I believe the only way to do this is to use either LsaEnumerateAccountsWithUserRight or LsaEnumerateAccountRights to query the LSA policy.
Since rights need not be assigned directly (i.e., they could be assigned to a group, or to a security primitive such as Everyone or INTERACTIVE USERS), you'll need to enumerate the SIDs in the user's token and cross-reference this with the LSA policy.
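
The cross-reference described in the answer above, as an added example that is not part of the original answer: it unions the rights assigned to every SID in a token and records which SID grants each one. The function names, the sample policy and the sample token are constructed for illustration; `live_token_rights` assumes Windows with the pywin32 package installed.

```python
import sys

# Constructed sample data: direct LSA assignments keyed by string SID.
SAMPLE_POLICY = {
    "S-1-1-0": ["SeNetworkLogonRight", "SeChangeNotifyPrivilege"],  # Everyone
    "S-1-5-4": ["SeInteractiveLogonRight"],                         # INTERACTIVE
    "S-1-5-32-544": ["SeDebugPrivilege"],                           # BUILTIN\Administrators
}
# Constructed token: user SID (placeholder), Everyone, BUILTIN\Users, INTERACTIVE.
SAMPLE_TOKEN = ["S-1-5-21-1111111111-2222222222-3333333333-1001",
                "S-1-1-0", "S-1-5-32-545", "S-1-5-4"]

def sample_lookup(sid):
    return SAMPLE_POLICY.get(sid, ())

def effective_rights(token_sids, rights_for_sid):
    """Return {right: [SIDs granting it]} across every SID in the token."""
    granted = {}
    for sid in token_sids:
        for right in rights_for_sid(sid):
            granted.setdefault(right, []).append(sid)
    return granted

def live_token_rights():
    """Windows only (needs pywin32): same cross-reference against the real policy."""
    import pywintypes, win32api, win32con, win32security as ws
    token = ws.OpenProcessToken(win32api.GetCurrentProcess(), win32con.TOKEN_QUERY)
    user_sid, _attrs = ws.GetTokenInformation(token, ws.TokenUser)
    groups = ws.GetTokenInformation(token, ws.TokenGroups)
    sids = {ws.ConvertSidToStringSid(s): s for s in [user_sid] + [g[0] for g in groups]}
    policy = ws.LsaOpenPolicy(None, ws.POLICY_LOOKUP_NAMES)

    def lookup(sid_string):
        try:
            return ws.LsaEnumerateAccountRights(policy, sids[sid_string])
        except pywintypes.error as exc:
            if exc.winerror == 2:  # no rights assigned directly to this SID
                return ()
            raise
    try:
        return effective_rights(list(sids), lookup)
    finally:
        ws.LsaClose(policy)

if __name__ == "__main__":
    live = sys.platform == "win32"
    rights = live_token_rights() if live else effective_rights(SAMPLE_TOKEN, sample_lookup)
    for right, via in sorted(rights.items()):
        print(right, "via", ", ".join(via))
```

In the sample data the user's own SID has no direct assignments, so every right it holds arrives through Everyone or INTERACTIVE, which is the case a lookup on the user SID alone would miss.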