Global Configuration Settings

This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers, including RODCs. If you enable this policy setting, you can specify the following Clock discipline, General, and RODC parameters for this service. If you disable or do not configure this policy setting, Windows Time service uses the defaults of each of the following parameters. Several of the following values are scalar, which means that they only have meaning in relation to one another and are not defined by specific unit measurements.

FrequencyCorrectRate: This parameter controls the rate at which W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values cause more frequent corrections. Values that are too low can lead to overcorrection and instability. Values that are too high can lead to slow synchronization. Default: 4 (scalar).

HoldPeriod: This parameter indicates how many potentially accurate time samples the client computer must receive in a series before subsequent time samples are evaluated as potential spikes. After a period of not receiving any usable time samples, a time client ceases to evaluate time samples for spikes as soon as the first potentially accurate time sample is received. When a series of time samples (as indicated by HoldPeriod) is received, the time client evaluates subsequent time samples for spikes. A time sample is considered to be a spike when the time difference between a time sample and the client computer's local clock is greater than that of the LargePhaseOffset value. Default: Five time samples.

LargePhaseOffset: This parameter specifies the time variation from the client computer's local clock (phase offset) that a time sample must have to be considered a spike. Time samples that have time variations larger than the LargePhaseOffset value are considered spikes. Default: 50000000 100-nanosecond units (ns), which is five seconds.

MaxAllowedPhaseOffset: This parameter controls how W32time corrects the clock based on the size of the calculated time variation between the time sample and the client computer's local clock. If a response is received that has a time variation that is larger than this value, W32time sets the client computer's local clock immediately to the time that is accepted as accurate from the Network Time Protocol (NTP) server. If the time variation is less than this value, the client computer's local clock is corrected gradually. Default: 300 seconds.

MaxNegPhaseCorrection: This parameter controls the maximum allowable clock correction that can be made in a reverse direction. If a time sample is received that indicates a time in the past (as compared to the client computer's local clock) that has a time difference that is greater than the MaxNegPhaseCorrection value, the time sample is discarded. If this happens, the Windows Time source logs an event in the System log of Event Viewer. Default: 172800 seconds.

MaxPosPhaseCorrection: This parameter controls the maximum allowable clock correction that can be made in a forward direction. If a time sample is received that indicates a time in the future (as compared to the client computer's local clock) that has a time difference greater than the MaxPosPhaseCorrection value, the time sample is discarded. Default: 172800 seconds.

PhaseCorrectRate: This parameter controls how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP server. Lower values cause the clock to correct more slowly; larger values cause the clock to correct more quickly. Default: 7 (scalar).

PollAdjustFactor: This parameter controls how quickly W32time changes polling intervals. When responses are considered to be accurate, the polling interval lengthens automatically. When responses are considered to be inaccurate, the polling interval shortens automatically. Default: 5 (scalar).

SpikeWatchPeriod: This parameter specifies the amount of time that suspicious time samples are received from a time source before these time samples are accepted as accurate. Time samples are considered suspicious when the time difference between the time sample and the client computer's local clock is larger than the value of LargePhaseOffset. SpikeWatchPeriod is used in conjunction with HoldPeriod to help eliminate sporadic, inaccurate time samples that are returned from a peer. Default: 900 seconds.

UpdateInterval: This parameter specifies the amount of time that W32time waits between corrections when the clock is being corrected gradually. When it makes a gradual correction, the service adjusts the clock slightly, waits this amount of time, and then checks to see if another adjustment is needed, until the correction is finished. Default: 100 1/100th second units, which is 1 second.

General parameters:

AnnounceFlags: This parameter is a bitmask value that controls how time service availability is advertised through NetLogon. Default: 0x0a hexadecimal. See the NtpClient -> EventLogFlags Subkey documentation on Microsoft's TechNet Library for possible values.

EventLogFlags: This parameter controls special events that may be logged to the Event Viewer System log. Default: 0x02 hexadecimal bitmask. See the NtpClient -> EventLogFlags Subkey documentation on Microsoft's TechNet Library for possible values.

LocalClockDispersion: This parameter indicates the maximum error in seconds that is reported by the NTP server to clients that are requesting a time sample. (Applies only when the NTP server is using the time of the local CMOS clock.) Default: 10 seconds.

MaxPollInterval: This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, which is 1024 seconds. (Should not be set higher than 15.)

MinPollInterval: This parameter controls the minimum polling interval that defines the minimum amount of time between polls of a peer. Default: 6 in log base-2, which is 64 seconds.

RequireSecureTimeSyncRequests: This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. Default: 0 Boolean.

RODC parameters:

ChainEntryTimeout: This parameter specifies the maximum amount of time that an entry can remain in the chaining table before the entry is considered to be expired. Expired entries may be removed when the next request or response is processed. Default: 16 seconds.

ChainMaxEntries: This parameter controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. Default: 128 entries.

ChainMaxHostEntries: This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: 4 entries.

ChainDisable: This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. Default: 0 Boolean.

ChainLoggingRate: This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes.
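
The clock-discipline thresholds above interact, so the following added example (not Microsoft's code and not W32time's actual algorithm) models how one time sample is treated under the rules as this page states them. The names ClockPolicy, classify_sample and compare are hypothetical, the order of the checks is an assumption, and the sample offsets and the 3600-second comparison value are constructed.

```python
from dataclasses import dataclass

HNS_PER_SECOND = 10_000_000  # LargePhaseOffset is given in 100-nanosecond units


@dataclass(frozen=True)
class ClockPolicy:
    """Hypothetical container; defaults are the values listed on this page."""
    large_phase_offset_hns: int = 50_000_000    # LargePhaseOffset (five seconds)
    max_allowed_phase_offset_s: int = 300       # MaxAllowedPhaseOffset
    max_neg_phase_correction_s: int = 172_800   # MaxNegPhaseCorrection
    max_pos_phase_correction_s: int = 172_800   # MaxPosPhaseCorrection
    hold_period: int = 5                        # HoldPeriod (samples)
    spike_watch_period_s: int = 900             # SpikeWatchPeriod
    min_poll_log2: int = 6                      # MinPollInterval
    max_poll_log2: int = 10                     # MaxPollInterval

    def poll_bounds_s(self):
        """Poll intervals are stored as log base-2 of a number of seconds."""
        return 2 ** self.min_poll_log2, 2 ** self.max_poll_log2


def classify_sample(policy, offset_s, good_in_series=0, suspicious_for_s=0):
    """Return 'discard', 'suspect-spike', 'step' or 'slew' for one sample.

    offset_s is sample time minus local clock (positive = sample in the future).
    good_in_series counts the potentially accurate samples already received;
    suspicious_for_s is how long suspicious samples have kept arriving.
    """
    size = abs(offset_s)
    # Beyond the directional correction limit the sample is discarded.
    limit = (policy.max_pos_phase_correction_s if offset_s > 0
             else policy.max_neg_phase_correction_s)
    if size > limit:
        return "discard"
    # Spike evaluation only starts once HoldPeriod samples have been received,
    # and suspicious samples are accepted after SpikeWatchPeriod has elapsed.
    spike = size > policy.large_phase_offset_hns / HNS_PER_SECOND
    if (spike and good_in_series >= policy.hold_period
            and suspicious_for_s < policy.spike_watch_period_s):
        return "suspect-spike"
    # Larger than MaxAllowedPhaseOffset: clock is set immediately; else gradually.
    return "step" if size > policy.max_allowed_phase_offset_s else "slew"


def compare(offsets_s, *policies):
    """Classify each offset under every policy, one tuple per offset."""
    return [tuple(classify_sample(p, o) for p in policies) for o in offsets_s]


DEFAULTS = ClockPolicy()
# Constructed comparison policy: both correction limits lowered to one hour.
TIGHT = ClockPolicy(max_neg_phase_correction_s=3600,
                    max_pos_phase_correction_s=3600)
SAMPLE_OFFSETS_S = [2.0, 400.0, 86_400.0, -200_000.0]  # constructed offsets

if __name__ == "__main__":
    results = compare(SAMPLE_OFFSETS_S, DEFAULTS, TIGHT)
    for offset, (default_result, tight_result) in zip(SAMPLE_OFFSETS_S, results):
        print(f"{offset:>10.0f} s  default={default_result:<8} tight={tight_result}")
```

With the defaults, a sample one day ahead of the local clock is inside the 172800-second limit and the clock is set to it immediately, while the constructed one-hour limit discards the same sample.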

Configure Windows NTP Client

This policy setting specifies a set of parameters for controlling the Windows NTP Client. If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. If you disable or do not configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters.

NtpServer: The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of "dnsName,flags" where "flags" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is "time.windows.com,0x09".

Type: This value controls the authentication that W32time uses. The default value is NT5DS.

CrossSiteSyncFlags: This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal).

ResolvePeerBackoffMinutes: This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes.

ResolvePeerBackoffMaxTimes: This value controls how many times W32time attempts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails, the amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts.

SpecialPollInterval: This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of the MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. The default value is 3600 seconds (1 hour).

EventLogFlags: This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged.

Enable Windows NTP Client

This policy setting specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use a third-party time provider. If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers.

Only allow local user profiles

This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off this computer, the local copy of their profile, including any changes they have made, is merged with the server copy of their profile. Using the setting, you can prevent users configured to use roaming profiles from receiving their profile on a specific computer. If you enable this setting, the following occurs on the affected computer: At first logon, the user receives a new local profile rather than the roaming profile. At logoff, changes are saved to the local profile. All subsequent logons use the local profile. If you disable this setting or do not configure it, the default behavior occurs as indicated above. If you enable both the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting, roaming profiles are disabled. Note: This setting only affects roaming profile users.

Prevent Roaming Profile changes from propagating to the server

This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. By default, when a user with a roaming profile logs on to a computer, the roaming profile is copied down to the local computer. If the user has logged on to the computer in the past, the roaming profile is merged with the local profile. Similarly, when the user logs off the computer, the local copy of their profile, including any changes, is merged with the server copy of the profile. Using this policy setting, you can prevent changes made to a roaming profile on a particular computer from being persisted. If you enable this policy setting, changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off. If you disable or do not configure this policy setting, the default behavior occurs as indicated above. Note: This policy setting only affects roaming profile users.

Add the Administrators security group to roaming user profiles

This policy setting adds the Administrator security group to the roaming user profile share. Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the location that is specified by the administrator. For the Windows XP Professional and Windows 2000 Professional operating systems, the default file permissions for the newly generated profile are full control, or read and write access, for the user and no file access for the administrators group. By configuring this policy setting, you can alter this behavior. If you enable this policy setting, the administrator group is also given full control to the user's profile folder. If you disable or do not configure this policy setting, only the user is given full control of their user profile, and the administrators group has no file system access to this folder. Note: If the policy setting is enabled after the profile is created, the policy setting has no effect. Note: The policy setting must be configured on the client computer, not the server, for it to have any effect, because the client computer sets the file share permissions for the roaming profile at creation time. Note: In the default case, administrators have no file access to the user's profile, but they may still take ownership of this folder to grant themselves file permissions. Note: The behavior when this policy setting is enabled is exactly the same behavior as in Windows NT 4.0.

Set time limit for disconnected sessions

This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence.

Set time limit for active but idle Remote Desktop Services sessions

This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits -> End session when time limits are reached. Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence.
