[ADVAPI32]
[reactos.git] / reactos / dll / win32 / advapi32 / wine / security.c
index c3364a9..87afe5f 100644 (file)
@@ -115,26 +115,28 @@ static const WELLKNOWNSID WellKnownSids[] =
     { {'S','I'}, WinSystemLabelSid, { SID_REVISION, 1, { SECURITY_MANDATORY_LABEL_AUTHORITY}, { SECURITY_MANDATORY_SYSTEM_RID } } },
 };
 
+/* these SIDs must be constructed as relative to some domain - only the RID is well-known */
 typedef struct WELLKNOWNRID
 {
+    WCHAR wstr[2];
     WELL_KNOWN_SID_TYPE Type;
     DWORD Rid;
 } WELLKNOWNRID;
 
 static const WELLKNOWNRID WellKnownRids[] = {
-    { WinAccountAdministratorSid,    DOMAIN_USER_RID_ADMIN },
-    { WinAccountGuestSid,            DOMAIN_USER_RID_GUEST },
-    { WinAccountKrbtgtSid,           DOMAIN_USER_RID_KRBTGT },
-    { WinAccountDomainAdminsSid,     DOMAIN_GROUP_RID_ADMINS },
-    { WinAccountDomainUsersSid,      DOMAIN_GROUP_RID_USERS },
-    { WinAccountDomainGuestsSid,     DOMAIN_GROUP_RID_GUESTS },
-    { WinAccountComputersSid,        DOMAIN_GROUP_RID_COMPUTERS },
-    { WinAccountControllersSid,      DOMAIN_GROUP_RID_CONTROLLERS },
-    { WinAccountCertAdminsSid,       DOMAIN_GROUP_RID_CERT_ADMINS },
-    { WinAccountSchemaAdminsSid,     DOMAIN_GROUP_RID_SCHEMA_ADMINS },
-    { WinAccountEnterpriseAdminsSid, DOMAIN_GROUP_RID_ENTERPRISE_ADMINS },
-    { WinAccountPolicyAdminsSid,     DOMAIN_GROUP_RID_POLICY_ADMINS },
-    { WinAccountRasAndIasServersSid, DOMAIN_ALIAS_RID_RAS_SERVERS },
+    { {'L','A'}, WinAccountAdministratorSid,    DOMAIN_USER_RID_ADMIN },
+    { {'L','G'}, WinAccountGuestSid,            DOMAIN_USER_RID_GUEST },
+    { {0,0}, WinAccountKrbtgtSid,           DOMAIN_USER_RID_KRBTGT },
+    { {0,0}, WinAccountDomainAdminsSid,     DOMAIN_GROUP_RID_ADMINS },
+    { {0,0}, WinAccountDomainUsersSid,      DOMAIN_GROUP_RID_USERS },
+    { {0,0}, WinAccountDomainGuestsSid,     DOMAIN_GROUP_RID_GUESTS },
+    { {0,0}, WinAccountComputersSid,        DOMAIN_GROUP_RID_COMPUTERS },
+    { {0,0}, WinAccountControllersSid,      DOMAIN_GROUP_RID_CONTROLLERS },
+    { {0,0}, WinAccountCertAdminsSid,       DOMAIN_GROUP_RID_CERT_ADMINS },
+    { {0,0}, WinAccountSchemaAdminsSid,     DOMAIN_GROUP_RID_SCHEMA_ADMINS },
+    { {0,0}, WinAccountEnterpriseAdminsSid, DOMAIN_GROUP_RID_ENTERPRISE_ADMINS },
+    { {0,0}, WinAccountPolicyAdminsSid,     DOMAIN_GROUP_RID_POLICY_ADMINS },
+    { {0,0}, WinAccountRasAndIasServersSid, DOMAIN_ALIAS_RID_RAS_SERVERS },
 };
 
 static const SID sidWorld = { SID_REVISION, 1, { SECURITY_WORLD_SID_AUTHORITY} , { SECURITY_WORLD_RID } };
@@ -226,46 +228,12 @@ static const char * debugstr_sid(PSID sid)
     return "(too-big)";
 }
 
