The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1 (892501)


The information in this article applies to:

  • Microsoft Windows Server 2003 SP1, when used with:
    • Microsoft Windows Server 2003, Standard Edition
    • Microsoft Windows Server 2003, Enterprise Edition
    • Microsoft Windows Server 2003, Web Edition
Important This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

SYMPTOMS

After you upgrade a Microsoft Windows Server 2003-based domain controller to Windows Server 2003 Service Pack 1 (SP1), the Windows Time service may not start. In this scenario, the following events may be logged in the Windows System log.

Message 1

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Windows Time service terminated with the following error:
Not all privileges referenced are assigned to the caller.

For more information, see Help and Support Center at http://support.microsoft.com.

Message 2

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 46
Description:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.

CAUSE

This issue may occur if the Local Service account has not been granted "Change the system time" permissions. Windows Server 2003 SP1 changes the startup configuration of the Windows Time service from LocalSystem to LocalService. Therefore, the startup account that the Windows Time service uses must have "Change the system time" permissions.

By default, the LocalService account is not a member of the Administrators group and does not have "Change the system time" permissions. Therefore, the Windows Time service does not start, and event 7023 is logged in the System log.

RESOLUTION

To resolve this issue, use one of the following methods:
  • Grant "Change the system time" permissions to the LocalService account.
  • Change the Windows Time service to use an account that has "Change the system time" permissions.

Method 1: Grant "Change the system time" permissions to the LocalService account

To grant "Change the system time" permissions to the LocalService account, follow these steps on the domain controller that is experiencing this issue:
  1. Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
  2. Double-click Local Policies, and then click User Rights Assignment.
  3. In the results pane, double-click Change the system time.
  4. Click Add User or Group, type LocalService, and then click OK.
  5. Restart the server. The Service account and the affected Svchost process are currently being used and will not see the new user until you restart the server.
  6. Log on to the server.
  7. Click Start, point to Administrative Tools, and then click Services. Check to see whether the Windows Time service is started.

Method 2: Change the logon account of the Windows Time service

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall your operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.To change the logon account of the Windows Time service, you must modify the registry to separate the Windows Time service from the main Svchost process. To do this, follow these steps:
  1. Search and locate the Svchost.exe file.
  2. Make a copy of the Svchost.exe file and call it "Svchost_w32time.exe".
  3. Click Start, click Run, type regedit, and then click OK to start Registry Editor.
  4. Locate and then right-click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

  5. Modify the ImageName key so that the value is %systemroot%\System32\svchost_w32time.exe -k LocalService. (The default value is %SystemRoot%\System32\svchost.exe -k netsvcs.)
  6. Exit Registry Editor.
  7. Click Start, point to Administrative Tools, and then click Services.
  8. Right-click Windows Time, and then click Properties.
  9. On the Log On tab, click This account.
  10. Type the name of a user account that has "Change the system time" permissions, or click Browse to select an account.
  11. Type the password of the new account in the Password and Confirm password boxes, and then click OK.
  12. Right-click Windows Time, and then click Start.
If these methods do not resolve the issue, incorrect permissions that are applied to the Net Logon service or the Windows Time service from Group Policy may cause the issue. You can use the Resultant Set of Policy tool to verify the permissions, as follows:
  1. Click Start, click Run, type Rsop.msc in the Open box, and then click OK.
  2. Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
  3. In the right pane, in the Source GPO column, locate the Group Policy that is applied to the Net Logon service.
  4. Use the Active Directory Users and Computers MMC snap-in or the Group Policy MMC snap-in to edit the Group Policy that you noted in step 3.
  5. Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
  6. In the Service Name list, locate and double-click Net Logon.
  7. If the policy setting is defined in the template, the Edit Security button is available. Click Edit Security.

    View the list of accounts to make sure that the list is correct. Make sure that the LocalService account is added to the list of accounts and has Full Control permission.
  8. Repeat step 3 through 7 for the Windows Time service.

STATUS

This behavior is by design.
Modification Type:MajorLast Reviewed:9/20/2006
Keywords:kbtshoot kbService kbServer kberrmsg kbpolicy kbEvent kbUpgrade kbSysSettings kbSysAdmin kbPerformance kbSecurity KB892501 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.