The Windows Time Service terminated with the following error - Event ID 7023 & 46

After you upgrade a Microsoft Windows Server 2003-based domain controller to Windows Server 2003 Service Pack 1 (SP1), the Windows Time service may not start. In this scenario, the following events may be logged in the Windows System log.

Message 1
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023

Description:
The Windows Time service terminated with the following error:

Not all privileges referenced are assigned to the caller.

For more information, see Help and Support Center at http://support.microsoft.com.

Message 2
Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 46
Description: The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.

Additionally, when you try to start the Windows Time service manually, you may receive one of the following error messages:

Error 1083: The executable program that this service is configured to run in does not implement the service.

Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

Cause:
This issue may occur if the Local Service account has not been granted "Change the system time" permissions. Windows Server 2003 SP1 changes the startup configuration of the Windows Time service from Network Service account to Local Service account. Therefore, the startup account that the Windows Time service uses must have "Change the system time" permissions.

By default, the Local Service account is not a member of the Administrators group and does not have "Change the system time" permissions. Therefore, the Windows Time service does not start, and event 7023 is logged in the System log.

Resolution:

Method 1: Grant "Change the system time" permissions to the LocalService account

To grant "Change the system time" permissions to the LocalService account, follow these steps on the domain controller that is experiencing this issue:

1. Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
2. Double-click Local Policies, and then click User Rights Assignment.
3. In the details pane, double-click Change the system time.
4. Click Add User or Group, type LocalService, and then click OK.
5. Restart the server. The Service account and the affected Svchost process are currently being used and will not see the new user until you restart the server.
6. Log on to the server.
7. Click Start, point to Administrative Tools, and then click Services. Check whether the Windows Time service is started.
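
To confirm the result of Method 1 from the command line, the following added example (not part of the original article) exports the effective user rights with secedit and checks whether Local Service holds the right, then reports the Windows Time logon account and recent matching errors. It assumes PowerShell 2.0 or later is installed on the server; the function names and the temporary file name are hypothetical.

```powershell
# Added example. SeSystemtimePrivilege is the constant behind
# "Change the system time"; S-1-5-19 is the well-known Local Service SID.
function Get-SystemTimeRightHolders {
    param([string[]]$InfLines)
    # secedit exports one line per right: Name = *SID,*SID,AccountName
    foreach ($line in $InfLines) {
        if ($line -match '^\s*SeSystemtimePrivilege\s*=\s*(.*)$') {
            return @($Matches[1].Split(',') |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()
}
function Test-LocalServiceCanSetTime {
    param([string[]]$InfLines)
    $holders = Get-SystemTimeRightHolders -InfLines $InfLines
    # An account is exported as a SID, or as a name if it was stored unresolved.
    $hit = $holders | Where-Object {
        $_ -eq 'S-1-5-19' -or $_ -match '^(NT AUTHORITY\\)?Local ?Service$'
    }
    return [bool]$hit
}
function Get-W32TimeStartupReport {
    # Live check: run elevated on the affected domain controller.
    $inf = Join-Path $env:TEMP 'w32time_user_rights.inf'   # hypothetical file name
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $granted = Test-LocalServiceCanSetTime -InfLines (Get-Content $inf)
    Remove-Item $inf
    $svc = Get-WmiObject Win32_Service -Filter "Name='W32Time'"
    # Event 7023 is generic, so match it on the service name in the message.
    $errors = @(Get-EventLog -LogName System -EntryType Error -Newest 500 |
        Where-Object {
            ($_.EventID -eq 7023 -and $_.Message -match 'Windows Time') -or
            ($_.EventID -eq 46 -and $_.Source -eq 'W32Time') })
    New-Object PSObject -Property @{
        LocalServiceHasRight = $granted
        ServiceLogonAccount  = $svc.StartName
        ServiceState         = $svc.State
        RecentErrorEvents    = $errors.Count
    }
}

# Constructed sample of an exported [Privilege Rights] section, without the grant.
$sample = @(
    '[Privilege Rights]',
    'SeSystemtimePrivilege = *S-1-5-32-544,*S-1-5-32-549',
    'SeShutdownPrivilege = *S-1-5-32-544'
)
Test-LocalServiceCanSetTime -InfLines $sample
```

Run Get-W32TimeStartupReport before and after the restart in step 5 to compare the reported right and service state.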




Method 2: Change the logon account of the Windows Time service

Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows

To change the logon account of the Windows Time service, you must modify the registry to separate the Windows Time service from the main Svchost process. To do this, follow these steps:

1. Search for and locate the Svchost.exe file.
2. Make a copy of the Svchost.exe file and call it “Svchost_w32time.exe”.
3. Click Start, click Run, type regedit, and then click OK to start Registry Editor.
4. Locate and then right-click the following registry subkey:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time

5. Modify the ImageName key so that the value is %systemroot%\System32\svchost_w32time.exe -k LocalService. (The default value is %SystemRoot%\System32\svchost.exe -k netsvcs.)
6. Exit Registry Editor.
7. Click Start, point to Administrative Tools, and then click Services.
8. Right-click Windows Time, and then click Properties.
9. On the Log On tab, click This account.
10. Type the name of a user account that has "Change the system time" permissions, or click Browse to select an account.
11. Type the password of the new account in the Password and Confirm password boxes, and then click OK.
12. Right-click Windows Time, and then click Start.

If these methods do not resolve the issue, incorrect permissions that are applied to the Net Logon service or the Windows Time service from Group Policy may cause the issue. You can use the Resultant Set of Policy tool to verify the permissions, as follows:

1. Click Start, click Run, type Rsop.msc in the Open box, and then click OK.
2. Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
3. In the details pane, in the Source GPO column, locate the Group Policy that is applied to the Net Logon service.
4. Use the Active Directory Users and Computers MMC snap-in or the Group Policy MMC snap-in to edit the Group Policy that you noted in step 3.
5. Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
6. In the Service Name list, locate and double-click Net Logon.
7. If the policy setting is defined in the template, the Edit Security button is available. Click Edit Security.
8. View the list of accounts to make sure that the list is correct. Make sure that the LocalService account is added to the list of accounts and has Full Control permission.
9. Repeat steps 3 through 7 for the Windows Time service.
