SE_SYSTEMTIME_NAME privilege, admin under UAC
I have used SecPol.msc to give all users the right to change the system time. Indeed, an ordinary user can now change the system time (e.g., with CMD's TIME command) with no hassle. But an administrator running under UAC cannot. He sees: v:\> time The current time is: 22:12:20.90 Enter the new time: 22:12:21 A required privilege is not held by the client. In fact an administrator running under UAC cannot obtain the SE_SYSTEMTIME_NAME privilege (AdjustTokenPrivileges()) which ordinary users now have by default. How can I rectify this and allow an administrator running under UAC to change the system time without hassle? Thanks.
March 19th, 2012 10:15pm

Hi, Please right click Command Prompt, run it as administrator and see how it works. This is because that an administrator account performs as a standard user account if User Account Control is turned on. For more information, please refer to What is User Account Control? Hope this helps. If a post solved your problem, click Mark as Answer on the post. If a post helped you, click "Vote As Helpful" on the left side of post.
Free Windows Admin Tool Kit Click here and download it now
March 20th, 2012 11:23pm

Hi, Please right click Command Prompt, run it as administrator and see how it works. This is because that an administrator account performs as a standard user account if User Account Control is turned on. For more information, please refer to What is User Account Control? Hope this helps. If a post solved your problem, click Mark as Answer on the post. If a post helped you, click "Vote As Helpful" on the left side of post. Of course it works run elevated. But a "standard user" can change the system time (because I used SecPol to give everyone the privilege). And a non-evevated admin CAN NOT change the system time. So a non-elevated admin seems to be somewhat less than an "ordinary user" in this respect ... and that local security policy is not consulted when an admin gets a limited security token. I would like an admin under UAC to be able to change the system time as easily as an ordinary user can (that is without any hassle).
March 21st, 2012 12:31am

Hi, Please refer to User Account Control Overview for IT Professionals. And note, When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token can start standard user applications but cannot start applications that perform administrative tasks.. It means that although when an administrator account perform as a standard user account, it not a member of Users Group. Hope this can explain for you. If a post solved your problem, click Mark as Answer on the post. If a post helped you, click "Vote As Helpful" on the left side of post.
Free Windows Admin Tool Kit Click here and download it now
March 28th, 2012 6:00am

Hi, Please refer to User Account Control Overview for IT Professionals. And note, When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token. The standard user access token contains the same user-specific information as the administrator access token, but the administrative Windows privileges and SIDs are removed. The standard user access token can start standard user applications but cannot start applications that perform administrative tasks.. It means that although when an administrator account perform as a standard user account, it not a member of Users Group. Hope this can explain for you. If a post solved your problem, click Mark as Answer on the post. If a post helped you, click "Vote As Helpful" on the left side of post. I have come to understand that. Apparently UAC will simply not consult Local Security Policy (where "Everyone" has been given permission to change the system time). But is there not a way to adjust the limited token which members of the administrative group get ... or (equivalently) to adjust which privileges are stripped from the adminisrtator token? I would find it very hard to believe that the answer is simply "no".
March 28th, 2012 11:29am

Hi, I'm afraid there is no workaround to get over it. When you use the account under Administrator group, if you don't use "Run as admin" mode, CMD will be running under Standard User Token. Please note, access token is added when a user logs on. Normal users are granted the privilege at the time they log on, so does the Administrator. (this privillege is granted to the admin token, not the standard user token) Due to UAC, Admin privileges are cut off, you run CMD using Stardard User Token. the following picture will help you understand: Being an end user myself, I do understand UAC is somewhat annoying, but convenience and security is contradictory. UAC does help help mitigate the impact of malicious programs. So, if you are 100% certain your system is secure, you could turn UAC off. For normal users, we'd better enable it. Thanks, BrianPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
March 30th, 2012 1:07am

Doesn't the TOKEN_PRIVILEGES structure for this "Standard User" exists somewhere; and can't it be edited? Is there a SID for "Standard User" and is that SID listed in HKLM\SECURITY\Policy\Accounts.
April 15th, 2012 9:01pm

As I expalined in the previous post, no workaround to get over it, no reg, no policy for configuring this account. Thanks, BrianPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
April 18th, 2012 6:18am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics