OMA-URI Settings to Allow users to change time fails!

Occasional Contributor
Used below OMA-URI Settings to allow users to change their system time and got some mixed results:
1- Group one show remediation error and users can not change the time
2- Group two, still show remediation error but they can change the time.
 
And advice?
 
./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime
String
Users;Administrators
 
 
 
 
 
3 Replies

Hi @SamSONACA,

Yeah, the "Policy CSP - UserRights" isn't really well documented.

This is how I've used it in my test environment:
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/UserRights/ChangeSystemTime

Data Type: String
Value: *S-1-5-19*S-1-5-32-544*S-1-5-32-545

As mentioned in this articleit is better to use SIDs, because strings are localized for different languages. For reference, see Well-Known SID Structures.

 

Now, you have to be careful with the special character . Johan Arwidmark has already well explained in his blog how to handle this.

The real delimiter is:  &#xF000
It has to be converted to: 

 In MEM, it will be displayed like this: 

ConvertDelimiter.png

Im my case, the end user with standard user rights can only change the time through the "timedate.cpl". The shield of UAC is still displayed, but the end user is nevertheless able to change the time:
timedate.cpl.png

@joel_grangier 

 

Fantastic! Thank you!

 

This worked.

 

Any suggestion to import all on-prem policies?

 

We are currently performing this task manually by bringing them over one by one, not sure if there is an automated way to do this.

 

 

@SamSONACA 

At this time, there is unfortunately no automated way to perform this.
You can use the Group Policy analytics as an helper. You have still to create the desired configuration profiles manually, for the most policies that you currently have.

If your goal is migrating your current on-prem environment in the cloud, you should consider to not do a 1to1 migration of your GPO's. There are for sure some policies which should no more be needed, or which doesn't make any sense anymore. It's the right time to perform a cleanup action on your policies ;-).