diff --git a/dlls/advapi32/tests/security.c b/dlls/advapi32/tests/security.c
index 2669c13748b..43709352560 100644
--- a/dlls/advapi32/tests/security.c
+++ b/dlls/advapi32/tests/security.c
@@ -7376,23 +7376,19 @@ static void test_token_security_descriptor(void)
     defaulted = TRUE;
     ret = GetSecurityDescriptorDacl(sd2, &present, &acl2, &defaulted);
     ok(ret, "GetSecurityDescriptorDacl failed with error %lu\n", GetLastError());
-    todo_wine
     ok(present, "DACL not present\n");
 
-    if (present)
-    {
-        ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
-        ok(!defaulted, "DACL defaulted\n");
+    ok(acl2 != (void *)0xdeadbeef, "DACL not set\n");
+    ok(!defaulted, "DACL defaulted\n");
 
-        index = 0;
-        found = FALSE;
-        while (GetAce(acl2, index++, (void **)&ace))
-        {
-            if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
-                found = TRUE;
-        }
-        ok(!found, "Access allowed ACE was inherited\n");
+    index = 0;
+    found = FALSE;
+    while (GetAce(acl2, index++, (void **)&ace))
+    {
+        if (ace->Header.AceType == ACCESS_ALLOWED_ACE_TYPE && EqualSid(&ace->SidStart, psid))
+            found = TRUE;
     }
+    ok(!found, "Access allowed ACE was inherited\n");
 
     free(sd2);
 
diff --git a/server/process.c b/server/process.c
index 733b0288f72..66f90fb80c4 100644
--- a/server/process.c
+++ b/server/process.c
@@ -735,12 +735,6 @@ struct process *create_process( int fd, struct process *parent, unsigned int fla
     if (!process->handles || !process->token) goto error;
     process->session_id = token_get_session_id( process->token );
 
-    /* Assign a high security label to the token. The default would be medium
-     * but Wine provides admin access to all applications right now so high
-     * makes more sense for the time being. */
-    if (!token_assign_label( process->token, &high_label_sid ))
-        goto error;
-
     set_fd_events( process->msg_fd, POLLIN );  /* start listening to events */
     return process;
 
diff --git a/server/security.h b/server/security.h
index 58ab1594eae..f4dff679179 100644
--- a/server/security.h
+++ b/server/security.h
@@ -50,7 +50,6 @@ extern const struct sid local_system_sid;
 extern const struct sid builtin_users_sid;
 extern const struct sid builtin_admins_sid;
 extern const struct sid domain_users_sid;
-extern const struct sid high_label_sid;
 
 struct ace
 {
diff --git a/server/token.c b/server/token.c
index f23013103dd..da7f0bb7ff2 100644
--- a/server/token.c
+++ b/server/token.c
@@ -72,7 +72,6 @@ struct sid_attrs
 
 const struct sid world_sid = { SID_REVISION, 1, SECURITY_WORLD_SID_AUTHORITY, { SECURITY_WORLD_RID } };
 const struct sid local_system_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_LOCAL_SYSTEM_RID } };
-const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
 const struct sid local_user_sid = { SID_REVISION, 5, SECURITY_NT_AUTHORITY, { SECURITY_NT_NON_UNIQUE, 0, 0, 0, 1000 } };
 const struct sid builtin_admins_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS } };
 const struct sid builtin_users_sid = { SID_REVISION, 2, SECURITY_NT_AUTHORITY, { SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_USERS } };
@@ -82,6 +81,7 @@ static const struct sid local_sid = { SID_REVISION, 1, SECURITY_LOCAL_SID_AUTHOR
 static const struct sid interactive_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_INTERACTIVE_RID } };
 static const struct sid anonymous_logon_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_ANONYMOUS_LOGON_RID } };
 static const struct sid authenticated_user_sid = { SID_REVISION, 1, SECURITY_NT_AUTHORITY, { SECURITY_AUTHENTICATED_USER_RID } };
+static const struct sid high_label_sid = { SID_REVISION, 1, SECURITY_MANDATORY_LABEL_AUTHORITY, { SECURITY_MANDATORY_HIGH_RID } };
 
 static struct luid prev_luid_value = { 1000, 0 };
 
@@ -649,6 +649,24 @@ struct token *token_duplicate( struct token *src_token, unsigned primary,
     if (sd) default_set_sd( &token->obj, sd, OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION |
                             DACL_SECURITY_INFORMATION | SACL_SECURITY_INFORMATION );
 
+    if (src_token->obj.sd)
+    {
+        const struct acl *sacl;
+        const struct ace *ace;
+        unsigned int i;
+        int present;
+
+        sacl = sd_get_sacl( src_token->obj.sd, &present );
+        if (present)
+        {
+            for (i = 0, ace = ace_first( sacl ); i < sacl->count; i++, ace = ace_next( ace ))
+            {
+                if (ace->type != SYSTEM_MANDATORY_LABEL_ACE_TYPE) continue;
+                token_assign_label( token, (const struct sid *)(ace + 1) );
+            }
+        }
+    }
+
     return token;
 }
 
@@ -785,6 +803,15 @@ struct token *token_create_admin( unsigned primary, int impersonation_level, int
     /* we really need a primary group */
     assert( token->primary_group );
 
+    /* Assign a high security label to the token. The default would be medium
+     * but Wine provides admin access to all applications right now so high
+     * makes more sense for the time being. */
+    if (!token_assign_label( token, &high_label_sid ))
+    {
+        release_object( token );
+        return NULL;
+    }
+
     free( default_dacl );
     return token;
 }