-static const ACEFLAG AceRights[] =
-{
-    { SDDL_GENERIC_ALL,     GENERIC_ALL },
-    { SDDL_GENERIC_READ,    GENERIC_READ },
-    { SDDL_GENERIC_WRITE,   GENERIC_WRITE },
-    { SDDL_GENERIC_EXECUTE, GENERIC_EXECUTE },
-
-    { SDDL_READ_CONTROL,    READ_CONTROL },
-    { SDDL_STANDARD_DELETE, DELETE },
-    { SDDL_WRITE_DAC,       WRITE_DAC },
-    { SDDL_WRITE_OWNER,     WRITE_OWNER },
-
-    { SDDL_READ_PROPERTY,   ADS_RIGHT_DS_READ_PROP},
-    { SDDL_WRITE_PROPERTY,  ADS_RIGHT_DS_WRITE_PROP},
-    { SDDL_CREATE_CHILD,    ADS_RIGHT_DS_CREATE_CHILD},
-    { SDDL_DELETE_CHILD,    ADS_RIGHT_DS_DELETE_CHILD},
-    { SDDL_LIST_CHILDREN,   ADS_RIGHT_ACTRL_DS_LIST},
-    { SDDL_SELF_WRITE,      ADS_RIGHT_DS_SELF},
-    { SDDL_LIST_OBJECT,     ADS_RIGHT_DS_LIST_OBJECT},
-    { SDDL_DELETE_TREE,     ADS_RIGHT_DS_DELETE_TREE},
-    { SDDL_CONTROL_ACCESS,  ADS_RIGHT_DS_CONTROL_ACCESS},
-
-    { SDDL_FILE_ALL,        FILE_ALL_ACCESS },
-    { SDDL_FILE_READ,       FILE_GENERIC_READ },
-    { SDDL_FILE_WRITE,      FILE_GENERIC_WRITE },
-    { SDDL_FILE_EXECUTE,    FILE_GENERIC_EXECUTE },
-
-    { SDDL_KEY_ALL,         KEY_ALL_ACCESS },
-    { SDDL_KEY_READ,        KEY_READ },
-    { SDDL_KEY_WRITE,       KEY_WRITE },
-    { SDDL_KEY_EXECUTE,     KEY_EXECUTE },
-    { NULL, 0 },
-};
-
 /* set last error code from NT status and get the proper boolean return value */
 /* used for functions that are a simple wrapper around the corresponding ntdll API */
 static __inline BOOL set_ntstatus( NTSTATUS status )
 {
-    if (status) SetLastError( RtlNtStatusToDosError( status ));
-    return !status;
+    if (!NT_SUCCESS(status)) SetLastError( RtlNtStatusToDosError( status ));
+    return NT_SUCCESS(status);
 }
 
 static const RECORD SidTable[] =
@@ -325,16 +293,34 @@ BOOL ADVAPI_IsLocalComputer(LPCWSTR ServerName)
     if (!ServerName || !ServerName[0])
         return TRUE;
 
-    buf = HeapAlloc(GetProcessHeap(), 0, dwSize * sizeof(WCHAR));
+    buf = heap_alloc(dwSize * sizeof(WCHAR));
     Result = GetComputerNameW(buf,  &dwSize);
     if (Result && (ServerName[0] == '\\') && (ServerName[1] == '\\'))
         ServerName += 2;
     Result = Result && !lstrcmpW(ServerName, buf);
-    HeapFree(GetProcessHeap(), 0, buf);
+    heap_free(buf);
 
     return Result;
 }
 
+/************************************************************
+ *                ADVAPI_GetComputerSid
+ */
+BOOL ADVAPI_GetComputerSid(PSID sid)
+{
+    static const struct /* same fields as struct SID */
+    {
+        BYTE Revision;
+        BYTE SubAuthorityCount;
+        SID_IDENTIFIER_AUTHORITY IdentifierAuthority;
+        DWORD SubAuthority[4];
+    } computer_sid =
+    { SID_REVISION, 4, { SECURITY_NT_AUTHORITY }, { SECURITY_NT_NON_UNIQUE, 0, 0, 0 } };
+
+    memcpy( sid, &computer_sid, sizeof(computer_sid) );
+    return TRUE;
+}
+
 /* Exported functions */
 
 /*
@@ -364,28 +350,29 @@ OpenProcessToken(HANDLE ProcessHandle,
     return TRUE;
 }
 
