Want to stop time synchronization from Primary Domain controller

Guest

Hi everyone,

I have 4 Windows XP machines under a Windows 2000 Advanced Server Active
Directory domain controller group (clients joined to the domain).

The users' rights are Power Users.
These users need to change the machines' time for their requirements, but the
domain controller doesn't allow them to change the time. Even if I raise their
rights to admin, they can change it, but nobody can access them on the network,
because the time is different from the server time.

Q: Could someone please help me solve this problem? My requirement is:
everybody can access them on the network even though they change the machine
time, without disjoining from the domain.

Thank you for your cooperation.
KO3MDY
 
Kerry Brown

KO3MDY said:
Hi everyone,

I have 4 Windows XP machines under a Windows 2000 Advanced Server Active
Directory domain controller group (clients joined to the domain).

The users' rights are Power Users.
These users need to change the machines' time for their
requirements, but the domain controller doesn't allow them to change the time.
Even if I raise their rights to admin, they can change it, but nobody can
access them on the network, because the time is different from the server time.

Q: Could someone please help me solve this problem? My requirement
is: everybody can access them on the network even though they change
the machine time, without disjoining from the domain.

Thank you for your cooperation.
KO3MDY

Kerberos uses time signatures to determine if a ticket is valid. I don't
know if there is any way to do what you want and have domain authentication
work properly. Why do these computers need to set their time differently
from the rest of the network?

Kerry
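
The time dependence mentioned in the reply above, as an added example that is not part of the thread: a simplified Python model of the time checks a Kerberos service applies to an incoming request, in the order given in RFC 4120. The 5-minute tolerance is the usual default rather than a value stated in the thread, and the principal name and timestamps are constructed. The check is symmetric, so it fails the same way whichever machine's clock was changed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Error codes as numbered in RFC 4120.
OK = 0
KRB_AP_ERR_TKT_EXPIRED, KRB_AP_ERR_TKT_NYV = 32, 33
KRB_AP_ERR_REPEAT, KRB_AP_ERR_SKEW = 34, 37
MAX_SKEW = timedelta(minutes=5)  # assumed default clock tolerance

@dataclass
class Ticket:  # only the time fields the check needs
    starttime: datetime
    endtime: datetime

@dataclass
class Service:
    replay_cache: set = field(default_factory=set)

    def check_ap_req(self, ticket, client, ctime, now):
        """Return OK or the error code the service would send back."""
        # 1. The client's authenticator timestamp must be close to our clock.
        if abs(now - ctime) > MAX_SKEW:
            return KRB_AP_ERR_SKEW
        # 2. The same (client, timestamp) pair seen again is a replay.
        if (client, ctime) in self.replay_cache:
            return KRB_AP_ERR_REPEAT
        # 3. The ticket lifetime is judged against our clock, with tolerance.
        if ticket.starttime - now > MAX_SKEW:
            return KRB_AP_ERR_TKT_NYV
        if now - ticket.endtime > MAX_SKEW:
            return KRB_AP_ERR_TKT_EXPIRED
        self.replay_cache.add((client, ctime))
        return OK

def demo():
    now = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed server time
    tkt = Ticket(now - timedelta(hours=1), now + timedelta(hours=9))
    svc, who, results = Service(), "user@EXAMPLE.TEST", {}
    for label, minutes in [("in sync", 0), ("3 min fast", 3), ("2 h back", -120)]:
        ctime = now + timedelta(minutes=minutes)  # stamped with the client's clock
        results[label] = svc.check_ap_req(tkt, who, ctime, now)
    results["replayed"] = svc.check_ap_req(tkt, who, now, now)
    late = tkt.endtime + timedelta(minutes=10)  # server clock past ticket end
    results["expired"] = svc.check_ap_req(tkt, who, late, late)
    return results

if __name__ == "__main__":
    for label, code in demo().items():
        print(f"{label:10} -> {code}")
```
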
 
Steven L Umbach

There are ways that it can be done but I agree with Kerry in that time synch
is very important in an Active Directory domain for authentication and
application of Group Policy, etc. If it is that important then you might
want to remove the computers from the domain. Also keep in mind that a non
domain computer can potentially access shares and resources in a domain if
the user has an account in the domain that matches what he uses to log on to
his computer or he can use those credentials to access a share if he is not
logged onto his computer with a user account that is in the domain. If IPsec
is used to secure network traffic then the user will not be able to do such
if the computer with the share has an IPsec require policy and uses the
default Kerberos for computer authentication for the IPsec main mode. ---
Steve
 
