防止非管理员用户更改 Windows 中的时区

防止非管理员用户更改 Windows 中的时区

Back in Windows XP typical users couldn't change system's time zone. In newer versions the time zone can be changed even by non-admin users. I can understand the reason they added this ability, but it can really mess up with one of our time logging apps. So we decided to provide our users an option to disable this.

In "Local Security Policy" the key "Local Policies/User Rights Assignment/Change the time zone" contains the value "LOCAL SERVICE,Administrators,Users".

To make it short, we need a way our app (written in C#) to be able to remove or add the "Users" part from the above policy. Our app includes a system service so it has elevated rights.

We could use windows command prompt or free-to-distribute third party tools.

(PS: No server is involved, no DC, AD, etc. Just standalone PCs.)

答案1

This can be accomplished via the command line (and therefore an easy process launch from code) using NTRights, which is part of the Windows Server 2003 Resource Kit Tools bundle. ntrights.exe is invoked with -u followed by the group or user name and +r or -r to add or remove (respectively) the following privilege.

Therefore, ntrights -u Users +r SeTimeZonePrivilege grants the privilege to change the time zone and ntrights -u Users -r SeTimeZonePrivilege (note the -r) revokes it.

Further reading: More on privileges, a list of common privileges

答案2

After a long search during the last 3 days i found a free-to-redistribute tool that can easily manage security policies. It's called "Grant". The creator's (Andreas Hansson) site and bussiness no longer exist, but i found a copy at wayback machine, including the file to download: https://web.archive.org/web/20150113021825/http://franzo.co.nz/hansson/grant.htm

使用示例:

授予添加 SeSystemtimePrivilege 用户权限

授予添加 SeServiceLogonRight myDomain\ServiceAccount

相关内容