August 20, 2014

Localized Names of Users and Groups in Windows

You know the “Authenticated Users” group in Windows? Microsoft decided to localize its name. For example, in a German Windows it is called “Authentifizierte Benutzer”. While I don’t want to criticize the decision to localize the name, I want to criticize the way it is implemented in some parts of Windows.

If you take a look at icacls, you can write a script that does not depend on the locale of the installed system. Instead of “Everyone” you would just use its SID S-1-5-11 (which does not depend on the locale) according to the list of well-known SIDs in Windows.

That’s ok. Now suppose you want to create a network share using net share. Additionally, you want to restrict access to that share to the “Authenticated Users” group (using the grant argument). Well. No. It is just impossible to do that in a way that does not depend on the locale. The grant argument will only accept the name of a group, but not the SID. (Additionally, it will fail with a not very helpful error 1332 “No mapping between account names and security IDs was done” if you pass a SID…).

With the help of Google you can find a solution (German) that uses wmic to get the localized name, and this is what I used in the end:

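rem Well-known SID, identical in every locale.
set AuthenticatedUsersSid=S-1-5-11
rem Ask WMI for the account with that SID and keep the text after "Name=".
for /f "tokens=2 delims==" %%a in ('"wmic path win32_account where SID='%AuthenticatedUsersSid%' get name /value"') do (
    set AuthenticatedUsersName=%%a
    rem Stop after the first match.
    goto :loop_end
)
:loop_end
echo Found Authenticated Users localized name: %AuthenticatedUsersName%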
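
An added example, not part of the original post: the same SID-to-name lookup done in PowerShell through .NET's SecurityIdentifier.Translate, with the result passed to net share and its grant argument. The function name, share name and share path are placeholders chosen for illustration.

```powershell
# Added example. Resolve-SidToLocalName, $ShareName and $SharePath are
# hypothetical names; S-1-5-11 is the SID used in the batch script above.

function Resolve-SidToLocalName {
    param([Parameter(Mandatory = $true)][string]$Sid)

    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        # Translate() asks the local system for the account behind the SID,
        # so the returned name is in the installed display language.
        $account = $sidObj.Translate([System.Security.Principal.NTAccount])
    }
    catch {
        # Malformed SID string or a SID with no account on this system.
        throw "Could not resolve SID '$Sid': $($_.Exception.Message)"
    }

    # NTAccount.Value has the form "AUTHORITY\Name". Keep only the name
    # part, which is what the wmic query above returns.
    return ($account.Value -split '\\')[-1]
}

$ShareName = 'ExampleShare'       # placeholder
$SharePath = 'C:\ExampleShare'    # placeholder, must already exist

$group = Resolve-SidToLocalName -Sid 'S-1-5-11'
Write-Host "Found Authenticated Users localized name: $group"

# The localized name may contain spaces, so the whole /grant argument is
# passed as a single string.
& net.exe share "$ShareName=$SharePath" "/grant:$group,READ"
if ($LASTEXITCODE -ne 0) {
    throw "net share failed with exit code $LASTEXITCODE"
}

# Show the share so the resulting permission entry can be checked.
& net.exe share $ShareName
```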

But anyway, why doesn’t that work consistently?
