This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged events reflect the new time, not the actual time that the events occurred. Note: Discrepancies between the time on the local computer and on the domain controllers in your environment may cause problems for the Kerberos authentication protocol, which could make it impossible for users to log on to the domain or obtain authorization to access domain resources after they are logged on. Also, problems will occur when Group Policy is applied to client computers if the system time is not synchronized with the domain controllers. Countermeasure: Restrict the Change the system time user right to users with a legitimate need to change the system time, such as members of the IT team. Potential Impact: There should be no impact, because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source.

[list_of_users_followed_by_comma]

(1) GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Change the system time (2) REG: ### (3) WMI: root\rsop\computer#RSOP_UserPrivilegeRight#AccountList#UserRight='SeSystemtimePrivilege' and precedence=1