Changing the system date, time and/or time zone


By default, only Administrators and Power Users can use the “Date and Time” applet to change the computer’s date, time, or time zone.  A regular User double-clicking on the clock in the notification area of the taskbar gets only an error message that says, “You do not have the proper privilege level to change the System Time.”  This is probably the #1 annoyance for people who have tried running as non-admin.

 

KB article 300022 describes how to allow non-admins to change the date, time or time zone.  The KB’s first suggestion is that you ask to be made an admin or Power User.  Please don’t do that.  That’s kind of like saying, “I occasionally need change for a dollar, so please grant me unfettered access to the US Mint.”  Fortunately, the KB also describes more granular modifications.

 

First, you need to have the “Change the system time” privilege.  Run “Local Security Settings” (as admin), navigate in the left pane to Security Settings \ Local Policies \ User Rights Assignment.  Double-click on “Change the system time” and add users or groups.  You can also specify “INTERACTIVE”, which will allow whoever is logged on to the computer to change the date and time.  You need to log off and back on for the change to take effect.

 

That gets you past the error message, and lets you change the date and the time.  However, attempts to change the time zone will fail silently, with no error message.  To change the time zone, you need to change the permissions on this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

According to my testing, here are the permissions you need:  Query Value, Set Value, Create Subkey, Enumerate Subkeys, Notify, Read Control.  KB 300022 says to grant “Delete” also, but as far as I can tell, that does not appear to be necessary.  This change doesn’t require logoff/logon to take effect.
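The registry permission change described above, scripted in PowerShell as an added example (it is not part of the original post or of KB 300022). The `INTERACTIVE` identity and the choice to apply the entry to the key and its subkeys are assumptions; substitute a specific user or group where you can.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# $Identity is an assumption: prefer a specific user or group over INTERACTIVE.
param([string]$Identity = 'NT AUTHORITY\INTERACTIVE')

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'

# The six permissions listed in the post, as .NET RegistryRights names
# ("Read Control" in the permissions dialog is ReadPermissions).
$needed = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, ReadPermissions'

# Combine the rights that Allow entries naming this identity directly give it.
# Entries for other groups the account belongs to are not counted here.
function Get-AllowedRights($Acl, $Name) {
    $mask = 0
    foreach ($ace in $Acl.Access) {
        if ($ace.IdentityReference.Value -eq $Name -and
            $ace.AccessControlType -eq 'Allow') {
            $mask = $mask -bor [int]$ace.RegistryRights
        }
    }
    return $mask
}

$acl  = Get-Acl -Path $keyPath
$held = Get-AllowedRights $acl $Identity

if (($held -band [int]$needed) -ne [int]$needed) {
    # Assumption: apply to this key and its subkeys (ContainerInherit).
    # Nothing beyond the six rights is granted, so no Delete and no Full Control.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $Identity, $needed, 'ContainerInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyPath -AclObject $acl
}

# Audit the result: confirm the grant took effect and report anything the
# identity holds beyond the six rights, such as Delete.
$after   = Get-AllowedRights (Get-Acl -Path $keyPath) $Identity
$missing = [int]$needed -band (-bnot $after)
$excess  = $after -band (-bnot [int]$needed)

if ($missing -ne 0) {
    Write-Warning ("{0} is still missing: {1}" -f $Identity,
        [System.Security.AccessControl.RegistryRights]$missing)
}
if ($excess -ne 0) {
    Write-Warning ("{0} holds extra rights on the key: {1}" -f $Identity,
        [System.Security.AccessControl.RegistryRights]$excess)
}
if ($missing -eq 0 -and $excess -eq 0) {
    Write-Output "$Identity holds exactly the required rights on $keyPath"
}
```

Running the script a second time makes no further change to the ACL and only repeats the audit, which is a quick way to check a machine that was configured by hand.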

 

[Update March 1 2005:  KB 300022 has now been updated.  It no longer recommends that the user be added to Administrators or Power Users, and it removed its requirement for “Delete” permission on the TimeZoneInformation regkey.]

Comments (74)

  1. Stephen says:

    Ugh – it looks like XP Home Edition doesn’t have the security policy utility/snap-in.

    Ideas?

  2. Stefan Rusek says:

    My big annoyance is that I can’t double click on the time to see a calendar. I almost never need to change the time. I can bring up the outlook, but I would prefer many times to just see it by double clicking on the time.

  3. I think Stefan is leveraging the one big facet of the problem:

    Viewing these settings is sometimes useful, but allowing their modification by users (even fully trusted, fully skilled ones) is quite dangerous.

    Time, for example, is certainly the most dangerous one:

    A lot of viruses, trojans, rootkits try to hide from system, users and scan tools by tweaking file system meta data about creation and modification date.

    A lot of important code is based on a "trusted time": event logs, kerberos settings, some GUID generation tools, and a lot of tracking software.

    But the same could be said for money, decimals, etc…

    So as an enterprise admin, I completely disallow editing of these settings by users, and as a user I use a calendaring apps that reduces to the tray for the purpose Stefan describes.

  4. Billy says:

    Aaron, I just wanted to say how glad I am to see you have new entries! I enjoy reading your posts a lot. I find them very helpful in pursuing my own non-admin status. I was worried that you’d stopped blogging completely for a while. Keep up the blogging, please!

  5. Stephen – Wow, sorry about that "little" oversight. I used to have a Home Edition computer here but recently rebuilt it with Pro. The best workaround I’ve heard is to grab a copy of NTRights.exe from the Windows Server 2003 Resource Kit Tools ( http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en ) and run something like the following at a command prompt:

    ntrights -u INTERACTIVE +r SeSystemtimePrivilege

    This will let whoever is logged on to the computer change the date and time (including Guest). Replace "INTERACTIVE" with a user name if you want to give the privilege to a specific user.

  6. Norman Diamond says:

    > I used to have a Home Edition computer

    You still can. Virtual PC 2004 SP1 is useful for stuff like this. I haven’t experimented with changing the system date/time in a virtual machine (more on this in a moment) but for ordinary stuff like setting permissions it ought to work. You’d be able to verify if your intended instructions operate as expected. Even the language version of a virtual Windows installation can differ from the language version of the host, so you don’t even need to reboot in order to check if your selected fonts allow display of strings that you intended to display.

    In Virtual PC 2004 each virtual system’s date/time are taken from the real system’s date/time. I haven’t experimented with changing it in a virtual PC, and don’t know if it might be rejected by specialized virtual drivers, or cause a blue screen in specialized virtual drivers (some do), etc. But I did set AppVerifier in a virtual PC to fake the date that would be presented to explorer.exe, after which new logins on that virtual PC didn’t get a desktop any more.

  7. tonyso says:

    If you have not read Jen’s article on LUA, you should be asking yourself why not?

    This article…

  8. Complete list of Aaron Margosis’ non-admin / least privilege posts, for easy lookup.

  9. tonyso says:

    Get your friends and family, all those folks that come to you for computer help once their machines have…

  10. You really didn’t want to use it to browse the calendar, really.

  11. Shannon Reis says:

    It would even be more elegant if TIMEDATE.CPL would still launch if it detected a standard user. The interface would then configure all of the controls to change the time/date as "Disabled". (Hopefully allowing the user to still toggle through the months, but not required)

    This would make them visible to a non-admin, but we wouldn’t have to grant the user the right to change the time (quite detrimental in a domain environment)

    If I had the source…it would be a relatively easy thing to do (if..then, and a few lines to disable the controls).

  12. Ian says:

    I have a lot of travelling/laptop users who I’d like to give permission to change the time zone but not the actual system date/time, is this possible?

  13. Aaron Margosis says:

    Ian —

    No, not through the Time/Date UI. It would certainly be useful to allow that. But what problems do you think might arise from giving users the ability to change the time?

  14. Dylan says:

    Actually XP Home has usrmgr2.exe, but it has no icon. Just run this from the ‘Run’ command. Does anyone know how to do this through WMI? The zone changes but the system tray reflects the original zone.

  15. fgfgfdg says:

    @Shannon Reis: That’s why I’m using Rainlendar with a Windows Classic Skin.

  16. fgfgfdg says:

    @Shannon Reis: The leaked parts of the Win2K SP1 sourcecode actually contains the TimeDate applet sources. I’m working on fixing it, for the later stage I will also add the NTP dialog from WinXP.

    Just to say, the simple replacement that just starts a skinned Rainlender works quite well in our corporate environment.

  17. Not every "access denied" indicates a LUA bug!

  18. Khalid says:

    Dear Sir,

    I need to know how to change time in the control panel (Regional Options) from the visual basic program.

    Best regards,

    Khalid

  19. Jeff says:

    My laptop users need to change their timezones.  I added permissions to the TimeZoneInformation key.  I thought, Microsoft Time Zone would be great here since it has an option to change the timezone.  Too bad, appears they are testing group membership instead of key write permissions…  The Change Timezone option is disabled apparently unless you are an admin!

  20. livar says:

    It's strange….I have an account which is a member of "Administrators", but still can't change time/date, display calendar! (?)

    I also tried to run "Local Security Settings", when I double-clicked on the "Change the system time" I was not able to add or remove users. The only message I got was: "This setting is not compatible with computers running Windows 2000 SP1 or earlier. Apply Group Policy objects containing this setting only to computers running a later version of the operating system"

    Errm….wth? I’m not running Win2k! I’ve got WinXP SP2 installed!

  21. Mark Doubson says:

    I need to synchronize local client time with server time while client running application under Least-privilege User Account. I agree with idea to restrict user from interactive change time but still need system level sync.
    Any ideas?

    The first idea that comes to my mind:  Configure both the client and the server to sync automatically with the same time source (“Internet Time” tab.)

    — Aaron

  22. Mark Doubson says:

    Aaron – it is not possible in many cases – e.g. – client machine has time port closed. Our program always started with an Internet Time sync attempt (e.g. using NIST time server) but some LUI environments do not allow such a sync. My idea – use some service running on system level (before user login) and call this service to sync local time with server time when our application will start. How?

    I don’t suppose the client and server would happen to be in the same Windows domain, would they?  If so, then they will be synched – at least to within 5 minutes (required for Kerberos).  I guess you could write a service to change the system time – but that seems like overkill.

    Since you’re going to this trouble, is it a problem just to grant the user account the “change the system time” privilege, without changing the other settings?

    — Aaron

  23. GL says:

    All this talk about “changing” the system date and time. The Windows code and behavior in this case is totally wrong. No user, not even guest if enabled, should be denied the ability to view the familiar calendar. It has been around for over 10 years. It’s called “usability.” If 500 million users are using this to view a calendar, then Microsoft needs to change the design, change the behavior and change the code (p.s. don’t forget to test it.) The analogy would be denying read access to customary files and folders just in the normal course of running apps. Gee, how silly that would be. I don’t care how “it currently is” – it’s wrong. After opening the “system” calendar interface, no changes should ever become effective unless the user clicks apply or ok and has the rights to do so. Ever hear of graying-out a button microsoft? The design, behavior, and code are all totally wrong in this case and limited users should have full viewability of said calendar without the ability to cause any changes. This is an inconsiderate design, lacking usability testing and it needs to be fixed asap. “In other words, the Date/Time control panel was not designed for letting you flip through a calendar. It was designed for changing the system date and time.” No, it was designed without usability testing and the “design” does not follow the existing system-wide philosophy of read access by limited users. It needs to be corrected. Clicking the date/time to VIEW the calendar is NOT mis-use, it would rather be proper software behavior and human expectation. I’m taking an end-user point of view here. It’s actually a permission granularity design problem – just deny access to the whole date/time thing – it’s easier and we can go to lunch.

    On behalf of all Microsoft employees past and present, I humbly apologize for any offense that the design of the Date&Time applet has given you.  I anticipate hearing from your legal team soon regarding the pain-and-suffering lawsuit you no doubt have already initiated.

    Fixing the UI involves more than simply disabling buttons — code requiring elevated privilege needs to be factored out and a separate UI designed.  That work has been done in Windows Vista.  In the meantime, you can consider the workaround posted here if it’s appropriate for your scenario, as well as a switch to decaf.

    HTH

    — Aaron 

  24. ihi says:

    When I am as a user on a "foreign" PC, need a calendar and cannot "change the time" (and have not set my start page in IE which usually contains a calendar), I press Window+F and select to search files based on last changed. There is a calendar (you do not have to use it for searching only).

    Yes, double-clicking the clock is faster than Win+F plus three mouse clicks; but even this is faster than asking an admin to get permission 😉

  25. David says:

    Rather than reengineering the existing systray icon to separate the configuration functions what we need is a simple calendar program that can replace the time setting icon.

    I have looked for such a program and can’t find one. I know that it would take this issue off the table for all of our desktop users and most of our laptop users. The only folks that would require escalated privileges are users who travel out to other time zone.

  26. Noman says:

    Thanks for your Tips its really work

  27. GL says:

    Sad to see your sarcasm and sorry that you do not understand my rant, on behalf of all users. My post has nothing to do with coffee and everything to do with human factors and usability – which by the way is fifteen years overdue from Microsoft. Nothing like sarcasm to demonstrate where you stand.

    Nevertheless, without changing any permissions, to have a useable calendar located next to the icon tray for convenience under Windows XP logged in as a limited user one may do the following:

    1. Close all Apps and Windows currently open
    2. Browse to http://www.timeanddate.com/calendar
    3. Choose File, Send, Shortcut to Desktop
    4. If desired, change the icon as follows: right click the shortcut and choose Properties, Change Icon. Choose an icon that looks like a calendar (Browse, shell32.dll) click ‘OK’ as needed
    5. Move the shortcut to C:\Documents and Settings\User\Application Data\Microsoft\Internet Explorer\Quick Launch where ‘User’ is the limited user account
    6. In this same folder move or remove shortcuts that are not needed
    7. On the taskbar, click and grab the quicklaunch border position control (identified by a double-arrow from mouse-over) and move it to the far right.
    8. Next the icon-tray you now have a non-invasive calendar which will display with a single click
    9. A static image may be used instead of a link if desired.

    I am rarely provoked to use sarcasm in a forum like this, but your earlier [sarcastic and unnecessarily nasty] rant did the trick.  I understood your rant perfectly well, but I think you missed the key point that — contrary to the way you wish it had been — the original design for the Date/Time applet really was to allow the user to change the date and the time, not to provide a browsable calendar or time zone map.  Such features certainly would have been nice to have, but they were not considered in the original design.  One clue is that Date/Time has always been in “Control Panel” and not in “Accessories”, which is where one might have expected to find a calendar-browser (or even a PIM).

    — Aaron

  28. Nicholas Fone says:

    Aaron, get a grip mate. Your response to GL’s post is nothing short of unprofessional.

    Not surprising though really… after all you work for the very company that has chosen not to address this blindingly obvious design flaw in XP.

    When will Microsoft LISTEN to its customers? <sigh>

    Nicholas, please note that I never said that the designers of the Date/Time applet made the right choices — I only said that the purpose of the applet was to support changing the date and time, and that the designers designed toward that purpose.  Obviously, the applet ended up being used for far more.  On Win9x (for which it was originally designed) and on NT-based systems with admin users, this was rarely an issue.  It has become increasingly one, though, and has been addressed very nicely in Windows Vista.  At this late date, there won’t be any significant design changes to Windows XP.

    — Aaron

  29. Nicholas Fone says:

    Aaron, are you honestly trying to suggest that fixing a small (but pretty annoying) design flaw in the Date/Time applet is a “significant design change”? C’mon mate!

    Nobody is interested in a history lesson on the Date/Time applet. Folks would just like the problem to be fixed.

    You summed it up perfectly in your opening paragraph: “This is probably the #1 annoyance for people who have tried running as non-admin.” Yes, it sure is.

    Nicholas:  Yes, to do it right it absolutely is a significant design change.  True, one could make a few trivial changes to the code — e.g., don’t check for the privileges until the user presses OK or Apply, but that’s a bad user experience, too.  Look at the work that was done in the Vista UI around date/time.  They really did it right, and it’s quite a bit of effort there.

    Who is “Nobody”?  Raymond Chen’s blog is one of the most popular on blogs.msdn.com, and a lot of that is history lessons.

    — Aaron

  30. Nicholas Fone says:

    Just took a look at kb article 300022… it’s been through 5 major revisions!

    Instead of providing a workaround, surely fixing the problem would be more beneficial for the end-user… and less costly for Microsoft to support.

    It would be great if someone from Microsoft said “I hear you, hey I’ll see if we can get that fixed” instead of writing blog articles about the workaround, then dismissing people’s feedback as ranting. That sort of response disappoints me more than the problem itself.

    Nicholas:  I’m perfectly happy to accept feedback, including harsh criticism, but I expect the tone to be professional.  If feedback has a “rant” attitude (which it did) and I’m in a bit of an unforgiving mood (which I was), I may respond with sarcasm (which I did).  I have privately apologized to GL for my part in the unprofessional tone of that exchange.  I have also done my best over the years to provide feedback to the Windows team re the non-admin user experience, as well as provide help to our customers.  FYI, here’s part of what I wrote to GL:

    I have never defended the decisions that the designers of the applet made.  I never said it was a good design.  And it’s pretty well known that limited-user scenarios did not get the level of attention that Win9x and NT-admin scenarios did.  A lot of the UI in Windows XP was originally designed for Windows 95, which (as you know) had no separation between types of users.  People tried to make the best decisions they could in the era in which they did.  Looking back, not all of those decisions turned out to be the best.  This happens in all realms of life.  All I was saying was that the applet was intended to support the changing of the date and time, and that the designers designed toward that purpose.  They did not anticipate users referring to its calendar UI on a regular basis.  As far as I know, this particular UI decision has not led to a lot of complaints.  Perhaps this is because many users continue to run as admin, and many corporate users have other calendar UIs they can refer to.  I agree with you that it is a pain, but I strongly suspect it’s pain felt by a relatively small number of us.  While I’d enjoy the change also, it’s hard to build a business case for a relatively major design change to Windows XP at this late date to fix relatively small pain.  In general, I wouldn’t expect to see any significant design changes to Windows XP at this late date, especially with all the risks that design changes entail.  The work has been done in Windows Vista, and they’ve done a really good job.  Please don’t take that to infer that we’re using this to force users to upgrade to Vista – like I said, I very truly, strongly suspect that the pain that you and I feel around this UI is not widely felt.

  31. Nicholas Fone says:

    I agree with very little of what you have said Aaron, but I guess we will just have to agree to disagree. Enough said, I’m off to a BBQ… (at least I tried folks, eh?!)

  32. David says:

    Since I last posted I have been running alpha clock as a limited user. It replaces the standard windows clock and does everything the users want except change the time and date which is what we don’t want the users to change.

    It’s free and seems to work well in our testing. Check it out at –

    http://www.alfaclock.com

    Cheers dave

    Does that site render in IE7?  I don’t see any content on the page.  When I View Source, I see that they’ve got a bunch of browser-specific CSS hacks, but nothing for IE7, so I get essentially no content.

    — Aaron

  33. fuzzy says:

    YUK YUK DAVID !!!

    PLEASE COME INTO MY LAN AND TRY TO DO THIS

    I WILL SHOW HOW’S DEEP WOLF’S LAIR !!

  34. BullShit says:

    I have XP home and I don’t have policy editor. And I want use my PC as more as possible like all linux users use: they are owner of their PC and have root (Administrator) access also, but login as restricted user and use for ordinary work that one. But in Windows side that is s**t!!!

    What users do when they want check the calendar quickly? They do double click on system tray clock and they get it quickly!!! But I don’t have this, because MS thinks for users new s**t MS!

     Another thing I cant do updates from restricted user account, I must login as Administrator and ‘Run as’ doesn’t work in that situation.

  35. Me says:

    See the sixth comment. There there is the solution, using ntrights. I have just tried it and it works perfectly 😀

    Thanks, Aaron. I wouldn’t have found without this entry.

    I must admit, i also wanted it to show the calendar 😉

    It is not wrong having a control panel applet wanting the privilege, what would be wrong would be launching it from taskbar. If taskbar launched a different version (maybe with a /readonly commandline parameter) it’d be fine.

  36. RAGHU says:

    I am using Win XP as a client. This (Win XP Pro) I have connected to a Win 2003 server.

    I have added a user (let us say xyz). This is the user (xyz) I have created in the server (Win 2003). When I log in with this user (through Win XP Pro), even after adding this user (xyz) to “Change the system time” under “Local Security Settings”, in Security Settings \ Local Policies \ User Rights Assignment, I still have the same problem.

    I’m not clear on the relationship between the XP and 2003 systems.  Is the server a domain controller?  Is the XP system a domain workstation?  Is User XYZ a domain user or a local account?

    Did you make the user rights changes on the server or on the XP computer?  Did you also make the registry permissions changes as described in this post?

    If this is a domain, do you have any domain policies overriding the local policy changes you made?

    Did you log off user xyz after the policy change was made?

    — Aaron

  37. Crystalfish says:

    My question is how to add those regkeys, like key name, key value…..

  38. Kelley says:

    Is there an easy way to change permission at server so users can change their time and date?

    kelleybrown1@comcast.net

  39. DriverDude says:

    "I agree with you that it is a pain, but I strongly suspect it’s pain felt by a relatively small number of us."

    Sigh.

    It’s late so I’ll be brief:

    1. I know many people who run as Admin because of the little inconvenient things that make non-admin in Windows that much harder to use. They are developers and UNIX users and actually understand what non-admin user accounts are good for.

    2. UNIX has a "date" command that allows non-root users to see the date and MacOS X’ menubar clock has been doing the right thing for years.

    3. I, as well as many people I know, think Microsoft (and others) are clueless when it comes to security/usability. We don’t bother complaining because we figure it’s just a waste of time. And so now we vent on your blogs. :=)

    4. Microsoft published Application Guidelines with recommendations on how apps can behave well w/o admin privs – since *WINDOWS 2000*

    5. Even today, there is software from the likes of Adobe and TaxCut that either don’t run as admin or are hard for the average user to configure for non-admin usage. It could be as simple as saying "register this software as Admin before other use" but the software makes it confusing!

    I, for one, am glad that Vista’s new security is so in-your-face and annoying that developers might actually fix things correctly.

    As for the clock… I don’t mind that the Clock was designed as a control panel applet. But why expose the *CP applet* so prominently – people haven’t had the need to set the clock on a daily basis since the PC-AT added a RTC. Vista’s clock is much improved.

    And I do appreciate that you, RaymondChen, and other MSFT folks know what you’re talking about even if I have doubts about the rest of the company.

  40. zxc says:

    wow brilliant, when you mentioned the number1 thing not to do was ask for admin or power user privileges i would have thought right, so there’s some way for normal user’s to do this but your guide is for admins.. if an admin had placed those restrictions in the first place i would have thought that they would surely know how to remove this restriction to, from your guides point of view it might be useful to that 1 person in a million that gains admin rights through malicious means and then decides damn, that clocks been bugging me.  Otherwise this is useless.

    zxc:  The restrictions are the defaults, not something that an admin is likely to have deliberately added.  This post describes how an admin can change the defaults for non-admin users.

    HTH

    — Aaron

  41. chirag chaudhari says:

    dear Sir,

    last one months in my server date sometimes change or some times not change but time is regularly change so we can’t tell to esue a cmos battery  plz give me solution

  42. maxlonn says:

    Hi,

    My system Time and Date is suddenly set back to 1970!!? I have tried to change manually and as well sync with the internet time tab. but it just pops back to 1970. This problem stops me from updating and saving files done in this year.

    What can i do to change back to current time and date?

    Max Lönnqvist

  43. kelvin says:

    My problem is when I open my clock and change the year of system time, it cannot be changed and always fixed at 1970..Same problem as Max.

    Please help!!

  44. jason says:

    please help.

    same problem ..

    could be change date. still maintained 1970.

  45. jason says:

    msn messenger will not login, because of date too

    earlier 1970. help.

    To Jason, maxlonn, Kelvin:

    These sound like CMOS battery problems.

    HTH

    — Aaron

  46. utomatically synchronized with an Internet time server says:

    how to enable this option in the normal user in xp

    Enabling the “Internet Time” tab for a normal user can’t be done safely in Windows XP.  According to my testing, it would require granting “write” access to a key that also contains the path to a DLL to run within the Windows Time service.  If that were modified, the user (or malware running as the user) could run arbitrary code as LocalSystem.

    — Aaron

  47. lijo says:

    same problem with the system date as above.. plz help

    lijo:  As I stated above, this sounds like a CMOS battery problem.  Nothing more I can do to help.

    — Aaron

  48. lijo says:

    Dear Aaron,

    Thanx 4 the reply, i changed the CMOS battery..still the issue continues.. any other remedy..

  49. Kelvin says:

    Thanks for reply.

    i also changed my CMOS battery but problem still exists…also cannot sync. the clock even using other software like Atomic Clock Sync., its operating system clock(BIOS cannot be saved)…

    Any other idea?

  50. Jon says:

    So the question I dont see answered is can you just allow users to change the Timezone and not the time?

    Jon: It actually came up in one of the earlier comments.  The Time/Date control panel applet will display only an error message if you don’t have permission to change the time, so if you want to use that UI, then what you’re asking for isn’t possible.  However, it should be possible to develop a custom tool to change only the timezone.  You’d need to make the registry permission changes described in this post, but you shouldn’t need to grant the time-change privilege.

    In Vista, there is a new privilege that allows a user to change the timezone.  Users have this privilege by default.  Note that the timezone is also a system-wide setting, but not with the security impact that the clock does.

    HTH

    — Aaron

  51. Carl Lindmark says:

    I’m glad you’ve already been slapped on the wrist for what you wrote to GL, and I’m glad that you’ve seen fit to apologize for that. Good on ya!

    However, there are two things I still feel you haven’t gotten:

    1) You are inconsistent. You can’t first say:

    "This is probably the #1 annoyance for people who have tried running as non-admin"

    and then turn around and say:

    "I strongly suspect it’s pain felt by a relatively small number of us"

    The majority of times a user clicks on the system clock it’s to view time/dates – not to change the same, I guarantee you. Therefore, this system clock behavior, which you called "the #1 annoyance [for non-admin users]" is a HUGE issue for users who just want to view the date/time too!

    2) "The customer is always right." It really doesn’t MATTER how many times you/Microsoft say that "this application was never meant to be used as a calendar that just DISPLAYS date/time" – this is what users – CUSTOMERS – have come to use it for (most of the time)!

    As soon as this was realized – which should have been many years ago – the decision should have been made to cater to the users’ needs according to the mantra "the customer is always right". Instead, Microsoft opted to say "the customer is wrong. The customer has not understood what the application was really for."  And to NOW, years later, say that "We agree that the system clock should have been implemented better (like in Vista), but now it’s too late to make such big changes in XP" is just… sad.

    The changes should have been made a long time ago. Not necessarily because it was the right thing to do, according to the developers at the time – but because it was what the customers wanted.

    Oh well – the past is the past… But hopefully there is a lesson learned here – for next time!

    Regards,

    Carl

  52. John S says:

    I have read comments on this site, hoping to find out how to have an auto time synch programme (such as Dimension 4) automatically update the time (Win XP Pro SP2) on my computer when I connect to the internet under my user (restricted) account.

    I gather there is a security risk if I make changes mentioned in KB 300022 at the top of this page. What I’m wondering is what would happen if I:-

    *temporarily gave my user account admin privileges

    *Installed a time synch programmes such as Dimension 4

    *Changed the account privileges back to restricted.

    I’m wondering if (a) this would work and (b) if it did work, would it introduce the security risks mentioned above?

    Cheers,  John S

    John S:  why do you need a time-synch program?  Windows automatically syncs with an Internet time server by default.  Log in as admin (or start timedate.cpl as admin), click on the Internet Time tab, and verify the time server it’s using.  All it needs to sync is an internet connection — it doesn’t matter whether anyone is logged on, or if the logged-on user isn’t an admin.

    HTH

    — Aaron

  53. Cliff says:

    Aaron,

    I have an XP Home edition desktop that I would like to be able to change the time as a limited user.  The reason is, whenever the PC connects to a time server to synchronize the time, the time becomes off by approx 2 minutes.  Instead of logging in as administrator just to reset the time, I really would like to do this as a limited user.

    I read all the tips, but I cannot discern if any of them work with XP Home.

    Thanks,  Cliff

  54. XP User says:

    Add one more vote for wanting the ability to just view the calendar as a user and not change the time.

  55. Josh Cook says:

    The issue we are having is this.. we often have remote travelers. They want to be able to change the time to their local time, but the powers that be don’t want them to be able to change the actual time, just the time zone.

    The reason that they don’t want them to be able to change everything is worries that it may break Kerberos authentication for the clients. So if they can just change the time zone on a local level..

    Now we CAN just give them all the rights, but to be blunt, we don’t trust folks to do it right.

    So the question is.. can we JUST allow folks to change the time zone data.. ONLY.

    [Aaron Margosis] On Windows Vista, yes.  On Windows XP, you’d have to write a custom tool that changes only the time zone, and you’d have to make the ACL change as described in this post.  The Windows XP date/time applet won’t display if you’re not allowed to change the time.

  56. Agustin says:

    Guys, I have a server that changes its time several times a day. How can I discover the user/process that is changing the time?

    Regards

  57. Kris M. says:

    You can give limited user accounts read or read/write access to the date and time by changing the security settings of timedate.cpl which is found in the system32 folder. You may need to disable Simple File Sharing to get the security tab to show up. Then you can add a user or group and modify permissions for individual files.

    [Aaron Margosis] You didn’t actually test this, did you?  If you had, you would have discovered that granting users the ability to do things to the timedate.cpl file itself does not give users the ability to change the system time, timezone, etc.

  58. KJG says:

    I had had no idea this was such an issue. Our shop is mostly open with Admin users and privileges. Recently something changed and it became a problem in our office too. I think there was a MS patch that changed the way the time Policies are pushed out from the Domain. We don’t push out any special policies.

    Our 2003 windows domain servers manage the time and everyone would sync to the controllers. The XP stations that joined the domain would have their local security “change the system time” set to local service only. The ability to change the local policy was then locked from any user. Changing registry key privileges did nothing.  I need to check the 2003, 2000 servers to see if the same thing happens.

    Adding users/admins on the domain policy allows the specific users to change the local clock and see the calendar.  This gets pushed out to the domain member computers.

    Joining a workgroup and leaving the domain also worked but is not really a solution.  

    Just sharing what I found.

    KJG

  59. MAS says:

    I am auditing the timedate.cpl file for failed attempts. I believe that after I applied the time/date patch you can no longer audit the timedate.cpl file to get failed attempts to change the date or time. Does anyone have insight on this?

    [Aaron Margosis]  timedate.cpl is an executable file (actually a renamed DLL) — it’s not a data file.  You don’t need or ever use write access to this file in order to change the time.  The only time you’d ever see failed audits for timedate.cpl is if someone were trying to open the file for “write” access.  That doesn’t happen when someone tries to change the system time or time zone.

  60. MAS says:

    Do you know what file can be audited for failed attempts to change the date and/or time?

    [Aaron Margosis] No file auditing will capture that.  Try auditing privilege use instead.

  61. levoun80 says:

    Hi,

    I am facing a problem with this because I wanted to change the date and time as a limited user, but it won’t change, so I read your article on how to change it from the registry, but I couldn’t, so can you help me?

    Appreciated

    Levoun

  62. Gerry Peters says:

    How about this: Search your Windows/WinNT folder for the file "timedate.cpl" and place a shortcut to this file on your desktop, then whenever you want to change date/time from regular user account just right-click on the timedate.cpl shortcut and select "run as different user" (choose any account with administrator privileges to run the control panel applet on one-time basis).

  63. Helen Carey says:

    Well I have tried the NTserver tools suggestion, and have changed the registry settings to allow the user access to the time, but I still get an error message!!! Our laptops are running Windows XP SP2 and are not on a domain, and the program they are running needs to have access to change the time when they log into the program. Is there anything else preventing a user from changing the time?

    Helen Carey

  64. Cris says:

    How can I see if date & time is changed?

    Any logs?
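
An added example, not part of the original post or comments, for the questions above about which logs show a time change and who made it. It assumes Windows Vista/Server 2008 or later, where a successful system time change is written to the Security log as event 4616 (on Windows XP the corresponding Security event is 520), and an elevated PowerShell 3.0+ session; the function name `Get-TimeChangeEvent` is made up for this example.

```powershell
# Added example (not from the original page). Run from an elevated prompt.
# Assumption: Windows Vista/Server 2008 or later, where a system time change is
# logged as Security event 4616 (audit subcategory "Security State Change").

# Enable success auditing for that subcategory.
# This sets local policy; a domain GPO may override it.
auditpol /set /subcategory:"Security State Change" /success:enable | Out-Null

function Get-TimeChangeEvent {
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Security'
        Id        = 4616
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Turn the event's named <Data> fields into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            [pscustomobject]@{
                Logged       = $_.TimeCreated
                Account      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                # ProcessName is only present on Windows 7 / Server 2008 R2 and later.
                Process      = $data['ProcessName']
                PreviousTime = $data['PreviousTime']   # UTC, as recorded in the event
                NewTime      = $data['NewTime']        # UTC, as recorded in the event
            }
        }
}

# Routine corrections by the Windows Time service appear under a service account;
# entries attributed to an interactive user or an unexpected process are the ones to review.
Get-TimeChangeEvent -Days 7 | Sort-Object Logged | Format-Table -AutoSize
```

Event 4616 only covers changes that succeeded; denied attempts show up through privilege-use auditing, as suggested in the reply to comment 60.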

  65. dennis says:

    A company called synergix has written an interface that will let you change the time zone and view a calendar. It still doesn’t work without changing the registry but you don’t have to give users the ability to change the system time with this utility. I think it’s a bit overpriced at $50 though and the company seems to be a small mom and pop shop.

    http://www.synergix.com/v3/

  66. siadmin says:

    Synergix time zone software price dropped down to single digits.

  67. Ed B says:

    Great post about ntrights.exe – worked a charm on my wife’s PC

  68. Carl Wayne says:

    Thank you so much for this post.  I can not tell you how grateful I am.

  69. Nawar says:

    I am facing the same error. I solved it all with the local computer policy except on one PC. When I change the “Change the system time” setting and add a group and users, it goes back to empty and deletes all the groups and users I have added as administrator or power users. Please help.

    thanks

  70. what? says:

    what do you mean by

    Run “Local Security Settings”??? What do I have to do?

  71. Michelle says:

    What brought me here is the damn certificate errors. I am being driven crazy 🙁