3

In my program, I have to set the group policy setting of certain files to ALL APPLICATION PACKAGES. To accomplish this, I'm using the following function which takes the FilePath to a file and sets the ALL APPLICATION PACKAGES group policy on that file:

#include <windows.h>
#include <aclapi.h>   // GetNamedSecurityInfo, SetEntriesInAcl, SetNamedSecurityInfo
#include <string>

// Assumes a UNICODE build, since the path is passed in as a std::wstring.
DWORD AdjustGroupPolicy(std::wstring wstrFilePath)
{
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    EXPLICIT_ACCESS eaAccess;
    SECURITY_INFORMATION siInfo = DACL_SECURITY_INFORMATION;
    DWORD dwResult = ERROR_SUCCESS;

    // Read the file's current DACL. pSD owns the returned (LocalAlloc'd) buffer; pOldDACL points into it.
    dwResult = GetNamedSecurityInfo(wstrFilePath.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, &pSD);
    if (dwResult != ERROR_SUCCESS)
    {
        if (pSD != NULL)
            LocalFree((HLOCAL)pSD);
        return dwResult;
    }

    // One ACE granting read/execute, inherited by subfolders and files.
    ZeroMemory(&eaAccess, sizeof(EXPLICIT_ACCESS));
    eaAccess.grfAccessPermissions = GENERIC_READ | GENERIC_EXECUTE;
    eaAccess.grfAccessMode = SET_ACCESS;
    eaAccess.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
    // The trustee is identified by its display name, which Windows has to map to a SID.
    eaAccess.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    eaAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    eaAccess.Trustee.ptstrName = (LPTSTR)L"ALL APPLICATION PACKAGES";

    // Merge the ACE into a new DACL; pNewDACL is a separate LocalAlloc'd buffer.
    dwResult = SetEntriesInAcl(1, &eaAccess, pOldDACL, &pNewDACL);
    if (ERROR_SUCCESS != dwResult)
    {
        if (pSD != NULL)
            LocalFree((HLOCAL)pSD);
        if (pNewDACL != NULL)
            LocalFree((HLOCAL)pNewDACL);
        return dwResult;
    }

    dwResult = SetNamedSecurityInfo((LPWSTR)wstrFilePath.c_str(), SE_FILE_OBJECT, siInfo, NULL, NULL, pNewDACL, NULL);

    // Release both buffers whether or not the final call succeeded.
    if (pSD != NULL)
        LocalFree((HLOCAL)pSD);
    if (pNewDACL != NULL)
        LocalFree((HLOCAL)pNewDACL);

    return dwResult;
}

The problem is, some users are reporting that this function is failing for some reason. After digging into the issue a bit, I found that on PCs with language settings other than English, the function fails at SetEntriesInAcl with the error code 1332 (0x534). In the MSDN documentation, the error code corresponds to the error ERROR_NONE_MAPPED, with the description:

No mapping between account names and security IDs was done.

My guess is that the error is thrown because ALL APPLICATION PACKAGES is named differently depending on the language settings and thus Windows can't find the security ID for it; however, I'm unsure of how to fix this error. How could I go about fixing this error so that the function works reliably regardless of the user's language settings?

jocopa3

1 Answer

1

I'm relatively new to access control policies in Windows and never had to deal with it before my current project. I've learned a lesson that I shouldn't set the Trustee by name since you can't rely on the name being the same across systems, even if it's a well-known group.

I ended up fixing it by adding the following code to the function:

#include <sddl.h>   // ConvertStringSidToSid
PSID pSID = NULL;
// S-1-15-2-1 is the well-known SID for ALL APPLICATION PACKAGES (all app package SIDs share the S-1-15-2 prefix)
if (!ConvertStringSidToSid(L"S-1-15-2-1", &pSID)) return GetLastError();

Later when I set the Trustee info, I changed the code to:

eaAccess.Trustee.TrusteeForm = TRUSTEE_IS_SID;
eaAccess.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
eaAccess.Trustee.ptstrName = (LPTSTR)pSID; // with TRUSTEE_IS_SID this member carries the PSID, not a name
// Once SetNamedSecurityInfo has run (or on any error exit), release the SID with LocalFree(pSID).

ConvertStringSidToSid takes the string-format SID and returns a pointer to the corresponding SID struct. I can then use that SID instead of using its name, which avoids the translation issue I was having before.

jocopa3
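An added example, which is neither the question's nor the answer's code. Its portable part parses a string SID such as S-1-15-2-1 into the byte layout that ConvertStringSidToSid builds (revision, sub-authority count, 48-bit identifier authority, then 32-bit sub-authorities) and serializes it back, which is why the SID form survives any locale: it is a fixed sequence of numbers, not a display name that the system translates. The Windows-only part (compiled under _WIN32) rewrites the question's function around the answer's ConvertStringSidToSid approach and releases every LocalAlloc'd buffer on every path. The names SidBytes, ParseStringSid, SidToString and AdjustGroupPolicyBySid are this example's own, and the Windows function assumes the caller may modify the file's DACL.

```cpp
// Added example (not from the question or answer): a portable string-SID parser that
// shows the bytes ConvertStringSidToSid builds, plus a Windows-only rewrite of the
// question's function using a SID trustee. All names here are the example's own.
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Binary SID layout (same as the Windows SID structure): Revision(1) |
// SubAuthorityCount(1) | IdentifierAuthority(6, big-endian) | SubAuthority[n](4 each, LE)
using SidBytes = std::vector<uint8_t>;

// Parse "S-R-A-S1-...-Sn"; returns false for malformed input such as a display name.
bool ParseStringSid(const std::string& text, SidBytes& out)
{
    out.clear();
    if (text.size() < 5 || (text[0] != 'S' && text[0] != 's') || text[1] != '-') return false;
    std::vector<uint64_t> parts;
    std::stringstream ss(text.substr(2));
    std::string tok;
    while (std::getline(ss, tok, '-')) {
        if (tok.empty() || tok.size() > 19) return false;      // 19 digits always fit in uint64
        for (char c : tok) if (c < '0' || c > '9') return false;
        parts.push_back(std::stoull(tok));
    }
    // revision 1, a 48-bit identifier authority, then 1..15 sub-authorities
    if (parts.size() < 3 || parts.size() > 17 || parts[0] != 1) return false;
    if (parts[1] > 0xFFFFFFFFFFFFULL) return false;
    out.push_back(static_cast<uint8_t>(parts[0]));
    out.push_back(static_cast<uint8_t>(parts.size() - 2));
    for (int shift = 40; shift >= 0; shift -= 8)                // authority, big-endian
        out.push_back(static_cast<uint8_t>((parts[1] >> shift) & 0xFF));
    for (size_t i = 2; i < parts.size(); ++i) {                 // sub-authorities, little-endian
        if (parts[i] > 0xFFFFFFFFULL) return false;
        for (int shift = 0; shift < 32; shift += 8)
            out.push_back(static_cast<uint8_t>((parts[i] >> shift) & 0xFF));
    }
    return true;
}

// Inverse of ParseStringSid (what ConvertSidToStringSid does on Windows).
std::string SidToString(const SidBytes& sid)
{
    if (sid.size() < 8) return "";
    size_t count = sid[1];
    if (sid.size() != 8 + 4 * count) return "";
    uint64_t authority = 0;
    for (size_t i = 2; i < 8; ++i) authority = (authority << 8) | sid[i];
    std::string s = "S-" + std::to_string(sid[0]) + "-" + std::to_string(authority);
    for (size_t i = 0; i < count; ++i) {
        uint32_t sub = 0;
        for (int b = 3; b >= 0; --b) sub = (sub << 8) | sid[8 + 4 * i + b];
        s += "-" + std::to_string(sub);
    }
    return s;
}

#ifdef _WIN32
#include <windows.h>
#include <aclapi.h>
#include <sddl.h>
// The question's operation with the trustee given as the well-known SID S-1-15-2-1
// (ALL APPLICATION PACKAGES), so no locale-dependent name lookup, and with every
// LocalAlloc'd buffer released on every path.
DWORD AdjustGroupPolicyBySid(const std::wstring& path)
{
    PSID pSid = NULL;
    PACL pOldDACL = NULL, pNewDACL = NULL;
    PSECURITY_DESCRIPTOR pSD = NULL;
    if (!ConvertStringSidToSidW(L"S-1-15-2-1", &pSid)) return GetLastError();
    DWORD rc = GetNamedSecurityInfoW(path.c_str(), SE_FILE_OBJECT, DACL_SECURITY_INFORMATION,
                                     NULL, NULL, &pOldDACL, NULL, &pSD);
    if (rc == ERROR_SUCCESS) {
        EXPLICIT_ACCESSW ea = {};
        ea.grfAccessPermissions = GENERIC_READ | GENERIC_EXECUTE;
        ea.grfAccessMode = SET_ACCESS;
        ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
        ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
        ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
        ea.Trustee.ptstrName = static_cast<LPWSTR>(pSid);
        rc = SetEntriesInAclW(1, &ea, pOldDACL, &pNewDACL);
    }
    if (rc == ERROR_SUCCESS)
        rc = SetNamedSecurityInfoW(const_cast<LPWSTR>(path.c_str()), SE_FILE_OBJECT,
                                   DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL);
    if (pNewDACL) LocalFree(pNewDACL);
    if (pSD) LocalFree(pSD);
    LocalFree(pSid);
    return rc;
}
#endif

int main()
{
    SidBytes sid;
    if (ParseStringSid("S-1-15-2-1", sid))
        std::printf("S-1-15-2-1 -> %zu bytes, round-trips as %s\n", sid.size(), SidToString(sid).c_str());
    return 0;
}
```

Built on Windows, the program also compiles AdjustGroupPolicyBySid; elsewhere only the parser is built, and main prints the 16-byte form of S-1-15-2-1. The parser rejects a display name outright, which is the same class of input that produced ERROR_NONE_MAPPED in the question: a name needs a lookup against the local account database, a SID does not.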