Support
 
Phone Get Quote
 
Support
 
US: +1 888 720 9500
US: +1 888 791 1189
Intl: +1 925 924 9500
Aus: +1 800 631 268
UK: 0800 028 6590
CN: +86 400 660 8680

Direct Inward Dialing: +1 408 916 9892

 

How to check if the system time has been changed

Cyber forensics rely on time stamps across log files to determine an accurate sequencing pattern and correlation of events. This is a challenge when log files across geographical locations have to be correlated to study events. Reliable monitoring and real-time alerts depend on synchronized time across log files. Even the slightest time lapse, by a few seconds, could cause you to overlook some suspicious event that took place in your network. So it is imperative for administrators to be alerted of any system time changes that have taken place.

In this article you'll learn how to use native AD tools to monitor system time changes. Alternatively the ADAudit Plus solution also offers you a faster way to do this with an intuitive graphic interface, analysis charts and pre-configured reports.

Download for Free
Free, fully functional 30-day trial

  • With Native AD Auditing

  • With ADAudit Plus

  • How to track changes to system time with ADAudit Plus.

  • To track scheduled tasks, you will have to enable auditing of your Active Directory. (See Step 1 of the Native AD Audit Tab).

  • In the ADAudit Plus console, go to 'Reports' tab and navigate to ' Server Audit Reports' on the left pane. This provides a list of pre-configured reports on process activity within AD.

  • You can select the 'System Time Changed' report to see if there was any change made in the system time.

  • You can also create custom reports and export reports in CSV, PDF, XSL, HTML formats.

  • Active Directory Auditing just got easier!

  • ADAudit Plus comes bundled with more than 300 predefined reports that makes AD auditing easier. The solution also generates real-time alerts for critical events to help you secure your network from threats and boost your IT security posture. Check out the capabilities of ADAudit Plus here.

  • Download ADAudit Plus

  • Step 1: Enable GPO Auditing

  • Launch the 'Server Manager' and open the Group Policy Management Console (GPMC).

  • In the left pane, expand the 'Forest' and 'Domains' nodes to reveal the specified domain you want to track the changes for.

  • Expand the domain and right-click 'Default Domain Policy'. You can also choose a domain policy that is universal throughout the domain, or create a new GPO and link it to the Default Domain Policy.

  • Click on 'Edit' of the desired group policy, to open up the Group Policy Management Editor.

  • Expand 'Computer Configuration'--->Policies---->Windows Settings----->Security Settings----->Advanced Policy Configurations----->Audit Policy------>Systems-----Other system events.

  • Enable audit for 'success' and 'failure' events. Exit the Group Policy Management

    how-to-check-system-time-change-1

  • In the GPMC, choose the modified GPO, and click 'Add' in the 'Security' section on the right pane. Type 'everyone' in the text box and click 'Check Names' to include the value. Exit the GPMC.

  • To enforce these changes throughout the domain, run the command 'gupdate /force', in the "Run" console.

  • Step 2: Allow AD Auditing through ADSI Edit

  • From your 'Server Manager' go to 'Tools' and select 'ADSI Edit'.

  • Right click 'ADSI Edit' node from the left pane and select 'Connect to' option. This pulls up the 'Connection Settings' window.

  • Select the 'Default Naming Context' option from the 'Select a well-known Naming Context' drop down list.

    how-to-check-system-time-change-2

  • Click 'Okay' and return to the ADSI Edit window. Expand 'Default Naming Context' and select the associated 'DC' subnode. Right-click this subnode and click 'Properties'.

  • In the 'Properties' window, go to the 'Security' tab and select 'Advanced'. After that select 'Auditing' tab and click 'Add'.

    how-to-check-system-time-change-3

  • Click on ' Select a principle'. This will bring up a 'Select User, Computer or Group' Window. Type 'Everyone' in the textbox and verify it with 'Check Names'.

  • The 'Principle' in the 'Auditing Entry' window now shows 'Everyone'. In the 'Type' drop-down select 'All' to audit for both 'success' and 'failure' events.

  • In the 'Select' drop-down choose 'This object and all descendant object's. Select 'Full Control' in the 'Permissions' section.

  • This selects all the checkboxes available. Unselect the following check boxes:

    1. Full Control

    2. List Contents

    3. Read all properties

    4. Read permissions

    how-to-check-system-time-change-4
  • Step 3: View Events in Event Viewer

  • You can view events by accessing 'Security Logs' in the 'Event Viewer'. You can filter your log to look for the following event.

  • Event ID: 4616 describes an event where the system time was changed.

    how-to-check-system-time-change-5

Does native auditing become a little too much?

Simplify system event auditing and reporting with ADAudit Plus.

Get Your Free Trial Fully functional 30-day trial

Related How-tos

Request 1-on-1 demo

  •  
  •  
  •  
  •  
  •  
  • -Select-
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.

Thanks

One of our solution experts will get in touch with you shortly.

ADAudit Plus Trusted By

Meet all auditing and IT security needs with ADAudit Plus.

  • Active Directory
  • File servers
  • Windows server
  • Workstation
  • Compliance
  • Related Products

A single pane of glass for complete Active Directory Auditing and Reporting

Free Trial Get Quote
Email Download Link