I don't mean adding Joe to the Administrators group; rather, the process you started with LsaLogonUser runs with admin permissions!
I thought that (Zw)NtCreateToken was no longer possible in Vista.
Please look at my sample again; the way I understand your question, it does precisely what you want! Make it a service so you don't have to give a user SeTcbPrivilege...