(#10299) Use CheckTokenMembership to see if user has admin rights
Previously, on Windows 2003 and earlier, Puppet.features.root? was
implemented by checking if the current user is a member of the local
Administrators group. However, many accounts, e.g. LocalSystem, are
implicit members of this group, so Puppet.features.root? would
incorrectly return false. This led to puppet not being able to find
its default configuration directory, among other things.
Conversely, a process can be executing using a restricted token, so
while the user may be a member of the Administrators group, the
process will be running with less privileges, and
Puppet.features.root? would incorrectly return true.
This commit uses CheckTokenMembership to determine if the local
Administrators group SID is both present and enabled in the calling
thread's access token.
The behavior on Vista/2008 is unchanged. The calling thread's token
must be currently elevated.