevated administrative >> account is required. >> >> By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" >> will >> be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time >> server >> hierarchy. >> >> Since the Time Service is automatically configured on all domain joined >> computers by default to use the domain's NTP time hierarchy, I'm curious >> as >> to why you are configuring the Time Service "in AD" (via a GPO?)? >> >> -- >> Bruce Sanderson >> http://members.shaw.ca/bsanders/ >> It's perfectly useless to know the right answer to the wrong question. >> >> >> "Gis Bun" <GisBun@discussions.microsoft.com> wrote in message >> news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@microsoft.com... >> > Hi, >> > >> > We implemented a while back the time service through our AD such that >> > the >> > PCs would sync with one of our services. The following is the rough >> > equivalent to what is set in AD: >> > >> > System/Windows Time Service: >> > FrequencyCorrectRate 4 >> > HoldPeriod 5 >> > LargePhaseOffset 1280000 >> > MaxAllowedPhaseOffset 300 >> > MaxNegPhaseCorrection 54000 >> > MaxPosPhaseCorrection 54000 >> > PhaseCorrectRate 1 >> > PollAdjustFactor 5 >> > SpikeWatchPeriod 90 >> > UpdateInterval 30000 >> > General Parameters >> > AnnounceFlags 10 >> > EventLogFlags 2 >> > LocalClockDispersion 10 >> > MaxPollInterval 15 >> > MinPollInterval 10 >> > >> > System/Windows Time Service/Time Providers: >> > >> > Policy Setting >> > Configure Windows NTP Client Enabled >> > NtpServer 172.16.0.6,0x1 >> > Type NT5DS >> > CrossSiteSyncFlags 2 >> > ResolvePeerBackoffMinutes 15 >> > ResolvePeerBackoffMaxTimes 7 >> > SpecialPollInterval 3600 >> > EventLogFlags 0 >> > >> > Policy Setting >> > Enable Windows NTP Client Enabled >> > >> > >> > The settings are for the most part identical to the default settings. >> > >> > What we noticed is that since implementing the time service via AD [or >> > at >> > least we believe so], the typical local non-administrator can change >> > the >> > time >> > manually on their own. But in normal domain setup, they can't. So >> > what's >> > going on? >> >>
Recommended Posts