Creating a Group Policy using Microsoft PowerShell to Configure the Authoritative Time Server
In my 10 Things in AD… presentations, I talk about the importance of having the domain controller that holds the Primary Domain Controller Emulator (PDCe) role configured as the authoritative time source for the forest. In the PDF that accompanies the presentations, I include a link to a Microsoft Ask the Directory Service Team blog article. The main problem with that article is there is not enough detail for a lot of people. Now that Server 2008 and later include PowerShell cmdlets for Group Policy, I thought I would add some detail on creating the Group Policy with PowerShell.
There is no way to use the in-the-box Group Policy PowerShell cmdlets to create WMI Filters. For that, there is a Group Policy WMI filter cmdlet module available. I downloaded the module and placed it in my scripts folder, c:\webster. There was an issue for me and I had to change one line in the module.
I had to change line 70 from:
$msWMIAuthor = (Get-ADUser $env:USERNAME).UserPrincipalName
$msWMIAuthor = (Get-ADUser $env:USERNAME).Name
Without that change, I received an error on line 97 with a Null value in the $Attr array defined in line 80. I traced the Null value to the msWMI-Author value in the array.
The script to create the Group Policy:
Set-StrictMode -Version 2 #Carl Webster, CTP and independent consultant #email@example.com #@carlwebster on Twitter #http://www.CarlWebster.com #With help from Michael B. Smith - <a href="https://www.essential.exchange/blog/" target="_blank" rel="noopener">https://www.essential.exchange/blog/</a> # load required modules Import-Module ActiveDirectory Import-Module GroupPolicy #the following module is available for download from #http://gallery.technet.microsoft.com/scriptcenter/Group-Policy-WMI-filter-38a188f3 #assuming the module is in the same folder as the script Import-Module ( Join-Path ( Split-Path $MyInvocation.MyCommand.Path -Parent) GPWmiFilter.psm1 ) #define variables specific to an AD environment $GPOName = 'Set PDCe as Authoritative Time Server' $defaultNC = ( [ADSI]"LDAP://RootDSE" ).defaultNamingContext.Value $TargetOU = 'OU=Domain Controllers,' + $defaultNC $TimeServer = 'north-america.pool.ntp.org,0x1' $WMIFilterName = 'PDCe Role Filter' #the GPWmiFilter module said to put this in the main code new-itemproperty "HKLM:\System\CurrentControlSet\Services\NTDS\Parameters" ` -name "Allow System Only Change" -value 1 -propertyType dword -EA 0 #create WMI Filter $filter = New-GPWmiFilter -Name $WMIFilterName ` -Expression 'Select * from Win32_ComputerSystem where DomainRole = 5' ` -Description 'Queries for the Domain Controller that holds the PDCe FSMO Role' ` -PassThru #create new GPO shell $GPO = New-GPO -Name $GPOName #add WMI filter $GPO.WmiFilter = $Filter #set the three registry keys in the Preferences section of the new GPO Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer ` -Key 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Config' ` -Type DWord -ValueName 'AnnounceFlags' -Value 5 | out-null Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer ` -Key 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' ` -Type String -ValueName 'NtpServer' -Value $TimeServer | out-null Set-GPPrefRegistryValue -Name $GPOName -Action Update -Context Computer ` -Key 'HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters' ` -Type String -ValueName 'Type' -Value 'NTP' | out-null #link the new GPO to the Domain Controllers OU New-GPLink -Name $GPOName ` -Target $TargetOU | out-null
My Group Policy Management Console (GPMC) before running the script is shown in Figure 1 showing no WMI Filters exist.
The script is processed and then I ran the Get-GPO cmdlet to verify the GPO was created (Figure 2).
After a refresh, a look back in the GPMC (Figure 3) showing the new WMI Filter and GPO.
Selecting the new WMI Filter in the GPMC shows all the settings are correct: Filter Name, Description, and Query as shown in Figure 4.
Another look in the GPMC at the Domain Controllers OU shows the new GPO is linked properly as shown in Figure 5.
And Figure 6 shows all the registry keys are set properly.
The current registry keys are shown in Figures 7 and 8.
After a GPUPDATE /FORCE, the registry keys are shown in Figures 9 and 10.
What happens on a domain controller that is not the PDCe? That is shown in Figure 11. As you can see, the new GPO was denied because of the WMI Filter.
There you go. Now you can automate creating the Group Policy to set the Forest Root Domain’s PDCe as the authoritative time server for your AD Forest.
You can always find the most current script by going to https://carlwebster.com/where-to-get-copies-of-the-documentation-scripts/