I'm looking for a nuts and bolts answer to this, so if that means digging in to SDDL (or whatever...I want to SEE the "token"), I'm ok with that.
UAC policy settings have two consent behavior options:
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode User Account Control: Behavior of the elevation prompt for standard users
How can I tell (while logged in as the user) if a user account is currently assigned an admin token so that it is not considered a standard user account or if it's an admin not in admin approval mode?