IT-CPE
Curtail usage of Windows 'Administrators', favor SID instead
Description
Currently there are a handful of cookbooks which leverage 'Administrators' for defining owner, group, rights, et al. This is problematic when the default language of the Windows device is not set to English.
In order to circumvent this, I believe the gilded approach would be to use SID strings instead of the actual name of the securable resource that the SID would point to (i.e. 'S-1-5-32-544' instead of 'Administrators'). Given that the SIDs for specific builtin groups don't change, methinks this would be a safer approach.
This feature was introduced in Chef Infra client v16.5.64 (See: v16.5.64 release notes under "Windows securable resources").
Chef Version
Chef-client v16.13.16
Platform Version
Windows 10
Replication Case
Set up a Windows machine in a non-English language, run a Chef recipe which relies upon the usage of 'Administrators', 'Everyone', 'SYSTEM' and you should get back errors.
Client Output
Chef::Exceptions::Win32APIError: Não foi feito mapeamento entre os nomes de conta e as identificações de segurança.
Translated to English this becomes:
Chef::Exceptions::Win32APIError: No mapping between account names and security IDs was done.
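An added example, not code from this issue or from IT-CPE: a small Ruby scanner that flags the account names this issue lists when they appear in owner, group or rights lines of recipe source, and suggests the language-independent SID for each. The 'Administrators' SID is the one given above; the SIDs for 'Everyone' and 'SYSTEM' are the Windows well-known values and are an assumption not stated in the issue, as are the function name, the inclusion of deny_rights, and the constructed sample recipe.

```ruby
# Added example, not IT-CPE code. Flags localized Windows account names in
# Chef recipe source and suggests the well-known SID to use instead.

# 'administrators' => SID comes from the issue text. The other two are the
# Windows well-known SIDs (assumption: not stated in the issue).
WELL_KNOWN_SIDS = {
  'administrators' => 'S-1-5-32-544',
  'everyone'       => 'S-1-1-0',
  'system'         => 'S-1-5-18',
}.freeze

# Properties that take a principal. Comment lines never match because the
# property name must be the first token on the line.
PROPERTY_LINE = /^\s*(owner|group|rights|deny_rights)\b(.*)$/

# Hypothetical helper: returns one hash per localized name found.
def find_localized_principals(source)
  findings = []
  source.each_line.with_index(1) do |line, lineno|
    match = PROPERTY_LINE.match(line)
    next unless match
    # Every quoted literal on the line is a candidate principal; this also
    # covers the array form of `rights`.
    match[2].scan(/['"]([^'"]+)['"]/).flatten.each do |name|
      # Drop a domain prefix such as BUILTIN\ or NT AUTHORITY\, which is
      # localized as well.
      bare = name.split('\\').last.to_s.downcase
      sid = WELL_KNOWN_SIDS[bare]
      next unless sid
      findings << { line: lineno, property: match[1], name: name, sid: sid }
    end
  end
  findings
end

# Constructed sample input, not taken from any real cookbook.
SAMPLE_RECIPE = <<~'RECIPE'
  directory 'C:\ProgramData\example' do
    owner 'Administrators'
    rights :full_control, 'S-1-5-32-544'
    rights :read, ['Everyone', 'NT AUTHORITY\SYSTEM']
  end
RECIPE

if __FILE__ == $PROGRAM_NAME
  find_localized_principals(SAMPLE_RECIPE).each do |f|
    puts "line #{f[:line]}: #{f[:property]} uses #{f[:name].inspect}, suggest #{f[:sid]}"
  end
end
```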
Good catch for non-English systems especially. We set the internal rule to never allow the use of owner/group on Windows-only resources in favor of making people use rights, but didn't think about that language issue.
I tried this to no effect. Mind providing an example of usage?
Version 18.0.8, assumes the actual group name is the SID and doesn't understand that SID just maps to the Administrators group. 🤔
I'm not following; do you want an example of the offensive code or the non-offensive usage of SID?