-/*
- * @implemented
+/******************************************************************************
+ * OpenThreadToken [ADVAPI32.@]
+ *
+ * Opens the access token associated with a thread handle.
+ *
+ * PARAMS
+ *   ThreadHandle  [I] Handle to process
+ *   DesiredAccess [I] Desired access to the thread
+ *   OpenAsSelf    [I] ???
+ *   TokenHandle   [O] Destination for the token handle
+ *
+ * RETURNS
+ *  Success: TRUE. TokenHandle contains the access token.
+ *  Failure: FALSE.
+ *
+ * NOTES
+ *  See NtOpenThreadToken.
  */
 BOOL WINAPI
-OpenThreadToken(HANDLE ThreadHandle,
-                DWORD DesiredAccess,
-                BOOL OpenAsSelf,
-                PHANDLE TokenHandle)
+OpenThreadToken( HANDLE ThreadHandle, DWORD DesiredAccess,
+                BOOL OpenAsSelf, HANDLE *TokenHandle)
 {
-    NTSTATUS Status;
-
-    Status = NtOpenThreadToken(ThreadHandle,
-                               DesiredAccess,
-                               OpenAsSelf,
-                               TokenHandle);
-    if (!NT_SUCCESS(Status))
-    {
-        SetLastError(RtlNtStatusToDosError(Status));
-        return FALSE;
-    }
-
-    return TRUE;
+       return set_ntstatus( NtOpenThreadToken(ThreadHandle, DesiredAccess, OpenAsSelf, TokenHandle));
 }
 
 /*
@@ -528,57 +515,88 @@ SetThreadToken(IN PHANDLE ThreadHandle  OPTIONAL,
     return TRUE;
 }
 
-BOOL WINAPI
-CreateRestrictedToken(HANDLE TokenHandle,
-                      DWORD Flags,
-                      DWORD DisableSidCount,
-                      PSID_AND_ATTRIBUTES pSidAndAttributes,
-                      DWORD DeletePrivilegeCount,
-                      PLUID_AND_ATTRIBUTES pLUIDAndAttributes,
-                      DWORD RestrictedSidCount,
-                      PSID_AND_ATTRIBUTES pSIDAndAttributes,
-                      PHANDLE NewTokenHandle)
-{
-    UNIMPLEMENTED;
-    return FALSE;
-}
+/*************************************************************************
+ * CreateRestrictedToken [ADVAPI32.@]
+ *
+ * Create a new more restricted token from an existing token.
+ *
+ * PARAMS
+ *   baseToken       [I] Token to base the new restricted token on
+ *   flags           [I] Options
+ *   nDisableSids    [I] Length of disableSids array
+ *   disableSids     [I] Array of SIDs to disable in the new token
+ *   nDeletePrivs    [I] Length of deletePrivs array
+ *   deletePrivs     [I] Array of privileges to delete in the new token
+ *   nRestrictSids   [I] Length of restrictSids array
+ *   restrictSids    [I] Array of SIDs to restrict in the new token
+ *   newToken        [O] Address where the new token is stored
+ *
+ * RETURNS
+ *  Success: TRUE
+ *  Failure: FALSE
+ */
+BOOL WINAPI CreateRestrictedToken(
+    HANDLE baseToken,
+    DWORD flags,
+    DWORD nDisableSids,
+    PSID_AND_ATTRIBUTES disableSids,
+    DWORD nDeletePrivs,
+    PLUID_AND_ATTRIBUTES deletePrivs,
+    DWORD nRestrictSids,
+    PSID_AND_ATTRIBUTES restrictSids,
+    PHANDLE newToken)
+{
+    TOKEN_TYPE type;
+    SECURITY_IMPERSONATION_LEVEL level = TokenImpersonationLevel;
+    DWORD size;
 
-/*
- * @implemented
- */
-BOOL WINAPI
-AllocateAndInitializeSid(PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
-                         BYTE nSubAuthorityCount,
-                         DWORD dwSubAuthority0,
-                         DWORD dwSubAuthority1,
-                         DWORD dwSubAuthority2,
-                         DWORD dwSubAuthority3,
-                         DWORD dwSubAuthority4,
-                         DWORD dwSubAuthority5,
-                         DWORD dwSubAuthority6,
-                         DWORD dwSubAuthority7,
-                         PSID *pSid)
-{
-    NTSTATUS Status;
+    FIXME("(%p, 0x%x, %u, %p, %u, %p, %u, %p, %p): stub\n",
+          baseToken, flags, nDisableSids, disableSids,
+          nDeletePrivs, deletePrivs,
+          nRestrictSids, restrictSids,
+          newToken);
 
