When the S4U logon is done by a process running as SYSTEM for a user in the Administrators group the resultant token will contain full administrator rights and privileges. This is standard windows behavior.
If you want to start a process with CreateProcessAsUser that runs as a standard user then you need to use a token that does not contain administrator rights and privileges. For a user in the Administrators group use LogonUser to obtain the token or copy the token from an unelevated process already running as that user (e.g. explorer.exe).
Ordinarily, when UAC is enabled and a user that is a member of the Administrators group logs on the system creates a split token. Essentially, there are two tokens that are linked -- one that is filtered to remove administrator rights and privileges and one that is not filtered. Ordinarily, the system uses the filtered token and related processes are not elevated and run at the medium integrity level. Upon requesting elevation, the system uses the unfiltered token for the elevated process which then runs at the high integrity level.
In order for an s4u logon to succeed for a standard user account that account must be granted the log on as a batch job right. See log-on-as-a-batch-job