EPFL > VPSI > IT > EXAPP - Site d'information: WinAD (Windows Active Directory)
 

  Affiche tous les articles

 Mode d'emploi du moteur de recherche  Rechercher : 
Moteur de recherche
Home page
Accréditation
Activation MS
AD c'est quoi ?
AD PowerShell
Authentifications
Autorisations DHCP
bugs
Conseils AD
DCs Sécurité
Délégations OUs
Domaine SC
Gaspar
GPO
Grp-Staff
KMS
Migrations
Outils
Procès verbaux
Profiles Itinérants
PWAD
Règles de nommage
Restaurations DC Fac
ServerAD2003
· Updates Support Tools Windows Server 2003 Service Pack 2
· Planning des Mises à jours AD Windows2003-SP2 R2 "fac".Intranet.epfl.ch
· Windows Server 2003 Service Pack 2
· Intégration GPOs Vista
· DFS Windows Server 2003 R2
· Planning des Mises à jours AD2003 R2 "fac".Intranet.epfl.ch
· Windows Server 2003 R2
· Le service de temps Windows peut générer l'événement ID 7023 après la mise à niveau vers Windows Server 2003 Service Pack 1
· Windows Server 2003 Service Pack 1 application compatibility
· Problème mise à jour MS05-019
· Windows Server 2003 Service Pack 1 list of updates
· Windows Server 2003 Service Pack 1 Support Tools
· Nouvelles fonctionnalités Active Directory Win2003
· Windows Server 2003 en matière de développement
· Déploiement et administration de Windows Server 2003
· Active Directory avec Windows Server 2003
· Mise à jour éditeur GPO
· Planning des Mises à jours AD2000 à AD2003 "fac".Intranet.epfl.ch
· Configuration de Windows Server 2003
· Interopérabilité Server AD 2000/2003 Administration Tools
ServerAD2008
Seven
Students
synchro
toto1
Trucs et Astuces
Win 8.1
WinAD
Windows 10
Windows 8
Windows Server
Wins
Work Shop
  Afficher une version imprimable de ce document dans une nouvelle fenêtre
 
Le service de temps Windows peut générer l'événement ID 7023 après la mise à niveau vers Windows Server 2003 Service Pack 1
 

SYMPTOMS

After you upgrade a Microsoft Windows Server 2003-based domain controller to Windows Server 2003 Service Pack 1 (SP1), the Windows Time service may not start. In this scenario, the following events may be logged in the Windows System log:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Windows Time service terminated with the following error:
Not all privileges referenced are assigned to the caller.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 46
Description:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.

 

CAUSE

This issue may occur if the Local Service account has not been granted "Change the system time" permissions. Windows Server 2003 SP1 changes the startup configuration of the Windows Time service from LocalSystem to LocalService. Therefore, the startup account that the Windows Time service uses must have "Change the system time" permissions.

By default, the LocalService account is not a member of the Administrators group and does not have "Change the system time" permissions. Therefore, the Windows Time service does not start, and event 7023 is logged in the System log.
 

RESOLUTION

To resolve this issue, use one of the following methods:
Grant "Change the system time" permissions to the LocalService account.
Change the Windows Time service to use an account that has "Change the system time" permissions.
 

Method 1: Grant "Change the system time" permissions to the LocalService account

To grant "Change the system time" permissions to the LocalService account, follow these steps on the domain controller that is experiencing this issue:
1. Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
2. Double-click Local Policies, and then click User Rights Assignment.
3. In the results pane, double-click Change the system time.
4. Click Add User or Group, type Service, and then click OK.
5. Click Start, point to Administrative Tools, and then click Services.
6. Right-click Windows Time, and then click Start.
 

Method 2: Change the logon account of the Windows Time service

To change the logon account of the Windows Time service, follow these steps:
1. Click Start, point to Administrative Tools, and then click Services.
2. Right-click Windows Time, and then click Properties.
3. On the Log On tab, click This account.
4. Type the name of a user account that has "Change the system time" permissions, or click Browse to select an account.
5. Type the password of the new account in the Password and Confirm password boxes, and then click OK.
6. Right-click Windows Time, and then click Start.
If these methods do not resolve the issue, incorrect permissions that are applied to the Net Logon service or the Windows Time service from Group Policy may cause the issue. You can use the Resultant Set of Policy tool to verify the permissions, as follows:
1. Click Start, click Run, type rsop.msc in the Open box, and then click OK.
2. Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
3. In the Service Name list, double-click Net Logon.
4. If the policy setting is defined in the template, the Edit Security button is available. Click Edit Security.

View the list of accounts to make sure that the list is correct. Make sure that the Local Service account has Full Control permissions.
5. Repeat step 3 and step 4 for the Windows Time service.
 

STATUS

This behavior is by design.
 

APPLIES TO
Microsoft Windows Server 2003 Service Pack 1, when used with:
    Microsoft Windows Server 2003, Standard Edition
    Microsoft Windows Server 2003, Enterprise Edition
    Microsoft Windows Server 2003, Web Edition

Article N° 104, du 09.08.2005, par Alain Gremaud
URL de cet article : http://winad.epfl.ch/?article=104

© 2017 VPSI - EXAPP - TC