by Michael S. Kaplan, published on 2008/06/11 03:01 -04:00, original URI: http://blogs.msdn.com/b/michkap/archive/2008/06/11/8590956.aspx
Regular readers may well remember previous blog posts like Administrator vs. Administrateur, et. al. and What's in a name? (once more).
It would seem that one cannot even find a week going by without someone looking at documentation topics like Setting Up Windows Service Accounts (and in particular its section entitled Localized Service Names) which are so completely misleading on this topic, saying things like
The following table shows service names used by localized version of Microsoft Windows.
Totally ignoring all of the issues I mentioned in this comment:
Well, the Books Online article is telling the truth about the fact that some of these service names are localized, and you cannot use MUI to test out whether this is the case, since they are not localized in the MUI version when it is installed atop English as this post indicates.
But perhaps in the localized versions where this is an issue either (1) the code is smart enough to accept both names, or (2) the localized names are just for display within the UI but would never be used in code, or (3) the CreateService et. al. docs are wrong.
And then mix with this the fact that (4) in Vista every version of Windows is in its on way an MUI version which may change the lay of the land here entirely....
Then, consider the fact that (5) the results may be different across different versions.
Finally, (6) the rename issue may still be an issue here.
Given all of these issues, it seems until the whole issue is clarified that one should either:
a) be willing to test all of these scenarios in localized versions of NT4, Win2000, Winxp, and Vista, or
b) one should use the SIDs for self-defensive purposes.
But I agree that the docs are very unclear about this issue and should be clarified to avoid the confusion. I will stand by my advice as the guaranteed way to avoid problems in light of unclear documentation, but I much prefer to push things as pure best practices rather than scare tactics/fear of the unknown....
I wonder whether we can get that topic changed eventually to dig in a little but deeper given the real usability, accuracy, and security concerns it does not help with in this section on localized account names?
This post brought to you by А (U+0410, CYRILLIC CAPITAL LETTER A)
# Mike Dimmick on 11 Jun 2008 9:33 AM:
It's probably OK in the context of 'what do I enter in this box', because the user will have to enter the localized name for it to be translated back to its SID. (Windows Installer certainly requires user accounts for created services to be given by name rather than by SID, which begs the question of whether it requires the localized or language-neutral name.) CreateWellKnownSid is a relatively new API and I think before it existed you had to use AllocateAndInitializeSid. I'd think Windows Installer just uses LookupAccountSid, but that means you have to provide the correct localized name.
My recollection of WiX is that some of the custom actions translate names into their SIDs and the language-neutral (i.e. English!) names are directly translated, with LookupAccountSid being used for anything not recognized. (WiX supports extended permission sets through custom actions where the the native Windows Installer functionality is weak.)
# Michael S. Kaplan on 11 Jun 2008 10:33 AM:
All very true -- and I am not against the name table being around -- it is more to do with all of the things that aren't there, which lead to problems in expectation.
There are also functionality problems -- why not allow SIDs there in the dialog and/or include a lot of the names that are used on a particular machine -- like do the lookups and put them in a list? Both of THOSE solutions allow people to work within the problem space *without* misleading them, or forcing bad documentation....
referenced by
2008/06/12 The SID, and the name, and the SID