You forgot to use CreateEnvironmentBlock to set the correct env. for the user.
The function LsaLogonUser is helpful for adding the user to a group for this session. But is it possible without using CreateToken to change privileges?
It's nearly the same code I produced some days ago without knowing yours.
However, I wrapped the LSA functions in my Security Library classes so it's easier to use. I will publish it when the time is right.