How can I allow users to log on to the domain when their machine's date is weeks or maybe even years behind? We have a one-week training lab that requires the domain time to be set to the week of March 24, 2003. This barrier prevents us from installing the base image on the Friday before training and having a script that sets the machine's time to the domain's time whenever the trainees log on. Kerberos will not allow the trainee to log on and authenticate so the script can set the time. Start-up scripts will not work because the machine needs flexibility in its role.
It is in general not a good idea to have any machine whose clock is out of sync, even deliberately. There are several reasons for this, one of which is that the authentication of security certificates -- some of which are created at install time -- are tracked through the system clock. If the system clock is heavily desynchronized, then certain security verifications become impossible because the computer has no idea if any of its root certificates are still valid. This is by design.
Dig deeper on Windows Operating System Management
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.