I have code that checks a group membership of a token obtained from LogonUserEx():

    res = ImpersonateLoggedOnUser((HANDLE)userToken);
    if (!res)
    {
        return false;
    }

    HANDLE hThreadToken = NULL;
    res = OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE|TOKEN_QUERY, TRUE, &hThreadToken);
    if (res)
    {
        // Check token membership (it is critical that the ThreadToken is used here)
        res = ADSConfig::_pfnCheckTokenMembership->Run(hThreadToken, groupSID, &isMemberLocal);
        CloseHandle(hThreadToken);  // release the token handle on every path
    }

    // Always stop impersonating before returning, including on failure,
    // so the thread never keeps running in the user's security context.
    RevertToSelf();

    if (!res)
    {
        // Fail closed if the token could not be opened or checked.
        return false;
    }
    return isMemberLocal;

This code is, in some cases, returning TRUE when I check whether the user is a member of BUILTIN\Administrators. Is this the right approach, or should I be using GetTokenInformation and walking through the TokenGroup SIDs instead?
Never mind. The system was configured with NT AUTHORITY\INTERACTIVE as a member of the Administrators group... so the code was working correctly.
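An added example, not part of the original post: a PowerShell audit for the misconfiguration the follow-up describes, where a group that Windows places in tokens automatically is a member of BUILTIN\Administrators. It assumes the built-in Microsoft.PowerShell.LocalAccounts module is available; the list of well-known SIDs is a selection made for this example.

```powershell
# Well-known SIDs that Windows adds to tokens automatically at logon
# (selection chosen for this example). If one of them is a member of
# BUILTIN\Administrators, CheckTokenMembership succeeds for every token
# that carries it, whatever the user's explicit group memberships are.
$implicitSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-2'      = 'NT AUTHORITY\NETWORK'
    'S-1-5-3'      = 'NT AUTHORITY\BATCH'
    'S-1-5-4'      = 'NT AUTHORITY\INTERACTIVE'
    'S-1-5-6'      = 'NT AUTHORITY\SERVICE'
    'S-1-5-11'     = 'NT AUTHORITY\Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators

# Group SIDs in the token of the current process, for comparison.
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { $_.Value }

# Report every direct member of Administrators that is an implicit logon group.
$findings = foreach ($member in Get-LocalGroupMember -SID $adminsSid) {
    $sid = $member.SID.Value
    if ($implicitSids.ContainsKey($sid)) {
        [pscustomobject]@{
            Sid            = $sid
            WellKnownName  = $implicitSids[$sid]
            InCurrentToken = $tokenSids -contains $sid
        }
    }
}

if ($findings) {
    Write-Warning 'Implicit logon groups are members of BUILTIN\Administrators:'
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'No implicit logon group is a member of BUILTIN\Administrators.'
}
```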