SetLocalTime() fails with error 0x80070522 (Client does not hold a required privilege)
How can I effectively assign the privilege "Change system time" (SeSystemtimePrivilege) to a user account?
According to http://support.microsoft.com/kb/225525 and other articles, this is supposed to work using secpol.msc > Security Settings > Local Policy > Assign User Rights > Change system time.
Meanwhile, I've added the user account and the groups "Users", "Authenticated Users", and INTERACTIVE to that privilege. The groups "Administrators" and "LOCAL SERVICE" already were members. Then I logged out and in again and I also rebooted.
Still all programs that call SetLocalTime() fail with error 0x80070522 (Client does not hold a required privilege). The time command in a CMD shell fails and according to Process Explorer, all of my user account processes only have the following privileges: SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege, SeShutdownPrivilege, SeTimeZonePrivilege, SeUndockPrivilege.
That seems to be the stock equipment of processes owned by a non-elevated user account. According to MSDN, SetLocalTime() tries to enable SeSystemtimePrivilege but it cannot do so because the process does not hold that privilege (which is obviously correct).
It makes sense that privileges can only be set by the security policy editor after consenting the UAC. But why doesn't this have any effect? The local security settings seem to be ignored entirely!
I'm using a desktop PC with internet access via a cable TV provider; no local LAN. OS is Windows 7 Ultimate SP1.
July 28th, 2012 1:00pm

Hi,
By default, a normal user is unable to change the system time. So I'd like to know if the user is able to change system from the right corner after applying the GP. Does this issue only happen with programs that call SetLocalTime?
Best regards, Jason Mei
Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 31st, 2012 5:17am

Hi, yes, the user is able to change the system time from the task bar icon but only after consenting the UAC after clicking the [Change date and time...] button with the shield. The clock control, the "time" command in a CMD window, my application that calls SetLocalTime() and any other application needs to be launched elevated in order to be allowed to change the system time. Having said that, can anybody explain to me what the SeSystemtimePrivilege is actually good for? Frank
July 31st, 2012 8:43am

Hi,
It seems your main concern is why SetLocalTime() cannot run. Here is a link from the Development forum: http://social.msdn.microsoft.com/Forums/en-US/windowssdk/thread/9d182d7b-46ea-4f37-9fa9-678a29ee8d6a
Please let me know if the issue in the link above matches yours.
Best regards, Jason Mei
August 1st, 2012 1:15am

Hi Jason, that particular article discusses ways to start a process with the secondary logon token in order to acquire the missing privilege. So it discusses how to implement "RunAsAdmin" on Vista+. I am asking how to assign a single privilege to a user account that is running with its primary logon token (without elevation). Frank
August 1st, 2012 3:32am

"yes, the user is able to change the system time from the task bar icon but only after consenting the UAC after clicking the [Change date and time...] button with the shield."
It seems the normal user got a UAC prompt when changing system time, am I right? I have made a test in my lab, the normal user is able to change system time when applying the GPO, but I don't see any prompt. UAC is enabled in my test.
In addition, with UAC, the explorer.exe is launched by the standard user token of the administrator account. UAC is a new feature for WinVista and latest version OS. In WinVista, when an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. So UAC is designed for the administrator account.
Understanding and Configuring User Account Control in Windows Vista: http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx
Best regards, Jason Mei
August 2nd, 2012 2:27am

"It seems the normal user got a UAC prompt when changing system time, am I right? I have made a test in my lab, the normal user is able to change system time when applying the GPO, but I don't see any prompt. UAC is enabled in my test."
The second highest level ("Don't notify me if I change system settings") is the default UAC setting on Windows 7. This does not mean that the user can do some administrative tasks without elevation; it means that the system elevates the process without asking the user to consent. Setting the date and time is one such "system setting". This is why you did not see the UAC prompt; it wasn't gone; it was just hidden and silently answered for you. If you set the UAC to the highest level, you will always see the prompt.
The distinction I made above is crucial! It implies that only some well-known processes may be launched with silent elevation, but the user still is not able to use the very same system calls in his own programs (as these will never be elevated silently).
I knew about the split token and have used impersonation before. But this discussion is diverting from my core question: SeSystemtimePrivilege? What is this privilege good for and why can I assign it to users and groups in the security settings if this is obviously ignored?
August 3rd, 2012 6:42pm

Hi,
The UAC in my lab is set to the highest level. When a domain standard user tried to change the system, he doesn't get the UAC prompt. After joining the domain standard user to the local administrators group, he gets the UAC prompt as below when changing system time.
UAC configuration is only used for an administrator. When an administrator logs on to a Windows Server 2008-based computer, the administrator is assigned two separate access tokens. So I think this issue may be related to UAC.
Here are some articles for your reference.
SetSystemTime (http://msdn.microsoft.com/en-us/library/ms724942(VS.85).aspx)
SetLocalTime (http://msdn.microsoft.com/en-us/library/ms724936(VS.85).aspx)
SetSystemTimeAdjustment (http://msdn.microsoft.com/en-us/library/ms724943(VS.85).aspx)
timeBeginPeriod (http://msdn.microsoft.com/en-us/library/dd757624%28VS.85%29.aspx)
The first 2 public APIs will change the system time and date directly, and the 3rd public API can be used to set the specified number of 100-nanosecond units added to the time-of-day clock at each clock interrupt. An application needs the SeSystemTimePrivilege to call these 3 public APIs. In addition, when any of these 3 public APIs is called by an application, Windows will log the following event if "audit privilege use" is enabled.
The 4th API, timeBeginPeriod, sets the minimum timer resolution, in milliseconds, for the application or device driver. Although it is a Windows Multimedia API and it does not require the SeSystemTimePrivilege, this API affects a global Windows setting. Frequent calls of this API can significantly affect the system clock.
Best regards, Jason Mei
August 5th, 2012 11:22pm

I verified that removing the user from the Administrators group worked. Thank You!
To summarize:
1) If the user is a member of the Administrators group then he will always need to answer the UAC (if enabled on highest level) and his applications will fail with Access Denied. Privileges granted to that account in the Local Security Policies are ignored.
2) If the user is not a member of the Administrators, then the Local Security Policies apply and the user account token gets all additional configured privileges. His applications work without the need to first consent the UAC.
Do you know of a good reason why individual privileges cannot be assigned to members of the Administrators group? Since this silently fails without error message, I consider this a bug.
August 8th, 2012 5:34am
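
The check that would have shown the cause at the start of this thread, as an added PowerShell example that is not part of any post: it reads the group and privilege lists of a process token and reports whether SeSystemtimePrivilege is missing because the token is a UAC-filtered administrator token. The function name Get-TimePrivilegeDiagnosis and the sample lines are constructed for illustration, and English-language whoami output is assumed.

```powershell
# Added diagnostic, not from the thread. Run it from a non-elevated console.
# Assumes English whoami output for the "deny only" attribute text.
function Get-TimePrivilegeDiagnosis {
    param(
        # CSV lines without header; the default is the current process token.
        [string[]]$GroupCsv = (whoami /groups /fo csv /nh),
        [string[]]$PrivCsv  = (whoami /priv /fo csv /nh)
    )
    $groups = $GroupCsv | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    $privs  = $PrivCsv  | ConvertFrom-Csv -Header Name, Description, State

    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    $admin = $groups | Where-Object { $_.Sid -eq 'S-1-5-32-544' }
    $time  = $privs  | Where-Object { $_.Name -eq 'SeSystemtimePrivilege' }

    if ($time) {
        # "Disabled" is fine here: the privilege is held and can be enabled.
        return "Held ($($time.State)): the token can enable it for SetLocalTime()."
    }
    if ($admin -and $admin.Attributes -match 'deny only') {
        # Split token: the Administrators SID is deny-only and the policy
        # grant of "Change system time" is not in this filtered token.
        return 'Not held: filtered administrator token. Elevate, or use ' +
               'an account outside Administrators that has the user right.'
    }
    return 'Not held: grant "Change system time" in secpol.msc, then log ' +
           'off and on so a new token is built.'
}

# Constructed sample: a filtered administrator token carrying two of the
# privileges listed in the first post.
$g = '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
$p = '"SeShutdownPrivilege","Shut down the system","Disabled"',
     '"SeTimeZonePrivilege","Change the time zone","Disabled"'
Get-TimePrivilegeDiagnosis -GroupCsv $g -PrivCsv $p

# Live token of the current console.
Get-TimePrivilegeDiagnosis
```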

Hi,
This is not a bug, this is related to UAC. In the area of computer security, malicious programs or people might be able to perform unwanted actions on our computer. Some of these actions might include the following:
Using system resources: Malicious programs might use CPU, memory, disk, and network resources to perform their tasks.
Tampering with critical system files or data: In some cases, the data might simply be destroyed. In other cases, it might be transmitted to other computers.
Attempting to obtain personal information such as credit card numbers, user names, and passwords: Often, this data is then transmitted to a remote computer, where it might be used for actions such as identity theft.
Tracking system usage: Software that is commonly referred to as spyware often runs in the background on a computer, unknown to users. It collects information such as Web sites that are visited and then reports this information back to the distributor of the software. Apart from violating security, this can lead to system slowdowns and instability.
Displaying unwanted advertisements: It is a common practice for applications to include additional software that is installed with little or no warning to the user. The additional code can perform operations such as automatically loading content from Web sites.
If we enable the UAC feature, as a result, if an application requires an administrator access token, we will receive a message to remind me if we really want to do this operation and it will reduce potential safety hazard.
Why UAC: http://msdn.microsoft.com/en-us/library/bb756993.aspx
Best regards, Jason Mei
August 9th, 2012 3:19am

"This is not a bug, this is related to UAC."
Hi Jason, I don't question the importance of the UAC. The system made me waste a lot of my employer's time and money by letting me play around with system settings that can never have any effect without telling me. A message like "Granting local security privileges to this user/group has no effect because this user/group is member of the Administrators group" along with some documentation somewhere on this planet would have avoided that!
BTW: On another PC running "Windows Embedded Standard 7", the solution still doesn't work; i.e. even though the account is no longer a member of the Administrators group, no call to SetLocalTime() is possible.
Frank
August 9th, 2012 3:52am

This topic is archived. No further replies will be accepted.
