
Can't set perms for APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES #9

Open
tehsuk opened this issue Mar 7, 2018 · 3 comments

Comments

@tehsuk

tehsuk commented Mar 7, 2018

Sample config:

Configuration TestAppPackagePerms
{
    Import-DscResource -ModuleName "cNtfsAccessControl"
    Import-DscResource -ModuleName "PSDesiredStateConfiguration"

    File CreateTestFolder
    {
        Type = "Directory"
        DestinationPath = "C:\Program Files\Test"
        Ensure = "Present"
    }

    cNtfsPermissionsInheritance DisableInheritOnProgramFilesTest
    {
        Path = "C:\Program Files\Test"
        Enabled = $false
        PreserveInherited = $false
        DependsOn = "[File]CreateTestFolder"
    }

    cNtfsPermissionEntry SetPermsOnCTestForApplicationPackageAuthority
    {
        Ensure = "Present"
        Path = "C:\Program Files\Test"
        # For Principal, same results using the following:
        # "ALL APPLICATION PACKAGES"
        # "S-1-15-2-1"
        Principal = "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES"
        AccessControlInformation = @(
            cNtfsAccessControlInformation
            {
                AccessControlType = "Allow"
                FileSystemRights = "ReadAndExecute"
                Inheritance = "ThisFolderSubfoldersAndFiles"
            }
        )
        DependsOn = "[cNtfsPermissionsInheritance]DisableInheritOnProgramFilesTest"
    }
}

TestAppPackagePerms -Verbose
Start-DscConfiguration -Path .\TestAppPackagePerms -Wait -Verbose -Force

Result:

VERBOSE: [SERVER]: LCM:  [ Start  Resource ]  [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority]
VERBOSE: [SERVER]: LCM:  [ Start  Test     ]  [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority]
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Ensure                   : 'Present'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Path                     : 'C:\Program Files\Test'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Principal                : 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] AccessControlInformation : 'cNtfsAccessControlInformation'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Verbose                  : 'True'
VERBOSE: [SERVER]:                            [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority] Resolving identity reference 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES'.
VERBOSE: [SERVER]: LCM:  [ End    Test     ]  [[cNtfsPermissionEntry]SetPermsOnCTestForApplicationPackageAuthority]  in 0.0780 seconds.
PowerShell DSC resource cNtfsPermissionEntry  failed to execute Test-TargetResource functionality with error message: The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Could not resolve identity reference 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES': 'Exception calling "Translate" with "1" argument(s): "Some or all identity references could not be translated."'.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : ProviderOperationExecutionFailure
    + PSComputerName        : localhost

VERBOSE: [SERVER]: LCM:  [ End    Set      ]
The SendConfigurationApply function did not succeed.
    + CategoryInfo          : NotSpecified: (root/Microsoft/...gurationManager:String) [], CimException
    + FullyQualifiedErrorId : MI RESULT 1
    + PSComputerName        : localhost

VERBOSE: Operation 'Invoke CimMethod' complete.
VERBOSE: Time taken for configuration job to complete is 0.8 seconds
@SNikalaichyk
Contributor

SNikalaichyk commented Mar 7, 2018

Hi, there's a similar issue. And it looks like it's a Win32 API bug. Need to dive deeper.

PowerShell/Win32-OpenSSH#750

The real problem is here:
'APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES' - can't translate the fully qualified name. It is a Win32 API bug. To work around it, we need to use the shortValue of the IdentityReference.
'ALL APPLICATION PACKAGES' exists only on Win2k12 and Win2k16, and 'ALL RESTRICTED APPLICATION PACKAGES' exists only in Win2k16.

@tehsuk
Author

tehsuk commented Apr 26, 2018

Here is a script resource I'm using to set perms for All Application Packages with paths & rights hardcoded:

Script SetPermissionsOnProgramFilesx86CompanyProgramForApplicationPackageAuthority
{
    GetScript = {
        # GetScript must return a hashtable with a 'Result' key (only consulted by Get-DscConfiguration)
        @{ Result = (Get-Acl -Path "C:\Program Files (x86)\Company\Program").Sddl }
    }
    TestScript = {
        $PermEntries = (Get-Acl -Path "C:\Program Files (x86)\Company\Program").Access |
            Where-Object { $_.IdentityReference -eq "APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES" }
        foreach ($PermEntry in $PermEntries) {
            if ($PermEntry.FileSystemRights -eq "ReadAndExecute, Synchronize") {
                return $true
            }
        }
        # No entry for the principal, or none with the expected rights: TestScript must always return a boolean
        return $false
    }
    SetScript = {
        # Build the ACE from the well-known SID directly, so no name translation is needed
        $AppPackageSid = New-Object System.Security.Principal.SecurityIdentifier("S-1-15-2-1")
        $FolderACE = New-Object System.Security.AccessControl.FileSystemAccessRule ($AppPackageSid, 'ReadAndExecute', ('ContainerInherit','ObjectInherit'), 'None', 'Allow')
        $FolderACL = Get-Acl -Path "C:\Program Files (x86)\Company\Program"
        $FolderACL.AddAccessRule($FolderACE)
        Set-Acl -Path "C:\Program Files (x86)\Company\Program" -AclObject $FolderACL
    }
    DependsOn = "[cNtfsPermissionsInheritance]DisableInheritOnProgramFilesx86EveriNGMSServices"
}
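
Putting the quoted workaround and the script resource above together, as an added example that is neither the cNtfsAccessControl module's code nor code from this issue: `Resolve-PrincipalSid` accepts a SID string, an unqualified name or the fully qualified `APPLICATION PACKAGE AUTHORITY\...` name and falls back to the short name when the qualified one fails to translate, and `Test-AceBySid` checks the ACL by SID instead of by account name, so the check does not depend on the SID-to-name direction of the same translation. Function names and the usage path are assumptions for illustration.

```powershell
# Added example, not part of cNtfsAccessControl or of the scripts posted in this issue.
function Resolve-PrincipalSid {
    param([Parameter(Mandatory)][string]$Principal)

    # A SID string needs no translation; S-1-15-2-1 is ALL APPLICATION PACKAGES.
    if ($Principal -match '^S-1-\d+(-\d+)+$') {
        return New-Object System.Security.Principal.SecurityIdentifier($Principal)
    }

    # Try the name as given, then the short unqualified form (the quoted workaround).
    $candidates = @($Principal)
    if ($Principal -like 'APPLICATION PACKAGE AUTHORITY\*') {
        $candidates += $Principal.Split('\', 2)[1]
    }
    foreach ($name in $candidates) {
        try {
            $account = New-Object System.Security.Principal.NTAccount($name)
            return $account.Translate([System.Security.Principal.SecurityIdentifier])
        }
        catch {
            Write-Verbose "Could not translate '$name': $($_.Exception.Message)"
        }
    }
    throw "Could not resolve identity reference '$Principal'"
}

function Test-AceBySid {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Principal,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute'
    )
    $sid = Resolve-PrincipalSid -Principal $Principal
    # Key the rules by SecurityIdentifier so no SID-to-name translation is involved.
    $rules = (Get-Acl -Path $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        # Allow ACE for this SID that grants at least the requested rights
        if ($rule.IdentityReference -eq $sid -and
            $rule.AccessControlType -eq 'Allow' -and
            ($rule.FileSystemRights -band $Rights) -eq $Rights) {
            return $true
        }
    }
    return $false
}

# Constructed usage (assumes the folder from the sample config exists):
# Test-AceBySid -Path 'C:\Program Files\Test' -Principal 'APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES' -Verbose
```

The `-band` comparison deliberately tolerates the extra `Synchronize` bit that Windows adds to ACEs, which the string comparison in the script above has to spell out.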

@SNikalaichyk
Contributor

@tehsuk,
Thanks for sharing the snippet. I will look into this problem.
