group-policypowershellwindows-server-2012
In windows computer, system is using "time.windows.com" to sync the time. I need o modify the time server for windows user on its logon and want to enforce using group policy.
Case: we have windows server 2012, with 10 users on that domain. The system should update time of each user computer when user logon to system.
First thing's first. This GPO you reference is a custom GPO. You can't find it for Server 2012 because someone built that option special, and packaged it up into an administrative template for group policy. Therefore, your best option for recreating this as a GPO you can toggle like you have it is to copy the custom admx file and edit in in a text editor with the new settings. Hopefully you know how to make/modify a custom admx, because that's a little beyond the scope of this question. (If you don't, you can use a Group Policy Preference to achieve the same thing.)
Second thing, I assume you're talking about the icon displayed below.
The presence of this icon is controlled by a registry DWORD value, named Attributes at:
HKEY_CLASSES_ROOT\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\ShellFolder
The numerical value of that DWORD determines what the icon displays as... or if it displays at all. Its default value of b0040064 gives the default icon you see above. Changing that value to b0940064 will hide the icon (after logging off and back on again).
Assuming you don't know how, or don't want to go to the hassle of wrapping this into an admx for use as you did before, the quick and dirty way of applying this by Group Policy is to use a Group Policy Preference registry item, at Computer Configuration and/or User Configuration -> Preferences -> Windows Settings -> Registry. Create a new Registry Item and configure it to update that DWORD to the desired value.
The registry key and values are the same for Windows 7/Server 2008 R2 and Windows 8/Server 2012 (and I believe for Vista/Server 2008 and XP/Server2003 as well), so you can use this to create an admx or GPP that applies to all the operating systems you're concerned with.
Officially, you cannot. (On Server 2012 R2 as of the time of this writing.)
Unofficially? Maybe...
The "MSS" Group Policy settings are not and never have been included with a default, out-of-the-box installation of Active Directory. They were an add-on developed by a consulting group out in the field, and the settings were deemed so useful that they were included with the "Solution Accelerator" known as Security Compliance Manager. (It's been known under various similar names previously, such as "Windows 7 Security Compliance Management Toolkit.")
The problem is, the Security Compliance Manager comes with a whole bunch of junk that you do not want, such as a SQL Express instance. Junk that you really do not want to install on a domain controller. You only want to extract from it just the piece that you want, which is the "LocalGPO.msi" package.
The next problem is that Security Compliance Manager was never updated for 2012 R2. 2012, yes. 2012 R2, no.
That being said, you might still be able to get it to work on 2012 R2, but beware - doing so might put your server in an unsupportable state.
Download the Security Compliance Manager installation. Run it on your server.
Run the .exe, but do not continue with the installation. The installer deflates some files into a temp directory on the hard drive, such as C:\a1b2c3d4e5f6a0b1c2 or D:\a1b2c3d4e5f6a0b1c2. In that directory you will find a data.cab file. Open that file, and extract the file named GPOMSI and rename that file to LocalGPO.msi. Now cancel the SCM installer and it will delete the temp files.
Install LocalGPO.msi on your server. Then launch the new "LocalGPO Command-line" shortcut that you will find in your Start Screen. Run it as Administrator. Type cscript LocalGPO.wsf /ConfigSCE.
You will get an error that you are not running a supported operating system.
Open LocalGPO.wsf in notepad and comment out the ChkOSVer procedure in the script so that it will not check your version. Now run the above command again.
I have seen multiple reports of this working for other people, however it did not work for me. I still got a VBscript error at line 2245 of the script, at a WriteLine statement. I haven't bothered to debug any deeper, resigning myself to the fact that it simply has not been updated for 2012 R2.
Edit 4/11/2016: The version that is hosted on this Microsoft blog written by Aaron Margosis contains a download link to a version of the MSS Extension that works for me with 2012 R2 with no 'hacking' required. That's a link to a zip file. Inside the zip file, you will see a directory named 'Local_Script'. Inside that folder, you will find a subfolder named 'MSS_Extension'. Simply transfer that MSS_Extension directory to your 2012 R2 domain controller. Then open a command prompt and browse to that directory. Then run:
Cscript LocalGPO.wsf /ConfigSCE
Best Answer
best practice is secure ntp on domain . For client of the domain ad give the ntp source to ad client .
To setup on the server the source use that command (for 2008+ server): w32tm /config /manualpeerlist:0.fr.pool.ntp.org
change manualpeerlist for your timezone (check ntp project : http://www.pool.ntp.org/en/use.html )