NTP in MS domains

As I understand it, clients know who their NTP server is because the master
browser tells them, so there's no need to run any net time /set or /setsntp
commands.

But I have seen people use these commands in scripts -- even in login
scripts where it shouldn't be able to do anything because they don't run
with admin rights.

Is there any reason to run these commands on clients?


--

Reply in group, but if emailing add one more
zero, and remove the last word.

Hello Tom,

If you have a domain, normally is no need for using time commands. In a domain
the Domain Controller with the PDCEmulator role is the time source for the
domain. All DC's sync with it and all member servers and workstations sync
with one available DC.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> As I understand it, clients know who their NTP server is because the
> master browser tells them, so there's no need to run any net time /set
> or /setsntp commands.
>
> But I have seen people use these commands in scripts -- even in login
> scripts where it shouldn't be able to do anything because they don't
> run with admin rights.
>
> Is there any reason to run these commands on clients?
>

In Active Directory, login scripts run with elevated rights; but even so you
are correct, the inclusion of the time command is generally superfluous in
the case of a domain-connected client.

"Tom Del Rosso" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> As I understand it, clients know who their NTP server is because the
> master
> browser tells them, so there's no need to run any net time /set or
> /setsntp
> commands.
>
> But I have seen people use these commands in scripts -- even in login
> scripts where it shouldn't be able to do anything because they don't run
> with admin rights.
>
> Is there any reason to run these commands on clients?
>
>
> --
>
> Reply in group, but if emailing add one more
> zero, and remove the last word.
>
>

"Tom Del Rosso" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> As I understand it, clients know who their NTP server is because the
> master
> browser tells them, so there's no need to run any net time /set or
> /setsntp
> commands.
>
> But I have seen people use these commands in scripts -- even in login
> scripts where it shouldn't be able to do anything because they don't run
> with admin rights.
>
> Is there any reason to run these commands on clients?


In addition to Tom and Richard's responses, you should consider to
synchronize your PDCE of your single domain with an NTP time server. That
is the only machine which needs to connect to an external time source as all
domain clients synch their time with the PDCE.

--
Todd J. Heron, MCSE
Windows NT, 2000, 2003

> Todd J. Heron, MCSE
> Windows NT, 2000, 2003

There's a name I haven't seen in a while...!

ZZZT!


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

"Richard G. Harper" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)
> In Active Directory, login scripts run with elevated rights; but even
> so you are correct, the inclusion of the time command is generally
> superfluous in the case of a domain-connected client.

I thought so. Thanks to you and the others.

Your point raises a couple of other questions in me.

Are rights elevated in the same way whether the login script is assigned to
users by a GPO or by the user account properties?

Which specific rights are elevated? I can't find a reference that lists
them.


--

Reply in group, but if emailing add one more
zero, and remove the last word.

"Todd J. Heron" <todd.heron_removethis_@gmail.com> wrote in message
news:(E-Mail Removed)
>
> In addition to Tom and Richard's responses, you should consider to
> synchronize your PDCE of your single domain with an NTP time server.
> That is the only machine which needs to connect to an external time
> source as all domain clients synch their time with the PDCE.

Yes. I believe SBS sets that up automatically but plain Windows Server
doesn't.

That would be with the net time /setsntp command with the time service
stopped, right?


--

Reply in group, but if emailing add one more
zero, and remove the last word.

"Phillip Windell" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>> Todd J. Heron, MCSE
>> Windows NT, 2000, 2003
>
> There's a name I haven't seen in a while...!
>
> ZZZT!

Yeah, haven't been hanging out much in the last couple of years. Phil, your
comment made me remeber one of your standard colloquialisms from yesteryear
(circa 2002):

"Proxy Server doesn't do U-turns"...

"Tom Del Rosso" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Yes. I believe SBS sets that up automatically but plain Windows Server
> doesn't.
>
> That would be with the net time /setsntp command with the time service
> stopped, right?

net time \\ServerName /setsntp:TimeSource

(note: my testing worked with the time service both stopped and running)

1. All login scripts assigned by GPO, or by the local security policies,
run with Administrator rights. The logon script, and all processes it
spawns, run with Administrative rights. I don't know about the user account
script assignment as I never saw the need to assign scripts on a per-user
basis on individual computers; only per computer, or using Active Directory.

2. See #1. The logon script runs as Administrator and any processes it
spawns while running get the same. This doesn't change the user's rights,
only the logon script gets the elevation. Anything the user might do while
the script is running is done in the user's context and with the user's
rights.

"Tom Del Rosso" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Richard G. Harper" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)
>> In Active Directory, login scripts run with elevated rights; but even
>> so you are correct, the inclusion of the time command is generally
>> superfluous in the case of a domain-connected client.
>
> I thought so. Thanks to you and the others.
>
> Your point raises a couple of other questions in me.
>
> Are rights elevated in the same way whether the login script is assigned
> to
> users by a GPO or by the user account properties?
>
> Which specific rights are elevated? I can't find a reference that lists
> them.
>
>
> --
>
> Reply in group, but if emailing add one more
> zero, and remove the last word.
>
>