uses
  Winapi.Windows; // <= die wird Minimum benötigt

function IsUserAdmin: Boolean;
var
  b: BOOL;
  AdministratorsGroup: PSID;
begin
  {
    This function returns true if you are currently running with admin privileges.
    In Vista and later, if you are non-elevated, this function will return false
    (you are not running with administrative privileges).
    If you *are* running elevated, then IsUserAdmin will return true, as you are
    running with admin privileges.

    Windows provides this similar function in Shell32.IsUserAnAdmin.
    But the function is deprecated, and this code is lifted
    from the docs for CheckTokenMembership:
      http://msdn.microsoft.com/en-us/library/aa376389.aspx
  }

  {
    Routine Description: This routine returns TRUE if the callers
    process is a member of the Administrators local group. Caller is NOT
    expected to be impersonating anyone and is expected to be able to
    open its own process and process token.
      Arguments: None.
      Return Value:
        TRUE - Caller has Administrators local group.
        FALSE - Caller does not have Administrators local group.
  }
  b := AllocateAndInitializeSid(
      SECURITY_NT_AUTHORITY,
      2, //2 sub-authorities
      SECURITY_BUILTIN_DOMAIN_RID, //sub-authority 0
      DOMAIN_ALIAS_RID_ADMINS, //sub-authority 1
      0, 0, 0, 0, 0, 0, //sub-authorities 2-7 not passed
      AdministratorsGroup);
  if (b) then
  begin
    if not CheckTokenMembership(0, AdministratorsGroup, b) then
      b := False;
      FreeSid(AdministratorsGroup);
  end;

  Result := b;
end;

unit Unit3;

interface

function IsUserAdmin: Boolean;

implementation

uses
  Winapi.Windows,
  System.SysUtils;

Const
 SECURITY_NT_AUTHORITY: TSIDIdentifierAuthority = (Value: (0, 0, 0, 0, 0, 5));
 SECURITY_BUILTIN_DOMAIN_RID = $00000020;
 DOMAIN_ALIAS_RID_ADMINS = $00000220;
 DOMAIN_ALIAS_RID_USERS = $00000221;
 DOMAIN_ALIAS_RID_GUESTS = $00000222;
 DOMAIN_ALIAS_RID_POWER_USERS= $00000223;

function CheckTokenMembership(TokenHandle: THandle; SidToCheck: PSID; var IsMember: BOOL): BOOL; stdcall; external advapi32;

function IsUserAdmin: Boolean;
var
  IsMember : BOOL;
  AdministratorsGroup: PSID;
begin
  Win32Check( AllocateAndInitializeSid(
    {} SECURITY_NT_AUTHORITY,
    {} 2, // 2 sub-authorities
    {} SECURITY_BUILTIN_DOMAIN_RID, // sub-authority 0
    {} DOMAIN_ALIAS_RID_ADMINS, // sub-authority 1
    {} 0, 0, 0, 0, 0, 0, // sub-authorities 2-7 not passed
    {} AdministratorsGroup ) );
  try
    Win32Check( CheckTokenMembership( 0, AdministratorsGroup, IsMember ) );
  finally
    FreeSid( AdministratorsGroup );
  end;
  Result := IsMember;
end;

end.

type
  TPrivilegeLevel = (plLimited, plAdmin, plAdminElevated);

function QueryPrivilegeLevel(const UseThreadToken: Boolean): TPrivilegeLevel;

function GetAdminSid: PSID;
const
  SECURITY_NT_AUTHORITY: TSIDIdentifierAuthority = (Value: (0, 0, 0, 0, 0, 5));
  SECURITY_BUILTIN_DOMAIN_RID: DWord = $00000020;
  DOMAIN_ALIAS_RID_ADMINS : DWord = $00000220;
begin
  Result := nil;
  AllocateAndInitializeSid(SECURITY_NT_AUTHORITY, 2, SECURITY_BUILTIN_DOMAIN_RID,
    DOMAIN_ALIAS_RID_ADMINS, 0, 0, 0, 0, 0, 0, Result);
end;

const
  SE_GROUP_USE_FOR_DENY_ONLY = $00000010;

