Check that a given user has a given privilege
Access tokens do not have information about rights, only about privileges.
What you need to do is this:
- Find the IIS worker process that corresponds to your app pool. Since you know the app pool identity that should be easy by enumerating all the processes with the worker process name, and filtering the one that has the identity. If there are more than one, you can use any.
- Use GetTokenInformation with TokenGroup information class, not the TokenPrivilege on the process token. The result will give you all the transitive groups the identity belongs too. This means even indirect ones.
- Now you can loop through these groups and call LsaEnumerateAccountRights on each one and collate the information. This will give you what you want.
The above relies on the existence of the process (and token) corresponding to the account identity. In your scenario this should not be a problem. In scenarios when this is a problem, you can try and use Active Directory lookup for Token-Groups computed attribute. This article lists a few approaches how to pull this off.