From 4df1dff5dd69324850c59cafc5f00f6f05bcb3c3 Mon Sep 17 00:00:00 2001
From: Lord Hepipud
Date: Mon, 9 Feb 2026 08:48:45 +0100
Subject: [PATCH] Fixes ACL handling on non-english Windows versions
---
 doc/100-General/10-Changelog.md | 1 +
 lib/core/icingaagent/setters/Set-IcingaAcl.psm1 | 15 +++++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
index e8af00c..4dc98b6 100644
--- a/doc/100-General/10-Changelog.md
+++ b/doc/100-General/10-Changelog.md
@@ -31,6 +31,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#845](https://github.com/Icinga/icinga-powershell-framework/issues/845) Fixes a bunch of issues present in the New-IcingaCheck component, resulting in non-desired output value
 * [#851](https://github.com/Icinga/icinga-powershell-framework/pull/851) Fixes an issue with user updates on domain controllers, which included the domain besides the user name, causing the user updates to fail
 * [#854](https://github.com/Icinga/icinga-powershell-framework/pull/854) Fixes an issue with the renew certificate job, which updated file permissions with the wrong user `NT Authority\NetworkService` instead of the correct assigned user
+* [#855](https://github.com/Icinga/icinga-powershell-framework/issues/855) Fixes an issue with ACL permission handling on non-english Windows versions by looking up the correct names by their underlying SID
 ### Enhancements
diff --git a/lib/core/icingaagent/setters/Set-IcingaAcl.psm1 b/lib/core/icingaagent/setters/Set-IcingaAcl.psm1
index 1462443..0fb0f6c 100644
--- a/lib/core/icingaagent/setters/Set-IcingaAcl.psm1
+++ b/lib/core/icingaagent/setters/Set-IcingaAcl.psm1
@@ -35,7 +35,7 @@ function Set-IcingaAcl()
 {
 param (
 [string]$Directory = $null,
- [string]$Owner = 'NT AUTHORITY\SYSTEM',
+ [string]$Owner = (Get-IcingaUsernameFromSID -SID 'S-1-5-18'),
 [string[]]$IcingaUser = (Get-IcingaServiceUser),
 [string]$DomainName = ($env:USERDOMAIN).ToLower()
 );
@@ -66,10 +66,13 @@ function Set-IcingaAcl()
 }
 }
+ # Local Administrators group SID
+ [string]$AdminGroup = Get-IcingaUsernameFromSID -SID 'S-1-5-32-544';
+
 # Validate if the local Administrators group exists (shouldn't happen anyway)
 try {
- $adminGroup = New-Object System.Security.Principal.NTAccount('Administrators');
- $adminGroup.Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null;
+ $adminGroupTest = New-Object System.Security.Principal.NTAccount($AdminGroup);
+ $adminGroupTest.Translate([System.Security.Principal.SecurityIdentifier]) | Out-Null;
 } catch {
 Write-IcingaConsoleError -Message 'The local Administrators group does not exist or is invalid' -Objects $null;
 return;
@@ -98,7 +101,7 @@ function Set-IcingaAcl()
 # Update the owner of the folder to "Administrators" first, to ensure we don't
 # run into any exceptions
- $acl.SetOwner((New-Object System.Security.Principal.NTAccount('Administrators'))) | Out-Null;
+ $acl.SetOwner((New-Object System.Security.Principal.NTAccount($AdminGroup))) | Out-Null;
 Write-IcingaConsoleNotice -Message 'Disabled inheritance for directory {0}' -Objects $Directory;
@@ -124,7 +127,7 @@ function Set-IcingaAcl()
 # Add local Administrators group (Full Control)
 $adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
- 'Administrators',
+ $AdminGroup,
 'FullControl',
 'ContainerInherit, ObjectInherit',
 'None',
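Review bot: The new `$Owner` default in the first hunk's `param` block uses the bare literal `'S-1-5-18'` with no comment naming the principal, while the second hunk does label `S-1-5-32-544`. A comment above the parameter such as `# S-1-5-18 = Local System (NT AUTHORITY\SYSTEM), resolved by SID so localized installs get the right name` would keep the two consistent. The lookup result is also not checked: Get-IcingaUsernameFromSID is not visible in this patch, but if it can return `$null` the `[string]` constraint turns that into an empty owner name, so a guard where `$Owner` is consumed (outside this hunk) may be needed.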
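Review bot: The `try` block in the second hunk only proves that the looked-up name translates to some SID, not that it translates back to `S-1-5-32-544`, and every later use (`SetOwner` in the third and fifth hunks, the `FileSystemAccessRule` in the fourth) resolves that name again. Since the SID is already known, building the identity once with `$adminSid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544');` and passing `$adminSid` to `SetOwner(...)` and as the first argument of the access rule would remove the SID-to-name-to-SID round trip and any dependence on how an unqualified, localized group name is resolved. If the name form is kept, the check could compare the result, e.g. `$adminGroupTest.Translate([System.Security.Principal.SecurityIdentifier]).Value -ne 'S-1-5-32-544'`, and treat a mismatch like the existing error path. Whether Get-IcingaUsernameFromSID returns a qualified name (`BUILTIN\...`) is not visible here.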
@@ -160,7 +163,7 @@ function Set-IcingaAcl()
 # As our parent or current Acl might be owned by SYSTEM,
 # we need to set the owner to Administrators here as well to fix exceptions
 # for SYSTEM user not being allowed to own this file
- $childAcl.SetOwner((New-Object System.Security.Principal.NTAccount('Administrators'))) | Out-Null;
+ $childAcl.SetOwner((New-Object System.Security.Principal.NTAccount($AdminGroup))) | Out-Null;
 Set-Acl -Path $_.FullName -AclObject $childAcl | Out-Null;
 } catch {