Ugh! You're writing a Windows device driver [1] and you're calling SecLookupWellKnownSid() using ID "WinAccountAdministratorSid" because you want "a SID that matches the administrator group" as the docs at https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-seclookupwellknownsid say. What you get, however, is the SID of an administrator account. WTH?

The problem is with the docs. In fact, "WinAccountAdministratorSid" is the ID for "a SID that matches the account administrator's account" per https://docs.microsoft.com/en-us/windows/win32/api/winnt/ne-winnt-well_known_sid_type . What you need to use is "WinBuiltinAdministratorsSid", which is for "a SID that matches the administrator group". Id. The docs at https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-seclookupwellknownsid erroneously switched the meanings of these two SIDs.
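A quick way to tell which of the two you actually got back is to look at the SID itself: the built-in Administrators group is always S-1-5-32-544, while the Administrator account is S-1-5-21-<domain or machine id>-500. The following is an added example, not code from this post or from Microsoft; it is portable C that parses the raw binary SID layout rather than driver code, and the function, enum and sample names are its own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result names are this example's own, not Windows identifiers. */
enum sid_kind { SID_INVALID, SID_OTHER, SID_ADMINS_GROUP, SID_ADMIN_ACCOUNT };

/* Sub-authorities start at offset 8, each a 32-bit little-endian value. */
static uint32_t sub_auth(const uint8_t *sid, unsigned i)
{
    const uint8_t *p = sid + 8 + 4 * i;
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

enum sid_kind classify_sid(const uint8_t *sid, size_t len)
{
    /* Header: revision (1), sub-authority count (max 15), 6-byte authority. */
    if (sid == NULL || len < 8 || sid[0] != 1 || sid[1] > 15)
        return SID_INVALID;
    unsigned n = sid[1];
    if (len < 8 + 4 * (size_t)n)
        return SID_INVALID;
    /* The identifier authority is big-endian; NT Authority is 5. */
    for (int i = 0; i < 5; i++)
        if (sid[2 + i] != 0)
            return SID_OTHER;
    if (sid[7] != 5)
        return SID_OTHER;
    if (n == 2 && sub_auth(sid, 0) == 32 && sub_auth(sid, 1) == 544)
        return SID_ADMINS_GROUP;   /* S-1-5-32-544: the group */
    if (n == 5 && sub_auth(sid, 0) == 21 && sub_auth(sid, 4) == 500)
        return SID_ADMIN_ACCOUNT;  /* S-1-5-21-<domain or machine id>-500 */
    return SID_OTHER;
}

/* Constructed samples; the three middle sub-authorities are made up. */
const uint8_t SAMPLE_GROUP[] = { 1, 2, 0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0 };
const uint8_t SAMPLE_ACCOUNT[] = { 1, 5, 0,0,0,0,0,5, 21,0,0,0,
    0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22, 0x33,0x33,0x33,0x33, 0xF4,0x01,0,0 };

int main(void)
{
    printf("group sample   -> %d\n", classify_sid(SAMPLE_GROUP, sizeof SAMPLE_GROUP));
    printf("account sample -> %d\n", classify_sid(SAMPLE_ACCOUNT, sizeof SAMPLE_ACCOUNT));
    return 0;
}
```

If a security descriptor built from the looked-up SID classifies as the account rather than the group, the ACE grants access to one user instead of to every member of Administrators.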

[1] I could stop right here and "ugh" would describe it pretty well.