Solved

Windows 2008, "Error adjusting system time: A required privilege is not held by the client"

Posted on 2011-09-27
4
1,672 Views
Last Modified: 2012-05-12
We use an application to synchronise the clocks between the servers in our data centre.

As a result of a recent security review we have set "Deny this user permission to logon to Terminal Server" on the domain administrator account and now only use it for installations and running services. Also we have created a 2nd domain administrator account for day to day operation via RDP and we routinely change it's password.

This new arrangement using the 2nd domain admin account works fine on our Windows 2003 servers but we cannot update the system clock on a  Windows 2008 SP2 64bit terminal server as follows:
- clock application GUI error message: "Error adjusting system time: A required privilege is not held by the client"
- TIME command line error message: "A required privilege is not held by the client"

The Windows 2008 server is setup as follows:
- "Domain Admins" were already in the local Administrator group
- "Domain Admins" was added to the following without improvement:
   Local Security Poilicy/ Local Policies/ User Rights Assignment/ Change the system time

The AD is Windows 2008 not R2.
0
Comment
Question by:Edge IT Systems
  • 2
  • 2
4 Comments
 

Author Comment

by:Edge IT Systems
ID: 36708602
I have also noticed that even with "Deny this user permission to logon to Terminal Server" set for the original domain administrator account we can still use that account to RDP onto the Windows 2008 server but not onto the Windows 2003 servers.

This might be connected ?
0
 
LVL 42

Accepted Solution

by:
kevinhsieh earned 250 total points
ID: 36710695
Why do you have an application running instead of the native windows time service?

You are possibly being blocked by UAC. What happens if you run the application elevated?
0
 

Author Comment

by:Edge IT Systems
ID: 36711121
For historical reasons we use 1st Atomic Clock.

Thank you, UAC was the answer, plus the following to disable the prompts:

- Start/ Run/ secpol.smc
- Local Policies/ Security Options/
  User Access Control: Run all administrators in Admin Approval Mode = disabled
- Local Policies/ Security Options/
  User Access Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
0
 
LVL 42

Expert Comment

by:kevinhsieh
ID: 36711841
FWIW, disabling UAC reduces your security posture, and I would flag that as an auditor.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now