Sunday, September 04, 2005

Problems with Windows Time service after upgrading to W2K3 SP1

As many people who have applied Windows 2003 SP1 have found, a number of different things were done to "harden" the operating system. These include changing some of the rights that the built-in service accounts (i.e. SERVICE, Local Service, Network Service) hold.

Well, in some cases this has broken things. Most of the work I do is in much more security-conscious environments than the average corporate environment. Generally, when we build servers, we secure the server "out of the box" with some type of improved security template. The most notorious of these (and a template to be avoided unless you are ready to do some troubleshooting) is the NSA Windows security template set. After working with a number of different template configurations, I recommend just sticking with the built-in Windows security templates such as hisecdc.inf or securews.inf.

At any rate, Windows 2003 SP1 "broke" the Windows Time service on our domain controllers. This is because the Network Service account no longer had permissions to change the time on a domain controller. (This can happen on member servers and workstations, too.) Some of the errors we saw in the event log included:

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7023
Description:
The Windows Time service terminated with the following error:
Not all privileges referenced are assigned to the caller.


and

Event Type: Error
Event Source: W32Time
Event Category: None
Event ID: 46
Description:
The time service encountered an error and was forced to shut down. The error was: 0x80070700: An attempt was made to logon, but the network logon service was not started.


Microsoft has a couple of fixes for this, as documented in KB 892501. The approach I have taken is to add a new user right assignment to the GPO that affects the domain controllers. In whichever GPO applies to the machines on which you are having problems, grant the SERVICE account (this is the Local Service) the right to "Change The System Time". Then give the GPO time to replicate and be applied to your machines.
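To confirm that the user right actually landed after the GPO applied, and to spot the two event log errors quoted above on other machines, here is an added PowerShell check (my own script, not from the post or from KB 892501). It assumes an elevated PowerShell on the affected server, uses a temp file path of my choosing for the `secedit` export, and the function names are mine. It relies on `Get-EventLog` rather than `Get-WinEvent` so it also works against the classic System log on Windows 2003.

```powershell
# Added example (not from the original post): report which accounts hold the
# "Change the system time" right (SeSystemtimePrivilege) on this machine and
# check whether LOCAL SERVICE is among them, then list the W32Time / SCM errors
# described in the post. Run in an elevated PowerShell on the affected server.

function Get-ChangeSystemTimeHolders {
    # secedit exports the effective local policy as an .inf file; user rights
    # appear under [Privilege Rights] as lines such as (constructed sample):
    #   SeSystemtimePrivilege = *S-1-5-19,*S-1-5-32-544
    # Accounts are written as *SID. S-1-5-19 is NT AUTHORITY\LOCAL SERVICE and
    # S-1-5-32-544 is BUILTIN\Administrators.
    $cfg = Join-Path $env:TEMP 'user_rights_export.inf'   # assumed temp path
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet | Out-Null
    if (-not (Test-Path $cfg)) { throw "secedit export failed; run from an elevated prompt" }

    $line = Get-Content $cfg |
        Where-Object { $_ -match '^\s*SeSystemtimePrivilege\s*=' } |
        Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # right is not assigned to anyone at all

    # Split the right-hand side into individual *SID entries and resolve each to a name
    $sids = ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            $name = $sid   # unresolvable SID (e.g. deleted account); keep the raw value
        }
        New-Object PSObject -Property @{ Sid = $sid; Account = $name }
    }
}

function Test-LocalServiceCanChangeTime {
    # S-1-5-19 is the well-known SID for LOCAL SERVICE, the account the post says must be granted the right
    $holders = @(Get-ChangeSystemTimeHolders)
    return [bool]($holders | Where-Object { $_.Sid -eq 'S-1-5-19' })
}

function Get-W32TimeFailureEvents {
    # The two errors quoted in the post: Service Control Manager 7023 (service
    # terminated because a referenced privilege is not assigned) and W32Time 46
    # (time service forced to shut down).
    Get-EventLog -LogName System -Source 'Service Control Manager', 'W32Time' -EntryType Error -Newest 200 |
        Where-Object { $_.EventID -eq 7023 -or $_.EventID -eq 46 } |
        Select-Object TimeGenerated, Source, EventID, Message
}

# Usage: print the current holders, the verdict for LOCAL SERVICE, and any matching errors
"Accounts holding SeSystemtimePrivilege:"
Get-ChangeSystemTimeHolders | Format-Table Sid, Account -AutoSize
if (Test-LocalServiceCanChangeTime) {
    "LOCAL SERVICE can change the system time; the KB 892501 user right is in place."
} else {
    "LOCAL SERVICE lacks SeSystemtimePrivilege; W32Time will keep failing until the GPO grants it."
}
"Recent W32Time / SCM errors:"
Get-W32TimeFailureEvents | Format-Table -AutoSize
```

If the verdict is still negative after you have waited for replication, run `gpupdate /force` on the machine and re-run the check; if the right shows up but W32Time still logs event 46, the problem is somewhere other than the user right and the rest of KB 892501 is the next place to look.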

There is some good information at the bottom of KB 892501 on checking and doing this for other services.

If you are messing with custom security templates in your environment, I recommend reading: Security Configuration Guidance Support.
