On 6/21/2006 4:41 AM, Thomas Heiligenmann wrote: > Ivan Teliatnikov schrieb: >> On Tue, 2006-06-20 at 08:21 -0500, Adam Williams wrote: >>> Sorry I haven't followed the thread, but if you use netlogon script, >>> you can put in it >>> >>> net time \\server /set /yes >> I do use netlogon and the line is in the script. It starts working ONLY >> if the use who logs in has escalated (PowerUser or Admin) privileges on >> the machine, this is not possible because we use DOMAIN authentication. >> >> I still cannot understand why it does not work? Do you I need to change >> permissions on each client to allow non-admin users to change time? > IIRC yes - you have to add 'SeSystemTimePrivilege' to the users. Under > nt40 it's accessible under UserManager, there's also a command line > tool named ntrights.exe, or you could try Samba's rpcclient... Setting the system time is, by default, a right reserved to members of the local Administrators and Power Users groups on the local machine. (Note that Domain Admins is a member of the local Administrators group.)
This can be changed in group policy under Windows 2000/XP. In the group policy editor, look under "Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment". The policy name is "Change the system time". This right can be assigned by domain group policy (though I'm not sure how to globally apply group policy in a Samba domain). It can also be assigned on Windows NT systems, but at the moment I can't recall how. As far as the Windows Time service that is included with Windows 2000 and later goes, be aware that it synchronizes to an Internet-based time server only once a week. In a Windows 2000 (or later) domain, the Windows Time service synchronizes with the domain controller. For a discussion of the Windows Time service, please see this Microsoft link: http://technet2.microsoft.com/WindowsServer/en/Library/a0fcd250-e5f7-41b3-b0e8-240f8236e2101033.mspx (Note: this link discusses Windows Server 2003, but I believe it mostly applies to XP and 2000 systems as well.) I have found that synchronizing once a week is sometimes not often enough -- a computer's clock can drift considerably in that time (I have seen anywhere from 1/2 sec per day to several seconds per day). For some applications, especially where the systems are in a regulated environment such as securities trading, this is far too much drift to be acceptable. A very useful utility I have found to improve this is Tom Horsley's NTPTime, which is an NTP client. You can download it here: http://home.att.net/~Tom.Horsley/ntptime.html As others have suggested, on your Samba server, be sure to run an NTP server. Configuring it can be daunting, so don't give up too easily. Once configured, it will keep the clock on your Samba server very accurate. Then configure your workstations and other servers to synchronize against the Samba server (instead of an Internet server, to keep the load on those servers down). -Jon Johnson Sutinen Consulting, Inc. www.sutinen.com -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
