This office runs an active directory on windows servers. Some 2003 DCs some 2008 R2 DCs
A user (The QA analyst) requested that he is able to change his time and it not be changed back after 5-10 minutes. The reason is he needs to see different time states for our website.
First off a couple issues spring to mind...
What happens if he forgets to change it back?
Will he be able to continue to use the resources of the domain if his time and date are out of sync? Exchange, shares, even to log on....?
What are some solutions to this issue I am sure this has come up many times in the past. I can see his user account or workstation computer in it's own OU with its own GPO but I am unsure where to go from there.
If the time is off authentication to Network Resources will fail. If the user logs off with the time out of sync all domain authentication for that computer will fail. In order to get back in you would have to unplug from the network and log in using cached credentials.
Cleanest way would probably be to have the user test from a workstation that is not on the domain.
As long as he is not making changes to active directory the impact to the environment will be minimal. The user may have problems getting group policy updates and may have issues authenticating (but that can be fixed with a time reset and reboot) You will have to:
you can keep the users machine in sync and allow him to have a time difference on a virtual machine rather than his workstation (windows virtual machine will allow this)
The protocols used to contact domain controllers (specifically Kerberos) are based on the computer's time. All sorts of authentication errors can result from messing with the time. generally, a time skew of more than 5 minutes will give you problems.
More info on how Kerberos works here: http://en.wikipedia.org/wiki/Kerberos_%28protocol%29