SetLocalTime() fails with error 0x80070522 (Client does not hold a required privilege)
How can I effectively assign the privilege "Change system time" (SeSystemtimePrivilege) to a user account?

According to http://support.microsoft.com/kb/225525 and other articles, this is supposed to work using

secpol.msc > Security Settings > Local Policy > Assign User Rights > Change system time

Meanwhile, I've added the user account and the groups "Users", "Authenticated Users", and INTERACTIVE to that privilege. The groups "Administrators" and "LOCAL SERVICE" already were members. Then I logged out and in again and I also rebooted.

Still all programs that call SetLocalTime() fail with error 0x80070522 (Client does not hold a required privilege). The time command in a CMD shell fails and according to Process Explorer, all of my user account processes only have the following privileges:

SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege, SeShutdownPrivilege, SeTimeZonePrivilege, SeUndockPrivilege

That seems to be the stock equipment of processes owned by a non-elevated user account. According to MSDN, SetLocalTime() tries to enable SeSystemtimePrivilege but it cannot do so because the process does not hold that privilege (which is obviously correct).

It makes sense that privileges can only be set by the security policy editor after consenting the UAC. But why doesn't this have any effect? The local security settings seem to be ignored entirely!

I'm using a desktop PC with internet access via a cable TV provider; no local LAN. OS is Windows 7 Ultimate SP1.
July 28th, 2012 12:53pm

Hi,

By default, normal user is unable to change system time. So I'd like to know if user is able to change system from the right corner after applying the GP. Does this issue only happen when program that call SetLocalTime?

Best regards,
Jason Mei
July 31st, 2012 5:14am

Hi,

yes, the user is able to change the system time from the task bar icon but only after consenting the UAC after clicking the [Change date and time...] button with the shield.

The clock control, the "time" command in a CMD window, my application that calls SetLocalTime() and any other application needs to be launched elevated in order to be allowed to change the system time.

Having said that, can anybody explain to me what the SeSystemtimePrivilege is actually good for?

Frank
July 31st, 2012 8:40am

Hi,

It seems your main concern is why SetLocalTime() cannot run. Here is a link from Development forum.

http://social.msdn.microsoft.com/Forums/en-US/windowssdk/thread/9d182d7b-46ea-4f37-9fa9-678a29ee8d6a

Please let me know if the issue in the link above matches yours.

Best regards,
Jason Mei
August 1st, 2012 1:15am

"yes, the user is able to change the system time from the task bar icon but only after consenting the UAC after clicking the [Change date and time...] button with the shield."

It seems the normal user got a UAC prompt when changing system time, am I right? I have made a test in my lab, the normal user is able to change system time when applying the GPO, but I don't see any prompt. UAC is enabled in my test.

In addition, with UAC, the explorer.exe is launched by the standard user token of the administrator account. UAC is a new feature for WinVista and latest version OS. In WinVista, when an administrator logs on, the user is granted two access tokens: a full administrator access token and a "filtered" standard user access token. So UAC is designed for administrator account.

Understanding and Configuring User Account Control in Windows Vista: http://technet.microsoft.com/en-us/library/cc709628(WS.10).aspx

Best regards,
Jason Mei
August 2nd, 2012 2:24am

"It seems the normal user got a UAC prompt when changing system time, am I right? I have made a test in my lab, the normal user is able to change system time when applying the GPO, but I don't see any prompt. UAC is enabled in my test."

The second highest level ("Don't notify me if I change system settings") is the default UAC setting on Windows 7. This does not mean that the user can do some administrative tasks without elevation; it means that the system elevates the process without asking the user to consent. Setting the date and time is one such "system setting". This is why you did not see the UAC prompt; it wasn't gone; it was just hidden and silently answered for you. If you set the UAC to the highest level, you will always see the prompt.

The distinction I made above is crucial! It implies that only some well-known processes may be launched with silent elevation, but the user still is not able to use the very same system calls in his own programs (as these will never be elevated silently).

I knew about the split token and have used impersonation before. But this discussion is diverting from my core question: SeSystemtimePrivilege? What is this privilege good for and why can I assign it to users and groups in the security settings if this is obviously ignored?
August 3rd, 2012 6:40pm

I verified that removing the user from the Administrators group worked. Thank You!

To summarize:

1) If the user is a member of the Administrators group then he will always need to answer the UAC (if enabled on highest level) and his applications will fail with Access Denied. Privileges granted to that account in the Local Security Policies are ignored.

2) If the user is not a member of the Administrators, then the Local Security Policies apply and the user account token gets all additional configured privileges. His applications work without the need to first consent the UAC.

Do you know of a good reason why individual privileges cannot be assigned to members of the Administrators group? Since this silently fails without error message, I consider this a bug.
August 8th, 2012 5:30am
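
Added example, not part of the thread: a PowerShell check for the two cases the summary above distinguishes, namely whether the current process token holds SeSystemtimePrivilege and whether BUILTIN\Administrators is present in it only as a deny-only group (the UAC-filtered token of an administrator account). It assumes English-language whoami output, and the function names are illustrative.

```powershell
# Added diagnostic sketch (not from the thread). Run it in the same,
# non-elevated session as the program whose SetLocalTime() call fails.
# Assumption: English whoami output (CSV headers and attribute text are localized).

function Get-TokenPrivilege {
    # Privileges present in this process's access token, as whoami reports them.
    whoami /priv /fo csv | ConvertFrom-Csv
}

function Test-TokenHasPrivilege([string]$Name) {
    # A privilege listed as "Disabled" is still held and can be enabled by the
    # process; a privilege that is not listed at all cannot be enabled.
    [bool](Get-TokenPrivilege | Where-Object { $_.'Privilege Name' -eq $Name })
}

function Test-AdministratorsDenyOnly {
    # S-1-5-32-544 is BUILTIN\Administrators. In a UAC-filtered token the
    # group is kept only as a deny-only SID.
    $admins = whoami /groups /fo csv | ConvertFrom-Csv |
        Where-Object { $_.SID -eq 'S-1-5-32-544' }
    [bool]($admins -and $admins.Attributes -match 'deny only')
}

$hasTime  = Test-TokenHasPrivilege 'SeSystemtimePrivilege'
$filtered = Test-AdministratorsDenyOnly

"SeSystemtimePrivilege in token : $hasTime"
"Administrators is deny-only    : $filtered"

if (-not $hasTime -and $filtered) {
    # Case 1 of the summary: policy grants do not reach the filtered token.
    'Filtered administrator token: run the program elevated, or use an account that is not in Administrators.'
} elseif (-not $hasTime) {
    # Tokens are built at logon, so a policy change needs a fresh logon.
    'Privilege missing from a non-administrator token: check the "Change system time" assignment, then log off and on again.'
} else {
    # Case 2 of the summary: the privilege is in the token.
    'Privilege is held: SetLocalTime() can enable it.'
}
```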

"This is not a bug, this is related to UAC."

Hi Jason,

I don't question the importance of the UAC. The system made me waste a lot of my employer's time and money by letting me play around with system settings that can never have any effect without telling me. A message like "Granting local security privileges to this user/group has no effect because this user/group is member of the Administrators group" along with some documentation somewhere on this planet would have avoided that!

BTW.: On another PC running "Windows Embedded Standard 7", the solution still doesn't work; i.e. even though the account is no longer a member of the Administrators group, no call to SetLocalTime() is possible.

Frank
August 9th, 2012 3:49am

This topic is archived. No further replies will be accepted.
