diff --git a/ntoskrnl/se/token.c b/ntoskrnl/se/token.c
index 061c907957a..51ba71f8e22 100644
--- a/ntoskrnl/se/token.c
+++ b/ntoskrnl/se/token.c
@@ -1196,6 +1196,20 @@ SepDuplicateToken(
 if (AccessToken->UserAndGroups[GroupsIndex].Attributes == 0 ||
 (AccessToken->UserAndGroups[GroupsIndex].Attributes & SE_GROUP_ENABLED) == 0)
 {
+ /*
+ * If this group is an administrators group
+ * and the token belongs to such group,
+ * we've to take away TOKEN_HAS_ADMIN_GROUP
+ * for the fact that's not enabled and as
+ * such the token no longer belongs to
+ * this group.
+ */
+ if (RtlEqualSid(SeAliasAdminsSid,
+ &AccessToken->UserAndGroups[GroupsIndex].Sid))
+ {
+ AccessToken->TokenFlags &= ~TOKEN_HAS_ADMIN_GROUP;
+ }
+
 /*
 * A group is not enabled, it's time to remove
 * from the token and update the groups index
@@ -1203,6 +1217,7 @@ SepDuplicateToken(
 */
 SepRemoveUserGroupToken(AccessToken, GroupsIndex);
 GroupsIndex--;
+ continue;
 }
 }
 
@@ -1228,6 +1243,7 @@ SepDuplicateToken(
 */
 SepRemovePrivilegeToken(AccessToken, PrivilegesIndex);
 PrivilegesIndex--;
+ continue;
 }
 }
 }
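Review bot: The new RtlEqualSid call passes `&AccessToken->UserAndGroups[GroupsIndex].Sid`, the address of the Sid field; assuming UserAndGroups is the usual SID_AND_ATTRIBUTES array (its declaration is outside this hunk), that member is already a PSID, so the comparison reads the pointer's own storage as a SID instead of the SID it points to and will in practice never match, and may read past the field. The effect is that TOKEN_HAS_ADMIN_GROUP is never cleared when a disabled Administrators group is dropped, so the duplicated token keeps a membership flag it no longer satisfies. The call should read `RtlEqualSid(SeAliasAdminsSid, AccessToken->UserAndGroups[GroupsIndex].Sid)`, and since the branch is the only place the flag is recomputed it is worth a unit check that a token duplicated with the Administrators group disabled comes back without the flag. The enclosing SepDuplicateToken starts and ends outside the hunk.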
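Review bot: The `continue;` added after `GroupsIndex--;` is the last statement of its if block, and the context lines show the block is itself the last statement of the loop body, so as far as this hunk shows the jump is redundant; the same holds for the `continue;` after `PrivilegesIndex--;` in the third hunk. If the intent is to protect against statements being appended after the block later, a short comment such as `/* index already adjusted for the removal; nothing more to do for this entry */` would make that explicit, otherwise both lines can be dropped.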