
Non-administrators can change time?



Guest Gis Bun
Posted

Hi,

We implemented a while back the time service through our AD such that the PCs would sync with one of our services. The following is the rough equivalent to what is set in AD:

System/Windows Time Service:

    FrequencyCorrectRate 4
    HoldPeriod 5
    LargePhaseOffset 1280000
    MaxAllowedPhaseOffset 300
    MaxNegPhaseCorrection 54000
    MaxPosPhaseCorrection 54000
    PhaseCorrectRate 1
    PollAdjustFactor 5
    SpikeWatchPeriod 90
    UpdateInterval 30000

    General Parameters
    AnnounceFlags 10
    EventLogFlags 2
    LocalClockDispersion 10
    MaxPollInterval 15
    MinPollInterval 10

System/Windows Time Service/Time Providers:

    Policy                          Setting
    Configure Windows NTP Client    Enabled
    NtpServer 172.16.0.6,0x1
    Type NT5DS
    CrossSiteSyncFlags 2
    ResolvePeerBackoffMinutes 15
    ResolvePeerBackoffMaxTimes 7
    SpecialPollInterval 3600
    EventLogFlags 0

    Policy                          Setting
    Enable Windows NTP Client       Enabled

The settings are for the most part identical to the default settings.

What we noticed is that since implementing the time service via AD [or at least we believe so], the typical local non-administrator can change the time manually on their own. But in normal domain setup, they can't. So what's going on?

Guest Mathieu CHATEAU
Posted

Re: Non-administrators can change time?

 

Hello,

By default you can't change the time; double-clicking on the clock says that you need administrator rights.
Maybe they are members of Power Users?

--
Regards,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

Guest Bruce Sanderson
Posted

Re: Non-administrators can change time?

 

This seems to be a feature in Windows XP - Users can change the local time. The time will be corrected at the next time synchronization by the Windows Time Service.
With Vista, Users can not change the time - an elevated administrative account is required.

By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" will be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time server hierarchy.

Since the Time Service is automatically configured on all domain joined computers by default to use the domain's NTP time hierarchy, I'm curious as to why you are configuring the Time Service "in AD" (via a GPO?)?

--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.

Guest Bruce Sanderson
Posted

Re: Non-administrators can change time?

 

Sorry, I was mistaken, Mathieu is correct - Users can not change the local time under Windows XP.

--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.

Guest Gis Bun
Posted

Re: Non-administrators can change time?

 

Hi Mathieu,

We don't use the Power Users in XP. About 50+ users are given basic rights. No need for anything out of the ordinary. They can't even install the Adobe Flash player via the web.

Thanks

Guest Gis Bun
Posted

Re: Non-administrators can change time?

 

I think I chose the default settings.

When I started to work at where I am, I had noticed that the PCs were slightly out of sync. I had thought also that maybe Server 2003 provided syncing but I guess not since I've read threads about using the "net" command in a login script and how it fails if you don't have admin rights.

Guest Mathieu CHATEAU
Posted

Re: Non-administrators can change time?

 

But with Vista, users can change the timezone (but not the time itself, I think).

--
Regards,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

Guest Mathieu CHATEAU
Posted

Re: Non-administrators can change time?

 

Can you manually check on one station whether anything went wrong in local groups or domain admins groups?
Restricted group used in a GPO?

As it's not possible by default, something has been changed somewhere.

--
Regards,
Mathieu CHATEAU
English blog: http://lordoftheping.blogspot.com
French blog: http://www.lotp.fr

Guest Gis Bun
Posted

Re: Non-administrators can change time?

 

Oooops. "Me bad".

I thought I checked the Power Users but I guess I didn't. The user had Power User rights. Now it's removed....

A follow up then. Is it possible to have a user see the calendar but not change anything?

Guest DevilsPGD
Posted

Re: Non-administrators can change time?

 

In message <B25C993B-F584-4058-8BD7-30E0BD303BF9@microsoft.com> Gis Bun <GisBun@discussions.microsoft.com> wrote:
> A follow up then. Is it possible to have a user see the calendar but not change anything?

In Vista, yes. In XP, no.
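The cause found earlier in this thread was a user with Power User rights. As an added example that is not part of the thread, the PowerShell below lists which principals hold the "Change the system time" right (SeSystemtimePrivilege) on a workstation and, for built-in local groups among them, who the members are. It assumes an elevated prompt; the function name and temp file name are made up for the example.

```powershell
# Added example, not from the thread. Run from an elevated prompt.
# Reports who holds "Change the system time" (SeSystemtimePrivilege) in the
# effective local security policy, and who belongs to any built-in local
# group that holds it (for example Power Users, S-1-5-32-547).

function Get-SystemTimeRightHolders {   # hypothetical helper name
    # Export only the user-rights section of the local policy to a temp file.
    $inf = Join-Path $env:TEMP 'user-rights-export.inf'   # arbitrary file name
    secedit /export /areas USER_RIGHTS /cfg $inf | Out-Null

    # The export has one line per right, holders comma-separated, e.g.
    #   SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544   (constructed sample)
    $hit = Select-String -Path $inf -Pattern '^SeSystemtimePrivilege\s*=\s*(.+)$' |
        Select-Object -First 1
    Remove-Item $inf -ErrorAction SilentlyContinue
    if (-not $hit) { return }   # the right is not assigned to anyone

    foreach ($entry in ($hit.Matches[0].Groups[1].Value -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }

        $sid     = $null
        $sidText = $null
        $name    = $entry
        if ($entry.StartsWith('*')) {
            # SIDs are written with a leading '*'; translate to a readable name.
            $sid     = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            $sidText = $sid.Value
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sidText }   # SID no longer resolves to an account
        }

        New-Object PSObject -Property @{
            Name    = $name
            Sid     = $sidText
            # S-1-5-32-* are the BUILTIN local groups (Administrators, Power Users, ...)
            BuiltIn = [bool]($sidText -like 'S-1-5-32-*')
        }
    }
}

foreach ($holder in Get-SystemTimeRightHolders) {
    Write-Output ("Holder: {0}  [{1}]" -f $holder.Name, $holder.Sid)
    if ($holder.BuiltIn) {
        # An ordinary user account listed in one of these groups explains
        # why that user can set the clock without being an administrator.
        $group = ($holder.Name -split '\\')[-1]
        net localgroup $group
    }
}
```

On Windows XP the default holders of this right include Power Users, so a user who turns up in that group's member list can set the clock.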

  • 2 weeks later...
Guest Bruce Sanderson
Posted

Re: Non-administrators can change time?

 

Windows Server 2003 DOES have a built-in NTP service and can provide time synchronization to clients. In a domain, the default is for all member computers to synchronize their time with a domain controller. Domain controllers synchronize their time according to a defined hierarchy.

In "normal" situations, one only has to configure one Domain Controller to be a "reliable" time source and to synchronize its time with an external time source. Everything else required to keep all the domain controllers and domain members in sync is done automatically by the Windows Time Service.

See, for example:
http://blogs.technet.com/industry_insiders/articles/w32_tm_service.aspx
http://technet.microsoft.com/en-us/library/cc773061.aspx
http://technet.microsoft.com/en-us/library/cc786897.aspx
http://technet.microsoft.com/en-us/library/cc739801.aspx

--
Bruce Sanderson
http://members.shaw.ca/bsanders

It is perfectly useless to know the right answer to the wrong question.

