quasoft/websspi

Resolve linked token.

Varbin opened this issue · 1 comments

It might be desirable to add a configuration parameter to do group lookup over the TokenLinkedToken. This contains the "elevated" token if UAC filtered the direct token.

Using the default, filtered token (as introduced by this PR) should remain the default, as this is the default for Windows applications (e.g. when using PowerShell Remoting). At the same time, if developers want to e.g. allow login depending on administrative rights, using the linked token might be useful.

Shall I open a new PR for:

  1. Improved documentation, describing why groups might be missing and the differences from the previous lookup.
  2. A configuration parameter for toggling between using the regular and the linked token.

Oh, and I could do #4 at the same time.

Sure, sounds good.

Feel free to go ahead with adding a new config parameter for checking the TOKEN_LINKED_TOKEN, and/or adding the missing example on enumeration of groups.

As a next step I would remove enumeration with NetUserGetGroups altogether. Since that would change existing behavior, it would need a bump of major version (the module is already used by at least one other project - https://github.com/go-gitea/gitea).