Open tehsuk opened 6 years ago
Hi, there's a similar issue. And it looks like it's a Win32 API bug. Need to dive deeper.
https://github.com/PowerShell/Win32-OpenSSH/issues/750
The real problem is here: 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES' can't translate the fully qualified name. It is a Win32 API bug. To work around it, we need to use the short value of the IdentityReference. 'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16, and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16.
Here is a script resource I'm using to set perms for All Application Packages, with paths & rights hardcoded:
```powershell
Script SetPermissionsOnProgramFilesx86CompanyProgramForApplicationPackageAuthority
{
    GetScript = {
        # A DSC GetScript must return a hashtable; expose the current ACL as its Result
        @{ Result = (Get-Acl -Path "C:\Program Files (x86)\Company\Program" | Out-String) }
    }
    TestScript = {
        $PermEntries = (Get-Acl -Path "C:\Program Files (x86)\Company\Program").Access |
            Where-Object { $_.IdentityReference -eq "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" }
        if ($PermEntries) {
            foreach ($PermEntry in $PermEntries) {
                # Allow ACEs always carry Synchronize, so Get-Acl reports "ReadAndExecute, Synchronize"
                if ($PermEntry.FileSystemRights -eq "ReadAndExecute, Synchronize") {
                    return $true
                }
            }
        }
        # No ACE for the principal, or only ACEs with other rights: TestScript must return a boolean
        return $false
    }
    SetScript = {
        # Use the well-known SID directly (S-1-15-2-1 = ALL APPLICATION PACKAGES) instead of the
        # account name, so no name-to-SID translation of the APPLICATION PACKAGE AUTHORITY name is needed
        $AppPackageSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
        $FolderACE = New-Object System.Security.AccessControl.FileSystemAccessRule (
            $AppPackageSid, 'ReadAndExecute', ('ContainerInherit','ObjectInherit'), 'None', 'Allow')
        $FolderACL = Get-Acl -Path "C:\Program Files (x86)\Company\Program"
        $FolderACL.AddAccessRule($FolderACE)
        Set-Acl -Path "C:\Program Files (x86)\Company\Program" -AclObject $FolderACL
    }
    DependsOn = "[cNtfsPermissionsInheritance]DisableInheritOnProgramFilesx86EveriNGMSServices"
}
```
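The workaround above hard-codes one SID for one path. As an added example (not code from this thread or from the cNtfsAccessControl module), the following generalizes it: it tries the normal NTAccount-to-SID translation first, falls back to a table of well-known app-container SIDs when the Win32 lookup throws IdentityNotMappedException, and compares and grants ACEs by SID rather than by display name, so the test no longer depends on how Windows renders the name. The path and the function names are placeholders chosen here; the mapping of S-1-15-2-2 to ALL RESTRICTED APPLICATION PACKAGES is a Microsoft-documented well-known SID that the thread itself does not state, so treat it as an assumption to verify on your build.

```powershell
# Added example; not part of the original issue or the module under discussion.
# Assumptions: the well-known SIDs below (S-1-15-2-1 = ALL APPLICATION PACKAGES,
# S-1-15-2-2 = ALL RESTRICTED APPLICATION PACKAGES) and the placeholder path.
$WellKnownAppContainerSids = @{
    'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'            = 'S-1-15-2-1'
    'ALL APPLICATION PACKAGES'                                          = 'S-1-15-2-1'
    'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES' = 'S-1-15-2-2'
    'ALL RESTRICTED APPLICATION PACKAGES'                               = 'S-1-15-2-2'
}

function Resolve-IdentitySid {
    # Returns a SecurityIdentifier for a SID string or an account name, using the
    # well-known table only when the Win32 name lookup cannot map the name.
    param([Parameter(Mandatory)][string]$Identity)

    if ($Identity -match '^S-1-') {
        return [System.Security.Principal.SecurityIdentifier]$Identity
    }
    try {
        $account = New-Object System.Security.Principal.NTAccount($Identity)
        return $account.Translate([System.Security.Principal.SecurityIdentifier])
    }
    catch [System.Security.Principal.IdentityNotMappedException] {
        # Hashtable keys are case-insensitive in PowerShell, so no normalization is needed
        if ($WellKnownAppContainerSids.ContainsKey($Identity)) {
            return [System.Security.Principal.SecurityIdentifier]$WellKnownAppContainerSids[$Identity]
        }
        throw
    }
}

function Test-AceBySid {
    # True if an Allow ACE for the identity grants at least $Rights on $Path.
    # Rights are compared with -band because Allow ACEs always carry Synchronize.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights
    )
    $sid = Resolve-IdentitySid -Identity $Identity
    $acl = Get-Acl -Path $Path
    # Ask for rules keyed by SID so the comparison never goes through name translation
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference -eq $sid -and
            $ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($ace.FileSystemRights -band $Rights) -eq $Rights)) {
            return $true
        }
    }
    return $false
}

function Grant-AceBySid {
    # Adds an inheritable Allow ACE for the identity, resolved to a SID first.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights
    )
    $sid = Resolve-IdentitySid -Identity $Identity
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule (
        $sid,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($ace)
    Set-Acl -Path $Path -AclObject $acl
}

# Usage (placeholder path): make the grant idempotent by testing before setting
$target = 'C:\Program Files (x86)\Company\Program'
$principal = 'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES'
if (-not (Test-AceBySid -Path $target -Identity $principal -Rights ReadAndExecute)) {
    Grant-AceBySid -Path $target -Identity $principal -Rights ReadAndExecute
}
```

Two points worth keeping in mind when adopting this: the fallback table is only consulted after the OS lookup fails, so on builds where the name does translate nothing changes; and because `Test-AceBySid` masks with `-band`, an ACE that grants a superset such as Modify also satisfies a ReadAndExecute check, which is usually what an idempotent DSC test wants but is not the strict equality the original TestScript performed.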
@tehsuk, Thanks for sharing the snippet. I will look into this problem.
Sample config:
Result: