Microsoft KB Archive/892501

= The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1 =

Article ID: 892501

Article Last Modified on 3/23/2007

-

APPLIES TO

 Microsoft Windows Server 2003 Service Pack 1, when used with:  Microsoft Windows Server 2003, Standard Edition (32-bit x86)

 Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)

 Microsoft Windows Server 2003, Web Edition 

-

<div class="notice_section">

Important This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it. Make sure that you know how to restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows registry

<div class="symptoms_section">

SYMPTOMS
After you upgrade a Microsoft Windows Server 2003-based domain controller to Windows Server 2003 Service Pack 1 (SP1), the Windows Time service may not start. In this scenario, the following events may be logged in the Windows System log.

Message 1
Event Type: Error

Event Source: Service Control Manager

Event Category: None

Event ID: 7023

Description:

The Windows Time service terminated with the following error:

Not all privileges referenced are assigned to the caller.

For more information, see Help and Support Center at http://support.microsoft.com.

Message 2
Event Type: Error

Event Source: W32Time

Event Category: None

Event ID: 46

Description:

The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.

Additionally, when you try to start the Windows Time service manually, you may receive one of the following error messages:

Error 1083: The executable program that this service is configured to run in does not implement the service.

Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

<div class="cause_section">

CAUSE
This issue may occur if the Local Service account has not been granted &quot;Change the system time&quot; permissions. Windows Server 2003 SP1 changes the startup configuration of the Windows Time service from Network Service account to Local Service account. Therefore, the startup account that the Windows Time service uses must have &quot;Change the system time&quot; permissions.

By default, the Local Service account is not a member of the Administrators group and does not have &quot;Change the system time&quot; permissions. Therefore, the Windows Time service does not start, and event 7023 is logged in the System log.

<div class="resolution_section">

RESOLUTION
To resolve the issue, use one or more of the following methods:

Method 1: Grant &quot;Change the system time&quot; permissions to the LocalService account
To grant &quot;Change the system time&quot; permissions to the LocalService account, follow these steps on the domain controller that is experiencing this issue:
 * 1) Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
 * 2) Double-click Local Policies, and then click User Rights Assignment.
 * 3) In the details pane, double-click Change the system time.
 * 4) Click Add User or Group, type LocalService, and then click OK.
 * 5) Restart the server. The Service account and the affected Svchost process are currently being used and will not see the new user until you restart the server.
 * 6) Log on to the server.
 * 7) Click Start, point to Administrative Tools, and then click Services. Check whether the Windows Time service is started.

Method 2: Change the logon account of the Windows Time service
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.To change the logon account of the Windows Time service, you must modify the registry to separate the Windows Time service from the main Svchost process. To do this, follow these steps: <ol> Search and locate the Svchost.exe file.</li> Make a copy of the Svchost.exe file and call it “Svchost_w32time.exe”.</li> Click Start, click Run, type regedit, and then click OK to start Registry Editor.</li> Locate and then right-click the following registry subkey:

 

</li> Modify the ImageName key so that the value is %systemroot%\System32\svchost_w32time.exe -k LocalService. (The default value is %SystemRoot%\System32\svchost.exe -k netsvcs.)</li> Exit Registry Editor.</li> Click Start, point to Administrative Tools, and then click Services.</li> Right-click Windows Time, and then click Properties.</li> On the Log On tab, click This account.</li> Type the name of a user account that has &quot;Change the system time&quot; permissions, or click Browse to select an account.</li> Type the password of the new account in the Password and Confirm password boxes, and then click OK.</li> Right-click Windows Time, and then click Start.</li></ol>

If these methods do not resolve the issue, incorrect permissions that are applied to the Net Logon service or the Windows Time service from Group Policy may cause the issue. You can use the Resultant Set of Policy tool to verify the permissions, as follows:
 * 1) Click Start, click Run, type Rsop.msc in the Open box, and then click OK.
 * 2) Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
 * 3) In the details pane, in the Source GPO column, locate the Group Policy that is applied to the Net Logon service.
 * 4) Use the Active Directory Users and Computers MMC snap-in or the Group Policy MMC snap-in to edit the Group Policy that you noted in step 3.
 * 5) Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
 * 6) In the Service Name list, locate and double-click Net Logon.
 * 7) If the policy setting is defined in the template, the Edit Security button is available. Click Edit Security.

View the list of accounts to make sure that the list is correct. Make sure that the LocalService account is added to the list of accounts and has Full Control permission.
 * 1) Repeat step 3 through 7 for the Windows Time service.

Keywords: kbtshoot kbservice kbserver kberrmsg kbpolicy kbevent kbupgrade kbsyssettings kbsysadmin kbperformance kbsecurity KB892501

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.