Windows 2008, "Error adjusting system time: A required privilege is not held by the client"

Posted on 2011-09-27
Last Modified: 2012-05-12
We use an application to synchronise the clocks between the servers in our data centre.

As a result of a recent security review we have set "Deny this user permission to logon to Terminal Server" on the domain administrator account and now only use it for installations and running services. Also we have created a 2nd domain administrator account for day to day operation via RDP and we routinely change it's password.

This new arrangement using the 2nd domain admin account works fine on our Windows 2003 servers but we cannot update the system clock on a  Windows 2008 SP2 64bit terminal server as follows:
- clock application GUI error message: "Error adjusting system time: A required privilege is not held by the client"
- TIME command line error message: "A required privilege is not held by the client"

The Windows 2008 server is setup as follows:
- "Domain Admins" were already in the local Administrator group
- "Domain Admins" was added to the following without improvement:
   Local Security Poilicy/ Local Policies/ User Rights Assignment/ Change the system time

The AD is Windows 2008 not R2.
Question by:Edge IT Systems
  • 2
  • 2

Author Comment

by:Edge IT Systems
ID: 36708602
I have also noticed that even with "Deny this user permission to logon to Terminal Server" set for the original domain administrator account we can still use that account to RDP onto the Windows 2008 server but not onto the Windows 2003 servers.

This might be connected ?
LVL 42

Accepted Solution

kevinhsieh earned 250 total points
ID: 36710695
Why do you have an application running instead of the native windows time service?

You are possibly being blocked by UAC. What happens if you run the application elevated?

Author Comment

by:Edge IT Systems
ID: 36711121
For historical reasons we use 1st Atomic Clock.

Thank you, UAC was the answer, plus the following to disable the prompts:

- Start/ Run/ secpol.smc
- Local Policies/ Security Options/
  User Access Control: Run all administrators in Admin Approval Mode = disabled
- Local Policies/ Security Options/
  User Access Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
LVL 42

Expert Comment

ID: 36711841
FWIW, disabling UAC reduces your security posture, and I would flag that as an auditor.

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
A procedure for exporting installed hotfix details of remote computers using powershell
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

932 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now