var
  TokenHandle: THandle;
  ReturnLength: DWORD;
  TokenInformation: PTokenGroups;
  AdminSid: PSID;
  Loop: Integer;
begin
  Result := plLimited;
  if (UseThreadToken) then
  begin
    if not OpenThreadToken(GetCurrentThread, TOKEN_QUERY, true, TokenHandle) then Exit;
  end else
  begin
    if not OpenProcessToken(GetCurrentProcess, TOKEN_QUERY, TokenHandle) then Exit;
  end;
  if (TokenHandle <> 0) then
  try
    ReturnLength := 0;
    GetTokenInformation(TokenHandle, TokenGroups, nil, 0, ReturnLength);
    TokenInformation := GetMemory(ReturnLength);
    if Assigned(TokenInformation) then
    try
      if GetTokenInformation(TokenHandle, TokenGroups, TokenInformation, ReturnLength,
        ReturnLength) then
      begin
        AdminSid := GetAdminSid;
        for Loop := 0 to TokenInformation^.GroupCount - 1 do
        begin
          if EqualSid(TokenInformation^.Groups[Loop].Sid, AdminSid) then
          begin
            if ((TokenInformation^.Groups[Loop].Attributes and SE_GROUP_USE_FOR_DENY_ONLY) =
              SE_GROUP_USE_FOR_DENY_ONLY) then
            begin
              Result := plAdmin;
            end else
            begin
              Result := plAdminElevated;
            end;
            Break;
          end;
        end;
        FreeSid(AdminSid);
      end;
    finally
      FreeMemory(TokenInformation);
    end;
  finally
    CloseHandle(TokenHandle);
  end;
end;

function IsRunAsAdmin: Boolean;
const
  WinBuiltinAdministratorsSid = 26;
var
  sidlen: Cardinal;
  sid: PSID;
  isAdmin: BOOL;
begin
  Result := false;

  CreateWellKnownSid(WinBuiltinAdministratorsSid, nil , nil, @sidlen);
  GetMem(sid, sidlen);
  try
    if CreateWellKnownSid(WinBuiltinAdministratorsSid, nil , sid, @sidlen) then
    begin
      try
      if CheckTokenMembership(0, Sid, isAdmin) then
        Result := isAdmin;
      finally
        FreeSid(sid);
      end;
    end
  finally
    FreeMem(sid);
  end;
end;

program TestAdmin;

{$IFDEF FPC}
  {$mode objfpc}{$H+}
{$ELSE}
  {$APPTYPE CONSOLE}
{$ENDIF}

uses
  SysUtils,
  Windows,
  Classes;

Const
 SECURITY_NT_AUTHORITY: TSIDIdentifierAuthority = (Value: (0, 0, 0, 0, 0, 5));
 SECURITY_BUILTIN_DOMAIN_RID = $00000020;
 DOMAIN_ALIAS_RID_ADMINS = $00000220;
 DOMAIN_ALIAS_RID_USERS = $00000221;
 DOMAIN_ALIAS_RID_GUESTS = $00000222;
 DOMAIN_ALIAS_RID_POWER_USERS= $00000223;

 function CheckTokenMembership(TokenHandle: THandle; SidToCheck: PSID; var IsMember: BOOL): BOOL; stdcall; external advapi32;

 function UserInGroup(Group :DWORD) : Boolean;
 var
  pIdentifierAuthority :TSIDIdentifierAuthority;
  pSid : Windows.PSID;
  IsMember : BOOL;
 begin
  pIdentifierAuthority := SECURITY_NT_AUTHORITY;
  Result := AllocateAndInitializeSid(pIdentifierAuthority,2, SECURITY_BUILTIN_DOMAIN_RID, Group, 0, 0, 0, 0, 0, 0, pSid);
  try
    if Result then
      if not CheckTokenMembership(0, pSid, IsMember) then //passing 0 means which the function will be use the token of the calling thread.
         Result:= False
      else
         Result:=IsMember;
  finally
     FreeSid(pSid);
  end;
 end;

begin
 Writeln(Format('Current user is Admin %s',
[BoolToStr(UserInGroup(DOMAIN_ALIAS_RID_ADMINS),True)]));
 Writeln(Format('Current user is Guest %s',
[BoolToStr(UserInGroup(DOMAIN_ALIAS_RID_GUESTS),True)]));
 Writeln(Format('Current user is Power User %s',
[BoolToStr(UserInGroup(DOMAIN_ALIAS_RID_POWER_USERS),True)]));
 readln;
end.