Re: can't get login script to set workstation time properly

From: Miha Pihler (miha.pihler_at_Atlantis-N0Spam.si)
Date: 08/01/03 

Date: Fri, 1 Aug 2003 17:57:27 +0200

Hi Gerry,

Windows 2000 and XP client in domain will synchronize their time with Active
Directory domain controllers. If you clients time is of by more then 5
minutes, Kerberos authentication will fail and your clients will not be able
to log on to domain.

My advice is to leave Win2k and WinXP time synchronization to domain
controllers and make sure your domain controllers can set their time with
some reliable external public time server... 

-- 
Mike
MCSA 2K, MCSE 2K, MCT, ...
"Gerry Voras" <Gerry.Voras@NEXTACTION.COM> wrote in message
news:%23ygD9QEWDHA.1928@TK2MSFTNGP12.phx.gbl...
> I'm working on a Win2K, Active Directory network. I've made a copy of an
old
> NT Server login script which has the following command:
>
>      net time /set /yes
>
> This command works just fine in the 98 and NT workstation environments;
> however, when I try to use it in the Win2K environment, with a Win2KPro
> workstation, I get the error:
>
>      Error 1314, Cannot Set System Clock
>
> I get this error when attempting to log in as a user from the User or
> Everyone local groups.  This error does not appear when I log in from an
> Administrator or Power User
>
> I have attempted to modify the Default Domain Policy on the server at
start
> | programs | admin tools | Domain Security Policies| Local Policies | User
> Rights Assignment | Change System Time to include more groups; the
> workstation effective policies do not show the change.
>
> I have also attempted to set the workstation local security policy at
start
> | programs | admin tools | LSP | User Rights Assignment | Change System
Time
> to include Everyone and Users; however the effective policy does not show
> these groups, and I do not wich to modify the LSP on 100 workstations.
>
> I think there is a set of settings in the AD Domain or Group Policy that I
> need to alter, but which ones?
>
> In what I believe is a related detail, workstation users that are not
> Administrators or Power Users cannot open the systray clock/calander.
>
>

Relevant Pages

  • Re: Group Policy not applying
    ... The first and most obvious thing I can think of is that you'll need ICMP ... you'll need to disable slow link detection on the clients. ... >workstation and I am getting the error: ... >There is a firewall between our workstations and Domain Controllers. ...
    (microsoft.public.win2000.group_policy)
  • Re: Users cannot log on to other domain machines
    ... domain policy? ... If the clients were joined with the connectcomputer like they should have, ... Marina Roos ... administrators group or going to every workstation and editing the local ...
    (microsoft.public.windows.server.sbs)
  • Re: Users cannot log on to other domain machines
    ... Do NOT mess with the default domain policy please. ... If the clients were joined with the connectcomputer like they should have, ... the domain users would already have been added to the local user group on ... administrators group or going to every workstation and editing the local ...
    (microsoft.public.windows.server.sbs)
  • Re: Users cannot log on to other domain machines
    ... If you're an absolute whiz with group policy you might be alright changing ... If the clients were joined with the connectcomputer like they should ... Opened up my Group Policy Management console and under my Defaul Domain ... administrators group or going to every workstation and editing the local ...
    (microsoft.public.windows.server.sbs)
  • Re: what gpo setting is this?
    ... English blog: http://lordoftheping.blogspot.com ... In the same place check for "Interactive Logon: ... For that policy you need to create a conflict policy that reverses ... Simple (Assuming that you moved that workstation ...
    (microsoft.public.windows.server.active_directory)
Loading