I realize that this title instantly sounds like a bad idea, so I'll justify the need in addition to describing the problem.

The need to change system time

I've recently set up a Windows Server 2012 Essentials system for a client, for the first time implementing a domain-based structure to a medical services office that previously had passwordless computers. It's a big change, and somewhat disruptive. They have 3 workstations, 6-8 employees, depending, and some flux of people moving through. The workstation I replaced is the one that is the best spot for their bookkeeper to post transactions, and in order to do so with the least pain, she's been changing the system time, until now. In the interest of not imposing a new workflow, I'd like to allow her to do so for the next few months, until they've moved off the system that requires that workflow.

Currently, only one other computer is domain joined - the other computer is running Windows XP Home, and will be domain joined when it is replaced. I fully understand the wisdom of not changing domain controller time willy nilly, but think not allowing it will be more disruptive to their business right now. Since they aren't an enterprise environment and are a small business trying to use its resources, I consider it pretty safe. Feel free to prove me wrong if I'm about to commit a true disaster.

The problem

My understanding is that the best way to give the bookkeeper this ability is to make her a part of the Server Operators group, since they have the Change the System Time permission in Group Policy. I thought about handing out that permission as a one-off, but the Server Operators group seemed like a good fit for this office since people will need some of the other permissions assigned to it (rebooting, etc).

The problem is, it doesn't seem to work, and I can't find any documentation as to why. I've verified she's a member of the group, run gpupdate /FORCE, rebooted the server, and she still can't change the time (but my admin account can). Other permissions related to the group (changing the timezone) seem to work as expected and she can do those functions. I've also verified that server operators have that permission in group policy on the default domain controllers policy, which seems to be applied. A UAC prompt asking for credentials continues to pop up when she tries to change the time.

As a result, I'm assuming I'm missing something and that I've not applied something correctly, something in the chain somewhere isn't set by default and I've assumed it is, or that something is forbidding that action, overriding the original permission.

The alternative that some may consider, since I'm already talking about giving her the ability to change the time, is to give her a secondary admin account to change time with. But I'm not willing to do that yet, since I believe a better, more secure, option exists, and part of the reason I went with the domain model in this office was because they'd previously made poor choices with admin credentials. I'd very much like to find a solution or workaround that doesn't give them any more permissions than they need to do their jobs effectively.

Does anyone have experience with this problem? Is the Server Operators group the correct route to be taking? Thanks for your help.

Edit: Long response to questions below. I do understand it can make basic functions fail. Mostly, they tend to log in once at the beginning of the day and stay logged in. My hope is that it won't interfere with other computers. If it does, we'll find a different workaround with them understanding the situation better. My understanding of the posting process is that they have to be posted with the same date as the day of service, but the bookkeeper is only in a few days a week. We're transitioning to a system that lets her set the time in the posting instead of systemwide.

The domain controller is being used as a workstation out of necessity. They don't have money for lots of computers, but I think they benefit from some of the advantages of having a domain, etc. It was a carefully considered tradeoff even though I understand it's well against best practices.

    If the client's and domain controller's clock differ too much, it will actually make basic things like logins fail. Why exactly does the process of posting transactions involve changing the system time? And why is a domain controller being used as a workstation? – user1686 Oct 14 '13 at 15:40
  • Also… does `whoami /all` mention SeSystemtimePrivilege at all? – user1686 Oct 14 '13 at 15:47
  • @grawity thanks for the questions. I responded to the first batch in an edit in the post body. I'll respond to the second next time she comes in. Thanks for the suggestion. – Nick Oct 14 '13 at 16:29
  • If you 'hope' anything you can pretty much guarantee to be disappointed several times a day. – user9517 Oct 14 '13 at 16:33
  • @Iain. If I get disappointed, we'll change course, but they'll have buy-in and understanding that we have a problem instead of having to just trust me. – Nick Oct 14 '13 at 16:36
  • If the answer is "have an end user change the system time on a DC several times a day" then you are, without a doubt, asking all the wrong questions. – Rob Moir Oct 14 '13 at 16:51
  • If the system clock changes more than 5 minutes, it will cause Kerberos to fail to issue/authenticate tickets. This can cause authentication failures, not just for logon, but for access to shares, printers, and anything else that uses Kerberos. Really, this shouldn't even be considered as an option ever. – MDMarra Oct 14 '13 at 16:53
  • @MDMarra. Thanks for clarifying. From what I've seen elsewhere, I know it'd affect shares, but for the time being, that'd even be ok. There is only one computer that is domain joined at the moment, and it is independent for the time being, with a few exceptions that they could prepare for. I understand the consequences and that it's very much against best practices. This isn't a typical domain environment though. – Nick Oct 14 '13 at 17:43
  • @Nick If only one computer is domain-joined and no one is taking advantage of any Active directory features, why on earth is that server a Domain Controller? – MDMarra Oct 14 '13 at 17:45
  • @MDMarra. Good question. It's brand new. It'll be relied on more in the future for all of the features it can provide (print and file services, etc), but by then, nobody will need to change the time. – Nick Oct 14 '13 at 17:48
  • @RobM. Could you elaborate on what the right questions are then? Telling me I'm asking the wrong questions doesn't convince me that there's a better way to handle this particular problem. Right now it's more of a DC in name than practice in a small business. It's their hardware and their business. I can advise them on what they should do, but ultimately, their needs are paramount. I'm open to other solutions, but I don't have any myself. Since the domain isn't integral to their workflow yet, I'm starting there. – Nick Oct 14 '13 at 17:51
  • If they need to change the time on that workstation more than they need their DC to actually work _at all_ then the first question I would ask is "Do I need to make this a DC *yet*" or even "Do they need a domain *at all*?". Or "Is the time and, ultimately, money spent sorting out the chaos that this idea has caused really going to be less than just buying a cheap workstation?" (as users shouldn't be logging on to DCs interactively *at all* let alone futzing with things like the system time). You don't need to create a DC to support File and Print services, for example. – Rob Moir Oct 14 '13 at 20:32
  • So, just for posterity, **WHY** do end users need to change the clock? – tylerl Oct 15 '13 at 21:10
  • @tylerl from the bottom section of the question: `My understanding of the posting process is that they have to be posted with the same date as the day of service, but the bookkeeper is only in a few days a week. We're transitioning to a system that lets her set the time in the posting instead of systemwide.` – MDMarra Oct 15 '13 at 21:18
  • Ok, so basically the answer now requires faking business documents? Wow. Great process. – TomTom Oct 15 '13 at 22:09
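A diagnostic script that checks the three things raised in the question and comments (whether the token actually holds SeSystemtimePrivilege, who the applied policy grants "Change the system time" to, and how far the clock is from the DC relative to the Kerberos tolerance). This is an added example, not code from the thread; it assumes Windows Server 2012 with whoami, secedit and w32tm available, that it runs in the affected user's own session, and that $DcName (defaulting to the logon server) is the DC to compare against.

```powershell
# Added diagnostic for the checks raised in the comments; not part of the original thread.
# Assumptions: runs on Windows Server 2012 in the bookkeeper's own session (so the token
# is hers), and $DcName names the DC to compare clocks against (defaults to the logon server).
param([string]$DcName = $env:LOGONSERVER.TrimStart('\'))

# 1. Is SeSystemtimePrivilege in the current logon token? Group membership granted after
#    logon does not reach the token until the user logs off and back on.
$timePriv = whoami /priv /fo csv | ConvertFrom-Csv |
            Where-Object { $_.'Privilege Name' -eq 'SeSystemtimePrivilege' }
if ($timePriv) { "Token holds SeSystemtimePrivilege (state: $($timePriv.State))" }
else           { "Token does NOT hold SeSystemtimePrivilege" }

# 2. Who is granted 'Change the system time' in the policy actually applied on this machine?
#    secedit exports the effective user-rights assignment as an INF file with *SID lists.
$inf = Join-Path $env:TEMP 'userrights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeSystemtimePrivilege\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue
$serverOperatorsSid = 'S-1-5-32-549'   # well-known SID of BUILTIN\Server Operators
if ($line) {
    $sids  = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    $names = foreach ($sid in $sids) {
        try   { ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                  [System.Security.Principal.NTAccount]).Value }
        catch { $sid }   # leave unresolvable SIDs as-is
    }
    "Change the system time is granted to: $($names -join ', ')"
    "Server Operators in that list: $($sids -contains $serverOperatorsSid)"
} else {
    "No SeSystemtimePrivilege line in the exported policy"
}

# 3. How far is this machine's clock from the DC? Kerberos rejects tickets beyond the
#    'Maximum tolerance for computer clock synchronization' policy, 5 minutes by default.
$samples = w32tm /stripchart /computer:$DcName /samples:1 /dataonly
$m = ($samples | Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -Last 1)
if ($m) {
    $offset = [double]$m.Matches[0].Groups[1].Value
    "Clock offset from ${DcName}: ${offset}s"
    if ([math]::Abs($offset) -gt 300) { "WARNING: beyond the 300s Kerberos tolerance" }
} else {
    "Could not read an offset from w32tm (output: $($samples -join ' | '))"
}
```

Run on the DC itself the offset check is trivially zero; run it from the other domain-joined workstation to see the skew that a time change on the DC introduces.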

1 Answer


I was hoping that this would die on SU, but since it's moved here, I will give you my professional opinion on the situation.

If an end user needs to log into this server, it should not be a domain controller. Period. Nevermind the whole time nonsense and everything else, which only reinforces this statement. End users should not log into servers that are not properly configured terminal servers. No server should have the time arbitrarily changed when it is a member of a domain or a domain controller. No end users should have the rights to perform these actions.

Buy a cheap workstation for this user that they can run this software on, or let them use this server but demote it so that it isn't a DC. Give them a VM that they can RDP into to run this software. There are plenty of options. Really honestly do anything other than what you're doing right now.


Edit: I'll also point out that using RDP for end users to execute applications on a server without Remote Desktop Services (formerly Terminal Services) licensing is a violation of the EULA and you would likely fail a license audit and be smacked with a fine by Microsoft were they ever to find out. The two RDP sessions to a server that are allowed for "free" are for remote administration of the server, not for using it as a workstation for daily work.

  • I completely agree. For an office this size (up to 10 concurrent users/PCs) a workgroup of Win7 or Win8 workstations (with one of them, or a small NAS unit, acting as file/print-server) will do nicely. A DC and the server licenses is just overkill. Messing with the time in any AD deployment is just about the worst thing you can do to the domain. – Tonny Oct 15 '13 at 21:16
  • @Tonny I think that there are benefits to AD, even in a 10 PC office, but definitely not worth it if you're going to implement it like this! – MDMarra Oct 15 '13 at 21:17
  • There can be benefits, I agree, but in general how often do they outweigh the effort/cost in such a small office? 99 times out of a 100 not in my experience... This definitely looks like one of those 99 to me. – Tonny Oct 15 '13 at 21:28
  • Actually they do for a 10 people office. It depends on what you do. Not how big you are. I know a small 7 people company with about 50 computers in multiple locations all tied into the central control of an ad domain. The "cost" is irrelevant to those people - they are all not beggars. – TomTom Oct 15 '13 at 22:12
  • @Tonny, I went back and forth about whether to implement AD here. Ultimately, I went with it because the set of long-term needs outweighed the cost here. Had I known that they were changing the system time on the previous workstation, I would have done this differently up front (as it says in the question, "do I need to make this a DC yet?" Apparently not, but I do think they'll see benefits from it in the long run). – Nick Oct 16 '13 at 02:13
  • @MDMarra Ok. I'm convinced to do something else (probably a VM). I'll mark this as an answer since I appreciate that you spent time to assist. – Nick Oct 16 '13 at 02:29