Windows 2008, "Error adjusting system time: A required privilege is not held by the client"

We use an application to synchronise the clocks between the servers in our data centre.

As a result of a recent security review we have set "Deny this user permission to logon to Terminal Server" on the domain administrator account and now only use it for installations and running services. Also we have created a 2nd domain administrator account for day-to-day operation via RDP and we routinely change its password.

This new arrangement using the 2nd domain admin account works fine on our Windows 2003 servers but we cannot update the system clock on a Windows 2008 SP2 64-bit terminal server as follows:
- clock application GUI error message: "Error adjusting system time: A required privilege is not held by the client"
- TIME command line error message: "A required privilege is not held by the client"

The Windows 2008 server is set up as follows:
- "Domain Admins" were already in the local Administrator group
- "Domain Admins" was added to the following without improvement:
   Local Security Policy/ Local Policies/ User Rights Assignment/ Change the system time

The AD is Windows 2008 not R2.
Edge IT Systems Asked:

Edge IT Systems (Author) Commented:
I have also noticed that even with "Deny this user permission to logon to Terminal Server" set for the original domain administrator account we can still use that account to RDP onto the Windows 2008 server but not onto the Windows 2003 servers.

This might be connected?
0
kevinhsieh Commented:
Why do you have an application running instead of the native Windows time service?

You are possibly being blocked by UAC. What happens if you run the application elevated?
0
Edge IT Systems (Author) Commented:
For historical reasons we use 1st Atomic Clock.

Thank you, UAC was the answer, plus the following to disable the prompts:

- Start/ Run/ secpol.msc
- Local Policies/ Security Options/
  User Access Control: Run all administrators in Admin Approval Mode = disabled
- Local Policies/ Security Options/
  User Access Control: Behaviour of the elevation prompt for administrators in Admin Approval Mode = Elevate without prompting
0
kevinhsieh Commented:
FWIW, disabling UAC reduces your security posture, and I would flag that as an auditor.
0
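
An added example, not written by any poster in this thread: a PowerShell check a reviewer could run on the server to see the state discussed above. It reports whether the current token is elevated and holds SeSystemtimePrivilege, and whether the two UAC policies changed in the accepted fix are weakened. The registry value names (EnableLUA, ConsentPromptBehaviorAdmin) come from general Windows knowledge, not from the thread, and the function name is hypothetical.

```powershell
# Added example: audit the token state and UAC settings discussed in this thread.

function Get-UacFindings {
    # Maps the two policy-backed registry values to audit findings.
    param($EnableLUA, $ConsentPromptBehaviorAdmin)
    $findings = @()
    if ($EnableLUA -eq 0) {
        $findings += 'Admin Approval Mode is disabled (EnableLUA = 0): administrators always run with a full token.'
    }
    if ($ConsentPromptBehaviorAdmin -eq 0) {
        $findings += 'Elevation prompt for administrators is "Elevate without prompting" (ConsentPromptBehaviorAdmin = 0).'
    }
    return $findings
}

# 1. Is this process elevated? IsInRole() is false for an administrator
#    running with the UAC-filtered token.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
"User: {0}   Elevated: {1}" -f $identity.Name, $elevated

# 2. Does the current token carry the privilege needed to set the clock?
#    /nh plus explicit headers keeps the column names locale-independent.
$privs = whoami /priv /fo csv /nh | ConvertFrom-Csv -Header Name, Description, State
$timePriv = $privs | Where-Object { $_.Name -eq 'SeSystemtimePrivilege' }
if ($timePriv) {
    "SeSystemtimePrivilege is in the token (state: {0})" -f $timePriv.State
} else {
    'SeSystemtimePrivilege is NOT in the token: setting the time fails with "A required privilege is not held by the client".'
}

# 3. Have the UAC policies been weakened as in the accepted fix?
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $key
$findings = @(Get-UacFindings $uac.EnableLUA $uac.ConsentPromptBehaviorAdmin)
if ($findings.Count -eq 0) {
    'UAC policy: no weakened settings found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Running it once from a normal prompt and once from an elevated prompt shows the difference between the two tokens for the same account.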
Question has a verified solution.