[NTOS:SE] Mark the token as no longer belonging to admin group upon effective duplication

A scenario where it happens that an access token belongs to an administrators group but it's disabled (that is, SeAliasAdminsSid has no attributes or it doesn't have SE_GROUP_ENABLED turn ON), the function removes this group from the token but still has TOKEN_HAS_ADMIN_GROUP flag which can lead to erratic behavior across the kernel and security modules -- implying that the token still belongs to administrators group.

This is an oversight from my part.

ntoskrnl/se/token.c

@@ -1196,6 +1196,20 @@ SepDuplicateToken(
             if (AccessToken->UserAndGroups[GroupsIndex].Attributes == 0 ||
                 (AccessToken->UserAndGroups[GroupsIndex].Attributes & SE_GROUP_ENABLED) == 0)
             {
+                /*
+                 * If this group is an administrators group
+                 * and the token belongs to such group,
+                 * we've to take away TOKEN_HAS_ADMIN_GROUP
+                 * for the fact that's not enabled and as
+                 * such the token no longer belongs to
+                 * this group.
+                 */
+                if (RtlEqualSid(SeAliasAdminsSid,
+                                &AccessToken->UserAndGroups[GroupsIndex].Sid))
+                {
+                    AccessToken->TokenFlags &= ~TOKEN_HAS_ADMIN_GROUP;
+                }
+
                 /*
                  * A group is not enabled, it's time to remove
                  * from the token and update the groups index
@@ -1203,6 +1217,7 @@ SepDuplicateToken(
                  */
                 SepRemoveUserGroupToken(AccessToken, GroupsIndex);
                 GroupsIndex--;
+                continue;
             }
         }
 
@@ -1228,6 +1243,7 @@ SepDuplicateToken(
                  */
                 SepRemovePrivilegeToken(AccessToken, PrivilegesIndex);
                 PrivilegesIndex--;
+                continue;
             }
         }
     }