
Assigning folder permissions to "ALL APPLICATION PACKAGES" group

It seems Win 8 has a new user group "ALL APPLICATION PACKAGES". This group seems to have Read permissions on all folders by default. However my requirement is to set some specific ACLs on a folder created by me. This group has no permissions on my folder currently and I wrote some code to add Read permissions for "ALL APPLICATION PACKAGES". I'm using VS 2010 and below is the trimmed down code snippet.

The SID for "ALL APPLICATION PACKAGES" as listed at http://msdn.microsoft.com/en-us/library/cc980032.aspx is ALL_APP_PACKAGES (S-1-15-2-1).

But no matter how or what value I pass as trustee Name the code below does not work. For example in the code below SetNamedSecurityInfo() fails with ERROR_INVALID_ACL. However if I use "Administrators" or "Everyone" account then it works.

The exact permissions I need to assign are “Read & Execute”, “List Folder Contents”, and “Read”.

    #include "stdafx.h"
    #include "windows.h"
    #include "sddl.h"
    #include "Aclapi.h"

    int _tmain(int argc, _TCHAR* argv[])
    {
        TCHAR pszObjName[MAX_PATH] = L"C:\\Program Files\\Common Files\\Test\\";
        PACL pOldDACL = NULL, pNewDACL = NULL;
        PSECURITY_DESCRIPTOR pSD = NULL;
        EXPLICIT_ACCESS ea;
        SECURITY_INFORMATION si = DACL_SECURITY_INFORMATION;

        // Get a pointer to the existing DACL (conditionally).
        DWORD dwRes = GetNamedSecurityInfo(pszObjName, SE_FILE_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, &pSD);

        // Initialize an EXPLICIT_ACCESS structure for the new ACE.
        ZeroMemory(&ea, sizeof(EXPLICIT_ACCESS));
        ea.grfAccessPermissions = STANDARD_RIGHTS_READ;
        ea.grfAccessMode = SET_ACCESS;
        ea.grfInheritance = SUB_CONTAINERS_AND_OBJECTS_INHERIT;
        ea.Trustee.TrusteeForm = TRUSTEE_IS_SID;
        // ea.Trustee.TrusteeType = TRUSTEE_IS_GROUP;
        // Should I be using SID (S-1-15-2-1) (SetEntriesInAcl() fails) or "ALL_APP_PACKAGES" (SetEntriesInAcl() passes but SetNamedSecurityInfo() fails)
        // If I use "Administrators" or "Everyone" as Trustee Name then it works fine but not with "ALL APPLICATION PACKAGES"
        ea.Trustee.ptstrName = _T(" ALL_APP_PACKAGES");

        // Create a new ACL that merges the new ACE into the existing DACL.
        dwRes = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
        if (ERROR_SUCCESS != dwRes)
            goto Cleanup;

        // Attach the new ACL as the object's DACL.
        dwRes = SetNamedSecurityInfo(pszObjName, SE_FILE_OBJECT, si, NULL, NULL, pNewDACL, NULL);
        if (ERROR_SUCCESS != dwRes)
            goto Cleanup;

    Cleanup:
        if (pSD != NULL)
            LocalFree((HLOCAL) pSD);
        if (pNewDACL != NULL)
            LocalFree((HLOCAL) pNewDACL);

        return dwRes;
    }
md kashif asked Jan 13 '23 21:01


1 Answer

Try to set the Trustee structure this way. It works for me.

    ea.Trustee.TrusteeForm = TRUSTEE_IS_NAME;
    ea.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP;
    ea.Trustee.ptstrName = L"ALL APPLICATION PACKAGES";
Jeremy answered Jan 30 '23 20:01
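
Added example (not part of the question or the answer): when `TrusteeForm` is `TRUSTEE_IS_SID`, `ptstrName` is read as a pointer to a binary SID, so a name string stored there is not a usable trustee. The portable C below parses the string form `S-1-15-2-1` into the binary layout (on Windows, `ConvertStringSidToSid` from `sddl.h` performs this conversion) and applies a simplified structural check to both the parsed SID and the UTF-16 bytes of the name string from the question. The type `sid_t`, the function names and the check itself are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Binary SID layout, same field order as the Windows SID structure. */
typedef struct {
    uint8_t  revision;      /* 1 for every current SID */
    uint8_t  sub_count;     /* number of subauthorities, at most 15 */
    uint8_t  authority[6];  /* 48-bit identifier authority, big-endian */
    uint32_t sub[15];
} sid_t;

/* Simplified structural check (assumption): revision 1, at most 15 subauthorities. */
int sid_looks_valid(const void *p) {
    const uint8_t *b = p;
    return b[0] == 1 && b[1] <= 15;
}

/* Parse a string SID such as "S-1-15-2-1"; returns 0 on success, -1 on error. */
int sid_from_string(const char *s, sid_t *out) {
    char *end;
    memset(out, 0, sizeof *out);
    if (strncmp(s, "S-", 2) != 0) return -1;
    unsigned long rev = strtoul(s + 2, &end, 10);
    if (end == s + 2 || rev != 1 || *end != '-') return -1;
    out->revision = 1;
    const char *p = end + 1;
    unsigned long long auth = strtoull(p, &end, 10);
    if (end == p || (auth >> 48) != 0) return -1;
    for (int i = 0; i < 6; i++) out->authority[5 - i] = (uint8_t)(auth >> (8 * i));
    while (*end == '-') {
        if (out->sub_count == 15) return -1;
        p = end + 1;
        unsigned long long v = strtoull(p, &end, 10);
        if (end == p || v > 0xFFFFFFFFull) return -1;
        out->sub[out->sub_count++] = (uint32_t)v;
    }
    return *end == '\0' ? 0 : -1;
}

/* Constructed sample: first UTF-16LE bytes of L" ALL_APP_PACKAGES" as written in the question. */
static const uint8_t name_bytes[] = { 0x20, 0x00, 0x41, 0x00, 0x4C, 0x00, 0x4C, 0x00 };
int name_passes_as_sid(void) { return sid_looks_valid(name_bytes); }

int main(void) {
    sid_t s;
    int rc = sid_from_string("S-1-15-2-1", &s);
    printf("parse rc=%d subauthorities=%d valid=%d\n", rc, s.sub_count, sid_looks_valid(&s));
    printf("name string read as SID: valid=%d\n", name_passes_as_sid());
    return 0;
}
```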