Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Windows 2008, "Error adjusting system time: A required privilege is not held by the client"

Posted on 2011-09-27
4
Medium Priority
?
1,861 Views
Last Modified: 2012-05-12
We use an application to synchronise the clocks between the servers in our data centre.

As a result of a recent security review we have set "Deny this user permission to logon to Terminal Server" on the domain administrator account and now only use it for installations and running services. Also we have created a 2nd domain administrator account for day to day operation via RDP and we routinely change it's password.

This new arrangement using the 2nd domain admin account works fine on our Windows 2003 servers but we cannot update the system clock on a  Windows 2008 SP2 64bit terminal server as follows:
- clock application GUI error message: "Error adjusting system time: A required privilege is not held by the client"
- TIME command line error message: "A required privilege is not held by the client"

The Windows 2008 server is setup as follows:
- "Domain Admins" were already in the local Administrator group
- "Domain Admins" was added to the following without improvement:
   Local Security Poilicy/ Local Policies/ User Rights Assignment/ Change the system time

The AD is Windows 2008 not R2.
0
Comment
Question by:Edge IT Systems
  • 2
  • 2
4 Comments
 

Author Comment

by:Edge IT Systems
ID: 36708602
I have also noticed that even with "Deny this user permission to logon to Terminal Server" set for the original domain administrator account we can still use that account to RDP onto the Windows 2008 server but not onto the Windows 2003 servers.

This might be connected ?
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 1000 total points
ID: 36710695
Why do you have an application running instead of the native windows time service?

You are possibly being blocked by UAC. What happens if you run the application elevated?
0
 

Author Comment

by:Edge IT Systems
ID: 36711121
For historical reasons we use 1st Atomic Clock.

Thank you, UAC was the answer, plus the following to disable the prompts:

- Start/ Run/ secpol.smc
- Local Policies/ Security Options/
  User Access Control: Run all administrators in Admin Approval Mode = disabled
- Local Policies/ Security Options/
  User Access Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36711841
FWIW, disabling UAC reduces your security posture, and I would flag that as an auditor.
0

Featured Post

Learn Veeam advantages over legacy backup

Every day, more and more legacy backup customers switch to Veeam. Technologies designed for the client-server era cannot restore any IT service running in the hybrid cloud within seconds. Learn top Veeam advantages over legacy backup and get Veeam for the price of your renewal

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question