can't get login script to set workstation time properly

G

Gerry Voras

I'm working on a Win2K, Active Directory network. I've made a copy of an old
NT Server login script which has the following command:

net time /set /yes

This command works just fine in the 98 and NT workstation environments;
however, when I try to use it in the Win2K environment, with a Win2KPro
workstation, I get the error:

Error 1314, Cannot Set System Clock

I get this error when attempting to log in as a user from the User or
Everyone local groups. This error does not appear when I log in from an
Administrator or Power User

I have attempted to modify the Default Domain Policy on the server at start
| programs | admin tools | Domain Security Policies| Local Policies | User
Rights Assignment | Change System Time to include more groups; the
workstation effective policies do not show the change.

I have also attempted to set the workstation local security policy at start
| programs | admin tools | LSP | User Rights Assignment | Change System Time
to include Everyone and Users; however the effective policy does not show
these groups, and I do not wich to modify the LSP on 100 workstations.

I think there is a set of settings in the AD Domain or Group Policy that I
need to alter, but which ones?

In what I believe is a related detail, workstation users that are not
Administrators or Power Users cannot open the systray clock/calander.
 
M

Miha Pihler

Hi Gerry,

Windows 2000 and XP client in domain will synchronize their time with Active
Directory domain controllers. If you clients time is of by more then 5
minutes, Kerberos authentication will fail and your clients will not be able
to log on to domain.

My advice is to leave Win2k and WinXP time synchronization to domain
controllers and make sure your domain controllers can set their time with
some reliable external public time server...
 
G

Gerry Voras

Forgot to mention... tried the automatic AD approach also, but the
workstations only adjust their time if an Administrator or Power User logs
in. Also, since I'm running a mixed client network, I do need the net time
command to accomodate the older workstations.
 
M

Miha Pihler

Hi Garry,

I am not sure if this will work for you but there is a policy where you can
set which users (groups) can adjust system time. You could add Domain Users
group or create a group of users that use Win2K or WinXP... You can use this
setting with Group Policy.

Setting can be find
Computer Configuration -> Windows Settings ->Security Settings -> Local
Policies -> User Rights Assignment -> Change the system time setting...

Some other resources:
http://www.microsoft.com/windows2000/docs/wintimeserv.doc
http://support.microsoft.com/default.aspx?scid=kb;EN-US;216734
http://support.microsoft.com/default.aspx?scid=kb;EN-US;224799
http://support.microsoft.com/default.aspx?scid=kb;EN-US;223184
http://support.microsoft.com/default.aspx?scid=kb;en-us;297025
 
O

Oli Restorick

The AD approach shouldn't be dependent on the rights of the user that logs
in.

Anyway, you can grant ordinary users the right to change the system date a
time by using ntrights.exe from the Windows 2000 Resource Kit.

ntrights +r SeSystemtimePrivilege -u Users

Of course, you will need to log in as an administrator of the local machine
to be able to run this command.

Hope this helps

Oli
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Logon local to W2k workstation using domain account 9
Windows XP Logon script location 3
Auto logoff user workstation after idle time 1
Group Policy Problem 1
Changing process priorities of normal users 3
Domain User can't login unless it has local Administrators right 0
How do I get Restricted Groups to be real time? 5
blank password in W2K Pro workstation even when policy set 6

Top