-    Status = RtlAllocateAndInitializeSid(pIdentifierAuthority,
-                                         nSubAuthorityCount,
-                                         dwSubAuthority0,
-                                         dwSubAuthority1,
-                                         dwSubAuthority2,
-                                         dwSubAuthority3,
-                                         dwSubAuthority4,
-                                         dwSubAuthority5,
-                                         dwSubAuthority6,
-                                         dwSubAuthority7,
-                                         pSid);
-    if (!NT_SUCCESS(Status))
+    size = sizeof(type);
+    if (!GetTokenInformation( baseToken, TokenType, &type, size, &size )) return FALSE;
+    if (type == TokenImpersonation)
     {
-        SetLastError(RtlNtStatusToDosError(Status));
-        return FALSE;
+        size = sizeof(level);
+        if (!GetTokenInformation( baseToken, TokenImpersonationLevel, &level, size, &size ))
+            return FALSE;
     }
+    return DuplicateTokenEx( baseToken, MAXIMUM_ALLOWED, NULL, level, type, newToken );
+}
 
-    return TRUE;
+/******************************************************************************
+ * AllocateAndInitializeSid [ADVAPI32.@]
+ *
+ * PARAMS
+ *   pIdentifierAuthority []
+ *   nSubAuthorityCount   []
+ *   nSubAuthority0       []
+ *   nSubAuthority1       []
+ *   nSubAuthority2       []
+ *   nSubAuthority3       []
+ *   nSubAuthority4       []
+ *   nSubAuthority5       []
+ *   nSubAuthority6       []
+ *   nSubAuthority7       []
+ *   pSid                 []
+ */
+BOOL WINAPI
+AllocateAndInitializeSid( PSID_IDENTIFIER_AUTHORITY pIdentifierAuthority,
+                          BYTE nSubAuthorityCount,
+                          DWORD nSubAuthority0, DWORD nSubAuthority1,
+                          DWORD nSubAuthority2, DWORD nSubAuthority3,
+                          DWORD nSubAuthority4, DWORD nSubAuthority5,
+                          DWORD nSubAuthority6, DWORD nSubAuthority7,
+                          PSID *pSid )
+{
+    return set_ntstatus( RtlAllocateAndInitializeSid(
+                             pIdentifierAuthority, nSubAuthorityCount,
+                             nSubAuthority0, nSubAuthority1, nSubAuthority2, nSubAuthority3,
+                             nSubAuthority4, nSubAuthority5, nSubAuthority6, nSubAuthority7,
+                             pSid ));
 }
 
 /*
@@ -595,26 +613,18 @@ FreeSid(PSID pSid)
     return RtlFreeSid(pSid);
 }
 
-/*
- * @implemented
+/******************************************************************************
+ * CopySid [ADVAPI32.@]
+ *
+ * PARAMS
+ *   nDestinationSidLength []
+ *   pDestinationSid       []
+ *   pSourceSid            []
  */
 BOOL WINAPI
-CopySid(DWORD nDestinationSidLength,
-        PSID pDestinationSid,
-        PSID pSourceSid)
+CopySid( DWORD nDestinationSidLength, PSID pDestinationSid, PSID pSourceSid )
 {
-    NTSTATUS Status;
-
-    Status = RtlCopySid(nDestinationSidLength,
-                        pDestinationSid,
-                        pSourceSid);
-    if (!NT_SUCCESS (Status))
-    {
-        SetLastError(RtlNtStatusToDosError(Status));
-        return FALSE;
-    }
-
-  return TRUE;
+       return set_ntstatus(RtlCopySid(nDestinationSidLength, pDestinationSid, pSourceSid));
 }
 
 /*
@@ -828,19 +838,13 @@ GetLengthSid(PSID pSid)
  */
 BOOL
 WINAPI
-GetKernelObjectSecurity(HANDLE Handle,
-                        SECURITY_INFORMATION RequestedInformation,
-                        PSECURITY_DESCRIPTOR pSecurityDescriptor,
-                        DWORD nLength,
-                        LPDWORD lpnLengthNeeded)
+InitializeSecurityDescriptor(PSECURITY_DESCRIPTOR pSecurityDescriptor,
+                             DWORD dwRevision)
 {
     NTSTATUS Status;
 
