Accessing security information from an authentication provider

Hopefully, this isn't a hard question.

I'm writing a new authentication provider. What I want to know is, once
I know a user's username and domain, and have validated with our own
means that the user is who they say they are, I need to provide
information in the token like:

- The user's SID.
- What groups they belong to.
- Their primary group.
- What privileges they have.
- A default DACL.

and so on. How can I get this information? I'm not interested in
implementing an alternate user account database; I just have a different
way of authenticating that the user really is who they say they are. I'd
like the decision of their groups, privileges, and so on to continue to
be made by the same means it always is.

Do I have to write code to look these things up in the Active Directory
server and/or the SAM database? If so, is there good documentation
somewhere on where all this stuff is stored?

--
Chris Smith
.