Merge pull request #856 from Icinga:fix/acl_handling_for_non_englisch_windows_versions

Fix: ACL handling on non-english Windows versions

Fixes an issue with ACL permission handling on non-english Windows versions by looking up the correct names by their underlying SID

doc/100-General/10-Changelog.md

@@ -31,6 +31,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#845](https://github.com/Icinga/icinga-powershell-framework/issues/845) Fixes a bunch of issues present in the New-IcingaCheck component, resulting in non-desired output value
 * [#851](https://github.com/Icinga/icinga-powershell-framework/pull/851) Fixes an issue with user updates on domain controllers, which included the domain besides the user name, causing the user updates to fail
 * [#854](https://github.com/Icinga/icinga-powershell-framework/pull/854) Fixes an issue with the renew certificate job, which updated file permissions with the wrong user `NT Authority\NetworkService` instead of the correct assigned user
+* [#855](https://github.com/Icinga/icinga-powershell-framework/issues/855) Fixes an issue with ACL permission handling on non-english Windows versions by looking up the correct names by their underlying SID
 
 ### Enhancements
 

lib/core/icingaagent/setters/Set-IcingaAcl.psm1

@@ -35,7 +35,7 @@ function Set-IcingaAcl()
 {
     param (
         [string]$Directory    = $null,
-        [string]$Owner        = 'NT AUTHORITY\SYSTEM',
+        [string]$Owner        = (Get-IcingaUsernameFromSID -SID 'S-1-5-18'),
         [string[]]$IcingaUser = (Get-IcingaServiceUser),
         [string]$DomainName   = ($env:USERDOMAIN).ToLower()
     );
@@ -66,10 +66,13 @@ function Set-IcingaAcl()
         }
     }
 
+    # Local Administrators group SID
+    [string]$AdminGroup = Get-IcingaUsernameFromSID -SID 'S-1-5-32-544';
+
     # Validate if the local Administrators group exists (shouldn't happen anyway)
     try {
-        $adminGroup = New-Object System.Security.Principal.NTAccount('Administrators');
-        $adminGroup.Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null;
+        $adminGroupTest = New-Object System.Security.Principal.NTAccount($AdminGroup);
+        $adminGroupTest.Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null;
     } catch {
         Write-IcingaConsoleError -Message 'The local Administrators group does not exist or is invalid' -Objects $null;
         return;
@@ -98,7 +101,7 @@ function Set-IcingaAcl()
 
         # Update the owner of the folder to "Administrators" first, to ensure we don't
         # run into any exceptions
-        $acl.SetOwner((New-Object System.Security.Principal.NTAccount('Administrators'))) | Out-Null;
+        $acl.SetOwner((New-Object System.Security.Principal.NTAccount($AdminGroup))) | Out-Null;
 
         Write-IcingaConsoleNotice -Message 'Disabled inheritance for directory {0}' -Objects $Directory;
 
@@ -124,7 +127,7 @@ function Set-IcingaAcl()
 
         # Add local Administrators group (Full Control)
         $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
-            'Administrators',
+            $AdminGroup,
             'FullControl',
             'ContainerInherit, ObjectInherit',
             'None',
@@ -160,7 +163,7 @@ function Set-IcingaAcl()
                 # As our parent or current Acl might be owned by SYSTEM,
                 # we need to set the owner to Administrators here as well to fix exceptions
                 # for SYSTEM user not being allowed to own this file
-                $childAcl.SetOwner((New-Object System.Security.Principal.NTAccount('Administrators'))) | Out-Null;
+                $childAcl.SetOwner((New-Object System.Security.Principal.NTAccount($AdminGroup))) | Out-Null;
 
                 Set-Acl -Path $_.FullName -AclObject $childAcl | Out-Null;
             } catch {