Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1

The Windows Time service may generate event ID 7023 after you upgrade to Windows Server 2003 Service Pack 1

Symptoms

After you upgrade a Microsoft Windows Server 2003-based domain controller to Windows Server 2003 Service Pack 1 (SP1), the Windows Time service may not start. In this scenario, the following events may be logged in the Windows System log.

Message 1

Message 2

Additionally, when you try to start the Windows Time service manually, you may receive one of the following error messages:
Error 1083: The executable program that this service is configured to run in does not implement the service.
Error 1079: The account specified for this service is different from the account specified for other services running in the same process.

↑ Back to the top

Cause

This issue may occur if the Local Service account has not been granted "Change the system time" permissions. Windows Server 2003 SP1 changes the startup configuration of the Windows Time service from Network Service account to Local Service account. Therefore, the startup account that the Windows Time service uses must have "Change the system time" permissions.

By default, the Local Service account is not a member of the Administrators group and does not have "Change the system time" permissions. Therefore, the Windows Time service does not start, and event 7023 is logged in the System log.

↑ Back to the top

Resolution

To resolve the issue, use one or more of the following methods:

Method 1: Grant "Change the system time" permissions to the LocalService account

To grant "Change the system time" permissions to the LocalService account, follow these steps on the domain controller that is experiencing this issue:
  1. Click Start, point to Administrative Tools, and then click Domain Controller Security Policy.
  2. Double-click Local Policies, and then click User Rights Assignment.
  3. In the details pane, double-click Change the system time.
  4. Click Add User or Group, type LocalService, and then click OK.
  5. Restart the server. The Service account and the affected Svchost process are currently being used and will not see the new user until you restart the server.
  6. Log on to the server.
  7. Click Start, point to Administrative Tools, and then click Services. Check whether the Windows Time service is started.

Method 2: Change the logon account of the Windows Time service

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To change the logon account of the Windows Time service, you must modify the registry to separate the Windows Time service from the main Svchost process. To do this, follow these steps:
  1. Search and locate the Svchost.exe file.
  2. Make a copy of the Svchost.exe file and call it “Svchost_w32time.exe”.
  3. Click Start, click Run, type regedit, and then click OK to start Registry Editor.
  4. Locate and then right-click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time
  5. Modify the ImageName key so that the value is %systemroot%\System32\svchost_w32time.exe -k LocalService. (The default value is %SystemRoot%\System32\svchost.exe -k netsvcs.)
  6. Exit Registry Editor.
  7. Click Start, point to Administrative Tools, and then click Services.
  8. Right-click Windows Time, and then click Properties.
  9. On the Log On tab, click This account.
  10. Type the name of a user account that has "Change the system time" permissions, or click Browse to select an account.
  11. Type the password of the new account in the Password and Confirm password boxes, and then click OK.
  12. Right-click Windows Time, and then click Start.
If these methods do not resolve the issue, incorrect permissions that are applied to the Net Logon service or the Windows Time service from Group Policy may cause the issue. You can use the Resultant Set of Policy tool to verify the permissions, as follows:
  1. Click Start, click Run, type Rsop.msc in the Open box, and then click OK.
  2. Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
  3. In the details pane, in the Source GPO column, locate the Group Policy that is applied to the Net Logon service.
  4. Use the Active Directory Users and Computers MMC snap-in or the Group Policy MMC snap-in to edit the Group Policy that you noted in step 3.
  5. Expand the Computer Configuration\Windows Settings\Security Settings\System Services folder.
  6. In the Service Name list, locate and double-click Net Logon.
  7. If the policy setting is defined in the template, the Edit Security button is available. Click Edit Security.

    View the list of accounts to make sure that the list is correct. Make sure that the LocalService account is added to the list of accounts and has Full Control permission.
  8. Repeat step 3 through 7 for the Windows Time service.

↑ Back to the top

Keywords: kbtshoot, kbservice, kbserver, kberrmsg, kbpolicy, kbevent, kbsyssettings, kbsysadmin, kbperformance, kbsecurity, kbentirenet, kb, kbupgrade

↑ Back to the top

Article Info
Article ID : 892501
Revision : 6
Created on : 8/20/2020
Published on : 8/20/2020
Exists online : False
Views : 117