Re: Non-administrators can change time?
- From: "Bruce Sanderson" <bsanders@xxxxxxxxxxxxxxxxx>
- Date: Thu, 11 Sep 2008 20:19:27 -0700
Windows Server 2003 DOES have built in NTP service and can provide time syncronization to clients. In a domain, the default is for all member computers to syncronize their time with a domain controller. Domain controllers syncronize their time according to a defined hierarchy.
In "normal" situations, one only has to configure one Domain Controller to be a "reliable" time source and to synchronize its time with an external time source. Everything else required to keep all the domain controllers and domain members in sync is done automatically by the Windows Time Service.
See, for example:
http://blogs.technet.com/industry_insiders/articles/w32_tm_service.aspx
http://technet.microsoft.com/en-us/library/cc773061.aspx
http://technet.microsoft.com/en-us/library/cc786897.aspx
http://technet.microsoft.com/en-us/library/cc739801.aspx
--
Bruce Sanderson
http://members.shaw.ca/bsanders
It is perfectly useless to know the right answer to the wrong question.
"Gis Bun" <GisBun@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:A0EA2689-4007-4A0E-9EDF-DFBC9BA5BAF0@xxxxxxxxxxxxxxxx
I think I chose the default settings.
When i started to work at where I am, I had noticed that the PCs were
slighly out of sync. I had though also that maybe Server 2003 provided
syncing but I guess not since I've read threads about using the "net" command
in a login script and how it fails if you don't have admin rights.
"Bruce Sanderson" wrote:
This seems to be feature in Windows XP - Users can change the local time.
The time will be corrected at the next time synchronization by the Windows
Time Service.
With Vista, Users can not change the time - an elevated administrative
account is required.
By the way, since "Type" is set to "NT5DS", the setting in "NtpServer" will
be ignored. "Type" of "NT5DS" specifies to use the domain's NTP time server
hierarchy.
Since the Time Service is automatically configured on all domain joined
computers by default to use the domain's NTP time hierarchy, I'm curious as
to why you are configuring the Time Service "in AD" (via a GPO?)?
--
Bruce Sanderson
http://members.shaw.ca/bsanders/
It's perfectly useless to know the right answer to the wrong question.
"Gis Bun" <GisBun@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1580BEA9-55AD-4D3C-9CE2-E6FDE07923E9@xxxxxxxxxxxxxxxx
> Hi,
>
> We implemented a while back the time service through our AD such that > the
> PCs would sync with one of our services. The following is the rough
> equivalent to what is set in AD:
>
> System/Windows Time Service:
> FrequencyCorrectRate 4
> HoldPeriod 5
> LargePhaseOffset 1280000
> MaxAllowedPhaseOffset 300
> MaxNegPhaseCorrection 54000
> MaxPosPhaseCorrection 54000
> PhaseCorrectRate 1
> PollAdjustFactor 5
> SpikeWatchPeriod 90
> UpdateInterval 30000
> General Parameters
> AnnounceFlags 10
> EventLogFlags 2
> LocalClockDispersion 10
> MaxPollInterval 15
> MinPollInterval 10
>
> System/Windows Time Service/Time Providers:
>
> Policy Setting
> Configure Windows NTP Client Enabled
> NtpServer 172.16.0.6,0x1
> Type NT5DS
> CrossSiteSyncFlags 2
> ResolvePeerBackoffMinutes 15
> ResolvePeerBackoffMaxTimes 7
> SpecialPollInterval 3600
> EventLogFlags 0
>
> Policy Setting
> Enable Windows NTP Client Enabled
>
>
> The settings are for the most part identical to the default settings.
>
> What we noticed is that since implementing the time service via AD [or > at
> least we believe so], the typical local non-administrator can change > the
> time
> manually on their own. But in normal domain setup, they can't. So > what's
> going on?
.
- Prev by Date: Archiving old files
- Next by Date: Re: Archiving old files
- Previous by thread: Re: Non-administrators can change time?
- Next by thread: Windows Performance Analysis help
- Index(es):
Relevant Pages
|
