windows 发现用户是否具有管理员权限
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1453497/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Discover if user has Admin rights
提问by Rob
How can I determine if the current user (the user running my application) has admin rights (i.e. is a member of the Administrator group)? I need to register some COM components differently for users with limited access. I am using C++ (WTL and Win32).
如何确定当前用户(运行我的应用程序的用户)是否具有管理员权限(即管理员组的成员)?我需要为访问受限的用户以不同的方式注册一些 COM 组件。我正在使用 C++(WTL 和 Win32)。
回答by Anders
IsUserAnAdmin() is the fast and easy way, but MSDN warns that it might go away in the future, so you might want to call CheckTokenMembership() on your thread/process token instead (comparing with a well-known SID for the admin group).
IsUserAnAdmin() 是一种快速而简单的方法,但 MSDN 警告说它可能会在未来消失,所以你可能想要改为在你的线程/进程令牌上调用 CheckTokenMembership()(与管理员组的众所周知的 SID 进行比较)。
回答by ST3
At work we were using the way Anders suggested, but a few months ago our system failed because of that function. Now we are using this:
在工作中,我们使用了 Anders 建议的方式,但几个月前我们的系统由于该函数而失败。现在我们正在使用这个:
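// Reports whether the calling thread's token (or, when the thread carries no
// token of its own, the process token) is granted access by a DACL whose only
// entry allows the BUILTIN\Administrators group.
//
// Returns true only when AccessCheck grants the request. Every API failure
// also returns false, so the function fails closed: callers cannot tell
// "not an administrator" apart from "the check could not be performed".
//
// NOTE(review): the answer describes the token as it is at the moment of the
// call. With UAC, a non-elevated process of an administrator account is
// expected to hold the Administrators group as deny-only, in which case this
// returns false even though the account is a group member -- confirm that
// "currently elevated" rather than "member of the group" is what the caller
// needs. Treat the result as a hint for choosing a code path (for example
// per-user vs. per-machine COM registration); the operating system's own
// access checks on the protected resource remain the actual enforcement.
bool IsUserAdmin ()
{
    // Owns every handle and allocation made below, so each early return
    // releases whatever has been acquired so far.
    struct Data
    {
        PACL pACL;
        PSID psidAdmin;
        HANDLE hToken;
        HANDLE hImpersonationToken;
        PSECURITY_DESCRIPTOR psdAdmin;

        Data() : pACL(NULL), psidAdmin(NULL), hToken(NULL),
                 hImpersonationToken(NULL), psdAdmin(NULL)
        {}

        ~Data()
        {
            if (pACL)
                LocalFree(pACL);
            if (psdAdmin)
                LocalFree(psdAdmin);
            if (psidAdmin)
                FreeSid(psidAdmin);
            if (hImpersonationToken)
                CloseHandle(hImpersonationToken);
            if (hToken)
                CloseHandle(hToken);
        }
    } data;

    BOOL fReturn = FALSE;
    // The original listing spelled these as "Dword", which is not a Windows
    // type and does not compile; DWORD is the intended type.
    DWORD dwStatus = 0;
    DWORD dwAccessMask;
    DWORD dwAccessDesired;
    DWORD dwACLSize;
    DWORD dwStructureSize = sizeof(PRIVILEGE_SET);
    PRIVILEGE_SET ps;
    GENERIC_MAPPING GenericMapping;
    SID_IDENTIFIER_AUTHORITY SystemSidAuthority = SECURITY_NT_AUTHORITY;

    // Private access bits used only inside the throw-away descriptor below.
    const DWORD ACCESS_READ = 1;
    const DWORD ACCESS_WRITE = 2;

    // Prefer the thread token so an impersonated identity is the one checked;
    // fall back to the process token only when the thread has none.
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_DUPLICATE | TOKEN_QUERY, TRUE, &data.hToken))
    {
        if (GetLastError() != ERROR_NO_TOKEN)
            return false;

        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_DUPLICATE | TOKEN_QUERY, &data.hToken))
            return false;
    }

    // AccessCheck needs an impersonation token, and the process token is a
    // primary token, so work on a duplicate at SecurityImpersonation level.
    if (!DuplicateToken(data.hToken, SecurityImpersonation, &data.hImpersonationToken))
        return false;

    // Build the well-known SID for BUILTIN\Administrators.
    if (!AllocateAndInitializeSid(&SystemSidAuthority, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0, &data.psidAdmin))
        return false;

    data.psdAdmin = (PSECURITY_DESCRIPTOR)LocalAlloc(LPTR, SECURITY_DESCRIPTOR_MIN_LENGTH);
    if (data.psdAdmin == NULL)
        return false;

    if (!InitializeSecurityDescriptor(data.psdAdmin, SECURITY_DESCRIPTOR_REVISION))
        return false;

    // Compute size needed for the ACL: header, one allowed ACE, and the SID
    // (the ACE structure already accounts for the first DWORD of the SID).
    dwACLSize = sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + GetLengthSid(data.psidAdmin) - sizeof(DWORD);

    data.pACL = (PACL)LocalAlloc(LPTR, dwACLSize);
    if (data.pACL == NULL)
        return false;

    if (!InitializeAcl(data.pACL, dwACLSize, ACL_REVISION2))
        return false;

    dwAccessMask = ACCESS_READ | ACCESS_WRITE;

    if (!AddAccessAllowedAce(data.pACL, ACL_REVISION2, dwAccessMask, data.psidAdmin))
        return false;

    if (!SetSecurityDescriptorDacl(data.psdAdmin, TRUE, data.pACL, FALSE))
        return false;

    // AccessCheck validates a security descriptor somewhat; set the group
    // and owner so that enough of the security descriptor is filled out
    // to make AccessCheck happy. The results are checked so that a failure
    // here is reported directly instead of surfacing later.
    if (!SetSecurityDescriptorGroup(data.psdAdmin, data.psidAdmin, FALSE))
        return false;

    if (!SetSecurityDescriptorOwner(data.psdAdmin, data.psidAdmin, FALSE))
        return false;

    if (!IsValidSecurityDescriptor(data.psdAdmin))
        return false;

    dwAccessDesired = ACCESS_READ;

    GenericMapping.GenericRead = ACCESS_READ;
    GenericMapping.GenericWrite = ACCESS_WRITE;
    GenericMapping.GenericExecute = 0;
    GenericMapping.GenericAll = ACCESS_READ | ACCESS_WRITE;

    // fReturn receives the access decision; the call's own return value only
    // says whether the check itself could be carried out.
    if (!AccessCheck(data.psdAdmin, data.hImpersonationToken, dwAccessDesired,
                     &GenericMapping, &ps, &dwStructureSize, &dwStatus,
                     &fReturn))
    {
        return false;
    }

    return fReturn != FALSE;
}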