We use an application to synchronise the clocks between the servers in our data centre.
As a result of a recent security review we have set "Deny this user permission to logon to Terminal Server" on the domain administrator account and now only use it for installations and running services. Also we have created a 2nd domain administrator account for day to day operation via RDP and we routinely change it's password.
This new arrangement using the 2nd domain admin account works fine on our Windows 2003 servers but we cannot update the system clock on a Windows 2008 SP2 64bit terminal server as follows:
- clock application GUI error message: "Error adjusting system time: A required privilege is not held by the client"
- TIME command line error message: "A required privilege is not held by the client"
The Windows 2008 server is setup as follows:
- "Domain Admins" were already in the local Administrator group
- "Domain Admins" was added to the following without improvement:
Local Security Poilicy/ Local Policies/ User Rights Assignment/ Change the system time
The AD is Windows 2008 not R2.