When configuring an Application Manager User Rights Management (URM) Policy to add membership to a group with no local administrative rights, and Install as Trusted Owner is checked within the same URM Policy, the group may not be added as expected.
This can be checked using the "Security" tab when viewing process properties within, for example, Process Explorer.
Setting "Install as Trusted Owner" within a User Rights Policy, also requires the user to be a local administrator for the policy to apply correctly. This option is typically used when assigning the default "Builtin Elevate" policy, which adds local administrators and so no issue is seen.
If Application Manager logging is enabled, the following will be seen, in the appropriate logs:
Application Manager_AMLsaAP_* log files:
T000484 90243171 18:09:40.0768 [CTokenInfo::CreateNewToken] NTAPI_CreateToken failed. Error code = [0xc000005a]
T000484 90243171 18:09:40.0768 [CTokenInfo::CreateNewToken] CreateNewToken() failed. Last error code = . Freeing buffers
Application Manager_AGENT_* log files:
T003804 90248093 18:09:45.0690 [CLsaClientAP::TokenPipeServerHandler] Error: Token handle obtained from LSA is invalid
T002028 3409671 21:04:30.0141 [CHookCreateProcessHandler::RequestToken] RequestCustomToken failed.
T002028 3409671 21:04:30.0141 [CHookCreateProcessHandler::CompleteJob] Error, Request Token FAILED fallback to the original user token
To prevent this issue administrators can additionally add membership to the "BUILTIN\Administrators" group within the URM Policy with the "Install as Trusted Owner" option enabled.