Prevent non-admin users from changing time zone in windows

Question

Back in Windows XP typical users couldn't change system's time zone. In newer versions the time zone can be changed even by non-admin users. I can understand the reason they added this ability, but it can really mess up with one of our time logging apps. So we decided to provide our users an option to disable this.

In "Local Security Policy" the key "Local Policies/User Rights Assignment/Change the time zone" contains the value "LOCAL SERVICE,Administrators,Users".

To make it short, we need a way our app (written in C#) to be able to remove or add the "Users" part from the above policy. Our app includes a system service so it has elevated rights.

We could use windows command prompt or free-to-distribute third party tools.

(PS: No server is involved, no DC, AD, etc. Just standalone PCs.)

Answer 1

This can be accomplished via the command line (and therefore an easy process launch from code) using NTRights, which is part of the Windows Server 2003 Resource Kit Tools bundle. ntrights.exe is invoked with -u followed by the group or user name and +r or -r to add or remove (respectively) the following privilege.

Therefore, ntrights -u Users +r SeTimeZonePrivilege grants the privilege to change the time zone and ntrights -u Users -r SeTimeZonePrivilege (note the -r) revokes it.

Further reading: More on privileges, a list of common privileges

Answer 2

After a long search during the last 3 days i found a free-to-redistribute tool that can easily manage security policies. It's called "Grant". The creator's (Andreas Hansson) site and bussiness no longer exist, but i found a copy at wayback machine, including the file to download: https://web.archive.org/web/20150113021825/http://franzo.co.nz/hansson/grant.htm

Usage examples:

grant add SeSystemtimePrivilege Users

grant add SeServiceLogonRight myDomain\ServiceAccount