diff --git a/configuration/upstart.nix b/configuration/upstart.nix index 46e6ea3aa6ab..e3e2dabadcc9 100644 --- a/configuration/upstart.nix +++ b/configuration/upstart.nix @@ -84,7 +84,7 @@ import ../upstart-jobs/gather.nix { # NTP daemon. ++ optional ["services" "ntp" "enable"] (import ../upstart-jobs/ntpd.nix { - inherit (pkgs) ntp glibc pwdutils writeText; + inherit (pkgs) ntp kernel module_init_tools glibc pwdutils writeText; servers = config.get ["services" "ntp" "servers"]; }) diff --git a/upstart-jobs/ntpd.nix b/upstart-jobs/ntpd.nix index 3f1d12b3c044..2f66ac4e8a1a 100644 --- a/upstart-jobs/ntpd.nix +++ b/upstart-jobs/ntpd.nix @@ -1,4 +1,4 @@ -{ntp, glibc, pwdutils, writeText, servers}: +{ntp, kernel, module_init_tools, glibc, pwdutils, writeText, servers}: let @@ -12,6 +12,8 @@ let ${toString (map (server: "server " + server + "\n") servers)} "; + ntpFlags = "-c ${config} -u ${ntpUser}:nogroup"; + in { @@ -34,13 +36,15 @@ start script mkdir -m 0755 -p ${stateDir} chown ${ntpUser} ${stateDir} - date - ${ntp}/bin/ntpd -c ${config} -q -g - date + # Needed to run ntpd as an unprivileged user. + export MODULE_DIR=${kernel}/lib/modules/ + ${module_init_tools}/sbin/modprobe capability + + ${ntp}/bin/ntpd -q -g ${ntpFlags} end script -respawn ${ntp}/bin/ntpd -n -c ${config} +respawn ${ntp}/bin/ntpd -n ${ntpFlags} "; }
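Review bot: In the `ntpFlags` definition added to upstart-jobs/ntpd.nix, `-u ${ntpUser}:nogroup` drops ntpd into the shared `nogroup` group, so after giving up root it still shares a group identity with every other daemon that runs as `nogroup`. A dedicated group would keep the isolation this change is after, for example `ntpFlags = "-c ${config} -u ${ntpUser}:${ntpGroup}";` with `ntpGroup` defined next to `ntpUser`. The `let` block begins outside the hunk, so how the account is created is not visible here; the group would need to be created in the same place.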
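Review bot: The `modprobe capability` line added to the start script has no failure handling, and the comment above it does not say what should happen when the module cannot be loaded. That could occur if capabilities are built into the kernel, or if `${kernel}/lib/modules/` does not match the running kernel. Depending on whether the script runs with `-e`, the job then either aborts or carries on to `ntpd -u`. I would state the intent on the line itself, e.g. `${module_init_tools}/sbin/modprobe capability || true # may be built in; ntpd -u must fail rather than stay root`. It is also worth confirming that ntpd exits rather than continuing as root when the privilege drop fails, because `respawn` would otherwise keep a root daemon running. The script stanza starts outside the hunk.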