Allow Active Directory users to disable datetime sync

I have recently migrated my company to Active Directory. With it comes a default setting that will force time synchronization to be enabled.

Trouble is, some users need to change their datetime settings for testing purposes, but automatic sync will restore the actual time value. The option to disable time sync is greyed out. The user in question is trusted and a member of the local admins group on his computer.

I have tried to find a way to let users enable and disable this setting at will, but I only found a global enable/disable.

I would like to know if it is possible to leave this setting (enabling/disabling time sync) to the users' discretion.

Thank you everyone

EDIT for more precision: The user has the rights to modify system time (rights defined in a GPO). The user is able to change time, only it will automatically be changed back a few minutes later. It is this behaviour I wish to disable. Disabling Windows Time service (w32time) does not help.


As pointed out by @MDMarra, using a VM is a great way to go because blocking time synchronization can cause significant problems for authentication, TLS certificate validity, etc. However, for true testing, you probably will want to test this on a machine that is joined to the domain as it would be in a "real world" case. Either way, it is always helpful to be familiar with the configuration of time settings in a Windows domain.

The built-in W32TM command should be the answer to your challenge. The following two command strings will prevent your test machines from automatically resetting their time:

w32tm /config /syncfromflags:no /update
net stop w32time && net start w32time

To restore proper operation after your testing is complete, run these two command strings:

w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time

This will tell the computer to synchronize its time from the Active Directory domain controllers and then restart the time service.

Additional references:

  • TechNet: Configure a client computer for automatic domain time synchronization
  • SS64: W32TM.exe

Edit with additional info: These commands assume what the question has already stated--that the person running the commands has local admin privileges.

I'll also borrow a tip from another fantastic SF Q&A about configuring time. This is a direct quote of the answer that is now a community wiki:

9. If you have been playing around with the Windows Time Service before now, or you inherited this network from someone else, it is probably a good idea to reset w32time to the default settings before you start re-configuring it. Run the following commands on your domain controllers, starting with the PDCe.

net stop w32time
w32tm /unregister  <-- If you get an Access Denied message, reboot.
w32tm /register
net start w32time

I recommend you reboot the server 1-2 times after running these commands and make sure the Windows Time Service is present, set to Automatic, and started. I have seen situations where the /unregister command did not take effect until the following reboot. Then you have a surprise when you reboot after doing Windows patches and the w32time service is suddenly missing!
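
A PowerShell wrapper around the two `w32tm /config` command pairs shown above, added here as an illustration and not part of any answer on this page: it turns sync off, runs a test, and restores domain sync in a `finally` block so the machine is not left unsynchronized. The function names are hypothetical, and it assumes an elevated session on a domain member whose time service `Type` value is not overridden by Group Policy.

```powershell
#Requires -RunAsAdministrator
# Added example; function names and the -Test parameter are hypothetical.

$W32TimeParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-TimeSyncType {
    # 'Type' reads NT5DS for domain-hierarchy sync and NoSync when sync is off.
    (Get-ItemProperty -Path $W32TimeParams -Name Type).Type
}

function Set-TimeSyncFlags {
    param([ValidateSet('no', 'domhier')][string]$Flags)
    # Same w32tm call as in the answer, followed by a service restart.
    & w32tm.exe /config "/syncfromflags:$Flags" /update | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "w32tm /config failed with exit code $LASTEXITCODE"
    }
    Restart-Service -Name w32time
}

function Invoke-WithTimeSyncDisabled {
    param([Parameter(Mandatory)][scriptblock]$Test)

    # Refuse to run if the machine is not in the state we will restore to,
    # so a manually configured time source is never silently overwritten.
    $before = Get-TimeSyncType
    if ($before -ne 'NT5DS') {
        throw "Expected sync type NT5DS before the test, found '$before'."
    }
    try {
        Set-TimeSyncFlags -Flags no
        & $Test
    }
    finally {
        # Runs even if the test throws: re-enable domain sync and resync now.
        Set-TimeSyncFlags -Flags domhier
        & w32tm.exe /resync /rediscover
        "Sync type after restore: $(Get-TimeSyncType)"
        & w32tm.exe /query /source
    }
}

# Usage: shift the clock one day ahead only for the duration of the test.
Invoke-WithTimeSyncDisabled -Test {
    Set-Date -Date (Get-Date).AddDays(1) | Out-Null
    # ... run the date-dependent test here ...
}
```

Windows PowerShell 5.1 does not accept `&&`, which is why the restart uses `Restart-Service` rather than the `net stop w32time && net start w32time` line.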


You really don't want to do this. Time sync is critical to Kerberos functioning properly. Unless you want authentication failures, you'll leave the system clocks where they are.

Perhaps a non-domain joined VM running inside of client Hyper-V is a better solution.