LogonUser function in Windows 8

Question

we are using this VB.NET code inside a class since many years for testing if a given user is an administrator (shortened for clarity, error checking removed):

Private Declare Auto Function LogonUser Lib "advapi32.dll" (ByVal lpszUsername As String, ByVal lpszDomain As String, ByVal lpszPassword As String, ByVal dwLogonType As UInteger, ByVal dwLogonProvider As UInteger, ByRef phToken As IntPtr) As Boolean

Private token As IntPtr
Private identity As WindowsIdentity
Private principal As WindowsPrincipal

LogonUser(username, domain, password, LOGON32_LOGON_INTERACTIVE, LOGON32_PROVIDER_DEFAULT, token)
identity = New WindowsIdentity(token)
principal = New WindowsPrincipal(identity)

Return principal.IsInRole(ApplicationServices.BuiltInRole.Administrator)

This code returns True for administrator credentials. This code works in Windows XP, Vista and Windows 7. We are aware of the fact that this code is not compatible with UAC turned on. So for this code to work in Windows Vista and 7, we turn off UAC. In Windows 8, however, even when turning off UAC, administrator credentials are still recognized as restricted token (part of BuiltInRole.User). So we cant impersonate the administrator with "identity.Impersonate".

Any ideas what why this code has been broken on Windows 8?

Thanks Alex

Answer 1

I don't know why you want to impersonate a user to check membership of a group. I think that the following will work with UAC on or off:

Public Shared Function IsLocalAdmin(ByVal userName As String) As Boolean
    Dim MyIdentity = New System.Security.Principal.WindowsIdentity(userName)
    Dim MyPrincipal = New System.Security.Principal.WindowsPrincipal(MyIdentity)
    Return MyPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole.Administrator)
End Function

It should not be a pre-requisite of your program to turn UAC off.