Check that a given user has a given privilege

Access tokens do not have information about rights, only about privileges.

What you need to do is this:

  • Find the IIS worker process that corresponds to your app pool. Since you know the app pool identity, that should be easy: enumerate all the processes with the worker process name and filter for the one that has the identity. If there is more than one, you can use any.
  • Use GetTokenInformation with the TokenGroups information class, not TokenPrivileges, on the process token. The result will give you all the transitive groups the identity belongs to. This means even indirect ones.
  • Now you can loop through these groups and call LsaEnumerateAccountRights on each one and collate the information. This will give you what you want.

The above relies on the existence of the process (and token) corresponding to the account identity. In your scenario this should not be a problem. In scenarios where this is a problem, you can try an Active Directory lookup of the Token-Groups computed attribute. This article lists a few approaches to pulling this off.
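The last two steps above, sketched in C# with P/Invoke. This is an added example, not code from the answer's author. It assumes the worker process PID has already been matched to the app pool identity; `TokenRights`, `RightsViaGroups` and `workerPid` are hypothetical names, and the numeric constants are the Windows SDK values named in the comments.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

static class TokenRights
{
    [StructLayout(LayoutKind.Sequential)]
    struct LSA_OBJECT_ATTRIBUTES { public int Length; public IntPtr RootDirectory, ObjectName; public int Attributes; public IntPtr SecurityDescriptor, SecurityQos; }

    [DllImport("kernel32", SetLastError = true)] static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32")] static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32", SetLastError = true)] static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32", SetLastError = true)] static extern bool GetTokenInformation(IntPtr token, int infoClass, IntPtr buf, int len, out int needed);
    [DllImport("advapi32")] static extern uint LsaOpenPolicy(IntPtr system, ref LSA_OBJECT_ATTRIBUTES attrs, uint access, out IntPtr policy);
    [DllImport("advapi32")] static extern uint LsaEnumerateAccountRights(IntPtr policy, IntPtr sid, out IntPtr rights, out uint count);
    [DllImport("advapi32")] static extern uint LsaFreeMemory(IntPtr buffer);
    [DllImport("advapi32")] static extern uint LsaClose(IntPtr policy);

    // workerPid (assumption): PID of the w3wp.exe instance already matched to the app pool identity.
    public static SortedSet<string> RightsViaGroups(int workerPid)
    {
        var rights = new SortedSet<string>();
        IntPtr proc = OpenProcess(0x0400 /* PROCESS_QUERY_INFORMATION */, false, workerPid);
        if (proc == IntPtr.Zero || !OpenProcessToken(proc, 0x0008 /* TOKEN_QUERY */, out IntPtr token))
            throw new System.ComponentModel.Win32Exception();
        var attrs = new LSA_OBJECT_ATTRIBUTES();   // all members zero, as the LSA API expects
        uint status = LsaOpenPolicy(IntPtr.Zero, ref attrs, 0x0800 /* POLICY_LOOKUP_NAMES */, out IntPtr policy);
        if (status != 0) throw new InvalidOperationException($"LsaOpenPolicy NTSTATUS 0x{status:X8}");
        GetTokenInformation(token, 2 /* TokenGroups */, IntPtr.Zero, 0, out int size); // sizing call
        IntPtr buf = Marshal.AllocHGlobal(size);
        try
        {
            if (!GetTokenInformation(token, 2, buf, size, out size)) throw new System.ComponentModel.Win32Exception();
            int groupCount = Marshal.ReadInt32(buf);   // TOKEN_GROUPS.GroupCount
            for (int i = 0; i < groupCount; i++)
            {
                // SID_AND_ATTRIBUTES array starts at pointer alignment; each entry is two pointers wide.
                IntPtr sid = Marshal.ReadIntPtr(buf, IntPtr.Size + i * 2 * IntPtr.Size);
                // Non-zero NTSTATUS (e.g. STATUS_OBJECT_NAME_NOT_FOUND): nothing assigned to this SID.
                if (LsaEnumerateAccountRights(policy, sid, out IntPtr list, out uint n) != 0) continue;
                for (int r = 0; r < n; r++)
                {
                    IntPtr entry = list + r * 2 * IntPtr.Size;          // LSA_UNICODE_STRING
                    int chars = (ushort)Marshal.ReadInt16(entry) / 2;   // Length is in bytes
                    rights.Add(Marshal.PtrToStringUni(Marshal.ReadIntPtr(entry, IntPtr.Size), chars));
                }
                LsaFreeMemory(list);
            }
        }
        finally { Marshal.FreeHGlobal(buf); LsaClose(policy); CloseHandle(token); CloseHandle(proc); }
        return rights;
    }
}
```

TokenGroups does not include the account's own SID, so rights granted directly to the account need one more LsaEnumerateAccountRights call on the SID returned by the TokenUser information class. The caller must be able to open the worker process and the LSA policy, which in practice usually means running elevated.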