Happy bug hunt - windows security anomalies

Out for the weekend, hunting!

Experts, maybe someone would like to verify and analyse this strange behavior (seen on win7/8.x/10, UAC on):
You will be able to reproduce this on any win10 or win8.1 system, most probably also on win7, but I have only tested those two.

1 open secpol.msc, and grant the privilege "change the system time" to user "testuser"

2 login as testuser and try to change the time - works. Logoff.

3 add testuser to another privileged local group, for example "network configuration operators"

4 login as testuser, try to change the time... Access is denied.

Strange, isn't it? But as with all bugs in security matters, we need to analyze it. The same happens if in step 3 we use the group "power users". It does not happen for any other local groups, though, just these two.
(posted the same on technet, no one helpful over there)
LVL 65
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kyle AbrahamsSenior .Net DeveloperCommented:
Is the privilege denied for NCOs?   A deny will take precedence over any grant.
McKnifeAuthor Commented:
No. Defaults on clean systems. Take a minute and reproduce this.
McKnifeAuthor Commented:
I proceeded and found out the following:
When either in the groups network configuration operators or power users, the user gets a split-token at logon. People who are familiar with UAC will know what I am talking about, others, please stand clear of this question.

The problem is: until they activate their full token by elevating, they also lose the privilege to set the system time. This can be verified using the command
to set the time once on a normal cmd and again on an elevated cmd - different results!

For whatever reason, the GUI that let's us set the time is not correctly using UAC. It brings up a UAC prompt, but it doesn't accept the user's own credentials but will only accept those of an admin.
On the command line this works.

So it is definitely a bug in the GUI. I will report it to microsoft.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
McKnifeAuthor Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.