Bug: Administrators group lookup fails on non-English Windows → ACL setup breaks, service crashes

[bieberjz]

On non-English Windows systems (e.g. German), Icinga for Windows fails during ACL setup because built-in security principals are resolved by hard-coded English names.

This affects both:

• the built-in Administrators group
• the service account NT AUTHORITY\NetworkService

On German Windows these are localized (e.g. Administratoren, NT-AUTORITÄT\NETZWERKDIENST) and therefore cannot be resolved by name.

As a result, ACL configuration fails and the Icinga PowerShell Framework cache is not writable, causing the PowerShell service to crash at runtime.

The framework repeatedly errors with:
[Error]: The local Administrators group does not exist or is invalid

As a result:

• ACLs are not applied correctly
• The PowerShell framework cache is not writable
• The Icinga PowerShell Service crashes at runtime
• Follow-up errors occur (e.g. failure to create cache\dll)

This appears to be caused by hard-coded usage of the English group name Administrators instead of resolving the group via SID.

Environment

• OS: Windows (German locale)
• Icinga for Windows Framework: 1.13.5
• Icinga PowerShell Plugins: 1.13.1
• Icinga Agent: 2.15.2
• Service account: NT AUTHORITY\NetworkService
• PowerShell: Windows PowerShell 5.1 (x64)

Installation Log (excerpt)

[Notice]: Installing component "agent" with version "2.15.2"
[Error]: The local Administrators group does not exist or is invalid
[Error]: The local Administrators group does not exist or is invalid
[Error]: The local Administrators group does not exist or is invalid

Runtime Errors

New-Item : Access to the path "dll" is denied
Path:
C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache\dll

and later:

The Icinga for Windows PowerShell instance assigned to this service is no longer present.
It either crashed or was terminated by the user. Stopping service.

Root Cause

• The framework tries to resolve:

• Administrators
• NT AUTHORITY\NetworkService

• These names do not exist on non-English Windows installations
• ACLs are therefore not applied
• Required cache paths are not writable by the service user

Workaround

Manually granting permissions via well-known SIDs works reliably:

# NetworkService
icacls "<framework cache path>" /grant "*S-1-5-20:(OI)(CI)M" /T

# Administrators
icacls "<framework cache path>" /grant "*S-1-5-32-544:(OI)(CI)F" /T

Suggested Fix

• Resolve built-in principals via well-known SIDs:

• S-1-5-32-544 → Administrators
• S-1-5-20 → NetworkService

• Avoid hard-coded English principal names
• Ensure ACL setup is fully locale-independent

[LordHepipud]

Thank you for the report. Could you please test the linked PR?
This should resolve the issue.

[bieberjz]

Warnings during installation/migrations: “Domain Admins group does not exist or is invalid” + system SID warning (German Windows)

Description

During installation / applying pending migrations, ACL permissions are set successfully, but several warnings are printed:

• SID S-1-5-20 detected as system SID → permission update skipped
• Domain group Domain Admins reported as missing/invalid (host-001\Domain Admins) multiple times
  Despite the warnings, ACL configuration appears to complete successfully for the affected directories.

Steps to reproduce

1. Install Icinga for Windows / run installation that triggers migrations (v1.13.3 → v1.14.0 shown in output)
2. Observe output during migrations / ACL setup

Environment

• OS: Windows (German locale)
• Icinga for Windows migrations reported: v1.13.3 and v1.14.0

[Notice]: Applying pending migrations required for Icinga for Windows v1.13.3
[Notice]: Successfully set the icinga2 service to delayed autostart
[Notice]: Applying pending migrations required for Icinga for Windows v1.14.0
[Warning]: It seems the provided SID "S-1-5-20" is a system SID. Skipping permission update
[Warning]: The Domain Admins group does not exist or is invalid: host-001\Domain Admins
[Notice]: Disabled inheritance for directory C:\ProgramData\icinga2\etc
[Notice]: Cleared existing ACL entries for directory C:\ProgramData\icinga2\etc
[Notice]: Configured new ACL entries for directory C:\ProgramData\icinga2\etc
[Notice]: Permissions for directory "C:\ProgramData\icinga2\etc" successfully configured for owner "NT-AUTORITÄT\SYSTEM" and full access users (NT AUTHORITY\NetworkService) and groups (Administrators)
[Warning]: The Domain Admins group does not exist or is invalid: host-001\Domain Admins
[Notice]: Disabled inheritance for directory C:\ProgramData\icinga2\var
[Notice]: Cleared existing ACL entries for directory C:\ProgramData\icinga2\var
[Notice]: Configured new ACL entries for directory C:\ProgramData\icinga2\var
[Notice]: Permissions for directory "C:\ProgramData\icinga2\var" successfully configured for owner "NT-AUTORITÄT\SYSTEM" and full access users (NT AUTHORITY\NetworkService) and groups (Administrators)
[Warning]: The Domain Admins group does not exist or is invalid: host-001\Domain Admins
[Notice]: Disabled inheritance for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache
[Notice]: Cleared existing ACL entries for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache
[Notice]: Configured new ACL entries for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache
[Notice]: Permissions for directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\cache" successfully configured for owner "NT-AUTORITÄT\SYSTEM" and full access users (NT AUTHORITY\NetworkService) and groups (Administrators)
[Warning]: The Domain Admins group does not exist or is invalid: host-001\Domain Admins
[Notice]: Disabled inheritance for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config
[Notice]: Cleared existing ACL entries for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config
[Notice]: Configured new ACL entries for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config
[Notice]: Permissions for directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\config" successfully configured for owner "NT-AUTORITÄT\SYSTEM" and full access users (NT AUTHORITY\NetworkService) and groups (Administrators)
[Warning]: The Domain Admins group does not exist or is invalid: host-001\Domain Admins
[Notice]: Disabled inheritance for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate
[Notice]: Cleared existing ACL entries for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate
[Notice]: Configured new ACL entries for directory C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate
[Notice]: Permissions for directory "C:\Program Files\WindowsPowerShell\Modules\icinga-powershell-framework\certificate" successfully configured for owner "NT-AUTORITÄT\SYSTEM" and full access users (NT AUTHORITY\NetworkService) and groups (Administrators)
``

[LordHepipud]

Thanks, that seems fine. The Domain groups are not that important, especially on non-domain systems.
the SID skip for permission updates is also fine, as this is just required for the security catalog.