[ntp:questions] Windows ntpd highest priority doesn't require admin access

Danny Mayer mayer at ntp.org
Tue Mar 10 02:39:42 UTC 2009


Dave Hart wrote:
> ntpd on Windows attempts to raise itself to the realtime priority
> class, but on many installations, it will silently fail and run in the
> high priority class instead.  This is because Windows requires a
> special privilege to raise priority to realtime, as a runaway realtime
> program can interfere with the operation of the system as a whole.  By
> default, the Administrators group has this privilege while normal
> users do not.  If you install ntp using the Meinberg installer (which
> I recommend) and follow the suggested practice of letting it create a
> restricted "ntp" user, unfortunately this user isn't granted the
> privilege needed for realtime.  I've mentioned previously you can work
> around this by adding the ntp user to the Administrators group, but
> that completely defeats the purpose of running ntpd.exe under a
> restricted user account.  Below I detail how to accomplish this until
> Meinberg's installer adds the needed privilege for us.  If you've
> previously added ntp to the administrators group, remove it:
> 
> C:\>net localgroup administrators ntp /de
> 

Why would the account even be in the adminstrators group? It shouldn't
even be in the users group since that also has too many privileges.
There are only two privileges that should be required: Logon as service
and Change system time. If you want to add Increase Scheduling priority
you can if you think it's necessary. It's not strictly necessary for ntp
from what I have seen.

Danny

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.




More information about the questions mailing list