Q

Can users log on to a domain when a system clock is desynchronized?

How can I allow users to log on to the domain when their machine's date is weeks or maybe even years behind? We have a one-week training lab that requires the domain time to be set to the week of March 24, 2003. This barrier prevents us from installing the base image on the Friday before training and having a script that sets the machine's time to the domain's time whenever the trainees log on. Kerberos will not allow the trainee to log on and authenticate so the script can set the time. Start-up scripts will not work because the machine needs flexibility in its role.

It is in general not a good idea to have any machine whose clock is out of sync, even deliberately. There are several reasons for this, one of which is that the authentication of security certificates -- some of which are created at install time -- is tracked through the system clock. If the system clock is heavily desynchronized, then certain security verifications become impossible because the computer has no idea if any of its root certificates are still valid. This is by design.
This was first published in January 2004
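
The following is an added example, not part of the original answer. It shows how a machine's local clock decides both checks mentioned above: whether Kerberos accepts the skew against the domain controller, and how the certificate validity window is judged. The 5-minute tolerance is the Windows default policy value; the machine names, certificate names and dates are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Windows default for the Kerberos policy "Maximum tolerance for computer
# clock synchronization" is 5 minutes; change this if your domain differs.
MAX_KERBEROS_SKEW = timedelta(minutes=5)

def utc(y, m, d, hh=0, mm=0):
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)

def kerberos_skew_ok(local_now, dc_now, tolerance=MAX_KERBEROS_SKEW):
    """True when the client clock is within the skew the KDC accepts."""
    return abs(local_now - dc_now) <= tolerance

def cert_status(local_now, not_before, not_after):
    """Classify a certificate as a validator trusting local_now would."""
    if local_now < not_before:
        return "not yet valid"
    if local_now > not_after:
        return "expired"
    return "valid"

def assess(local_now, dc_now, certs):
    """Return (skew_ok, {cert_name: status}) for one machine."""
    statuses = {name: cert_status(local_now, nb, na) for name, nb, na in certs}
    return kerberos_skew_ok(local_now, dc_now), statuses

# Constructed sample data: the lab domain runs at March 24, 2003.
DC_NOW = utc(2003, 3, 24, 9, 0)
CERTS = [  # (hypothetical name, notBefore, notAfter)
    ("lab-root-ca", utc(2003, 1, 10), utc(2013, 1, 10)),
    ("old-root-ca", utc(1996, 1, 1), utc(2002, 12, 31)),
]
MACHINES = {  # hypothetical lab machines and their local clocks
    "in-sync": utc(2003, 3, 24, 9, 3),
    "weeks-behind": utc(2003, 3, 3, 9, 0),
    "years-behind": utc(2001, 6, 1, 9, 0),
}

if __name__ == "__main__":
    for name, local_now in MACHINES.items():
        ok, statuses = assess(local_now, DC_NOW, CERTS)
        print(f"{name}: kerberos_skew_ok={ok} certs={statuses}")
```

Note the years-behind machine: it rejects the current root as not yet valid while treating the already expired one as valid, which is why a lagging clock cannot be trusted for either check.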
