Allow Active Directory users to disable datetime sync

As pointed out by @MDMarra, using a VM is a great way to go because blocking time synchronization can cause significant problems for authentication, TLS certificate validity, etc. However, for true testing, you probably will want to test this on a machine that is joined to the domain as it would be in a "real world" case. Either way, it is always helpful to be familiar with the configuration of time settings in a Windows domain.

The built-in W32TM command should be the answer to your challenge. The following two command strings will prevent your test machines from automatically resetting their time:

w32tm /config /syncfromflags:no /update
net stop w32time && net start w32time

To restore proper operation after your testing is complete, run these two command strings:

w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time

This will tell the computer to synchronize its time from the Active Directory domain controllers and then restart the time service.

Additional references:

  • TechNet: Configure a client computer for automatic domain time synchronization
  • SS64: W32TM.exe

Edit with additional info: These commands assume what the question has already stated--that the person running the commands has local admin privileges.

I'll also borrow a tip from another fantastic SF Q&A about configuring time. This is a direct quote of the answer that is now a community wiki:

9.If you have been playing around with the Windows Time Service before now, or you inherited this network from someone else, it is probably a good idea to reset w32time to the default settings before you start re-configuring it. Run the following commands on your domain controllers, starting with the PDCe.

net stop w32time
w32tm /unregister  <-- If you get an Access Denied message, reboot.
w32tm /register
net start w32time

I recommend you reboot the server 1-2 times after running these commands and make sure the Windows Time Service is present, set to Automatic, and started. I have seen situations where the /unregister command did not take effect until the following reboot. Then you have a surprise when you reboot after doing Windows patches and the w32time service is suddenly missing!


You really don't want to do this. Time sync is critical to Kerberos functioning properly. Unless you want authentication failures, you'll leave the system clocks where they are.

Perhaps a non-domain joined VM running inside of client Hyper-V is a better solution.