Well... a couple of notes. #1) UAC seems to have zero effect. I just turned it off on one machine, and during logon it still fails to detect admin.

#2) The API error I reported earlier gets tripped when @PRIV is referenced OR InGroup(@WKSTA + '\' + SIDtoName('S-1-5-32-544')) is used. But only during the logon. If I run the script after it's logged on, I get no API error and the result is as expected.