-    Status = NtQuerySecurityObject(Handle,
-                                   RequestedInformation,
-                                   pSecurityDescriptor,
-                                   nLength,
-                                   lpnLengthNeeded);
+    Status = RtlCreateSecurityDescriptor(pSecurityDescriptor,
+                                         dwRevision);
     if (!NT_SUCCESS(Status))
     {
         SetLastError(RtlNtStatusToDosError(Status));
@@ -855,15 +859,31 @@ GetKernelObjectSecurity(HANDLE Handle,
  */
 BOOL
 WINAPI
-InitializeAcl(PACL pAcl,
-              DWORD nAclLength,
-              DWORD dwAclRevision)
+MakeAbsoluteSD(PSECURITY_DESCRIPTOR pSelfRelativeSecurityDescriptor,
+               PSECURITY_DESCRIPTOR pAbsoluteSecurityDescriptor,
+               LPDWORD lpdwAbsoluteSecurityDescriptorSize,
+               PACL pDacl,
+               LPDWORD lpdwDaclSize,
+               PACL pSacl,
+               LPDWORD lpdwSaclSize,
+               PSID pOwner,
+               LPDWORD lpdwOwnerSize,
+               PSID pPrimaryGroup,
+               LPDWORD lpdwPrimaryGroupSize)
 {
     NTSTATUS Status;
 
-    Status = RtlCreateAcl(pAcl,
-                          nAclLength,
-                          dwAclRevision);
+    Status = RtlSelfRelativeToAbsoluteSD(pSelfRelativeSecurityDescriptor,
+                                         pAbsoluteSecurityDescriptor,
+                                         lpdwAbsoluteSecurityDescriptorSize,
+                                         pDacl,
+                                         lpdwDaclSize,
+                                         pSacl,
+                                         lpdwSaclSize,
+                                         pOwner,
+                                         lpdwOwnerSize,
+                                         pPrimaryGroup,
+                                         lpdwPrimaryGroupSize);
     if (!NT_SUCCESS(Status))
     {
         SetLastError(RtlNtStatusToDosError(Status));
@@ -873,30 +893,37 @@ InitializeAcl(PACL pAcl,
     return TRUE;
 }
 
-/**********************************************************************
- * ImpersonateNamedPipeClient                  EXPORTED
- *
+/******************************************************************************
+ * GetKernelObjectSecurity [ADVAPI32.@]
+ */
+BOOL WINAPI GetKernelObjectSecurity(
+        HANDLE Handle,
+        SECURITY_INFORMATION RequestedInformation,
+        PSECURITY_DESCRIPTOR pSecurityDescriptor,
+        DWORD nLength,
+        LPDWORD lpnLengthNeeded )
+{
+    TRACE("(%p,0x%08x,%p,0x%08x,%p)\n", Handle, RequestedInformation,
+          pSecurityDescriptor, nLength, lpnLengthNeeded);
+
+    return set_ntstatus( NtQuerySecurityObject(Handle, RequestedInformation, pSecurityDescriptor,
+                                               nLength, lpnLengthNeeded ));
+}
+
+/*
  * @implemented
  */
 BOOL
 WINAPI
-ImpersonateNamedPipeClient(HANDLE hNamedPipe)
+InitializeAcl(PACL pAcl,
+              DWORD nAclLength,
+              DWORD dwAclRevision)
 {
-    IO_STATUS_BLOCK StatusBlock;
     NTSTATUS Status;
 
-    TRACE("ImpersonateNamedPipeClient() called\n");
-
-    Status = NtFsControlFile(hNamedPipe,
-                             NULL,
-                             NULL,
-                             NULL,
-                             &StatusBlock,
-                             FSCTL_PIPE_IMPERSONATE,
-                             NULL,
-                             0,
-                             NULL,
-                             0);
+    Status = RtlCreateAcl(pAcl,
+                          nAclLength,
+                          dwAclRevision);
     if (!NT_SUCCESS(Status))
     {
         SetLastError(RtlNtStatusToDosError(Status));
@@ -906,6 +933,16 @@ ImpersonateNamedPipeClient(HANDLE hNamedPipe)
     return TRUE;
 }
 
+BOOL WINAPI ImpersonateNamedPipeClient( HANDLE hNamedPipe )
+{
+    IO_STATUS_BLOCK io_block;
+
+    TRACE("(%p)\n", hNamedPipe);
+
+    return set_ntstatus( NtFsControlFile(hNamedPipe, NULL, NULL, NULL,
+                         &io_block, FSCTL_PIPE_IMPERSONATE, NULL, 0, NULL, 0) );
+}
+
 /*
  * @implemented
  */
@@ -1035,25 +1072,12 @@ AddAce(PACL pAcl,
     return TRUE;
 }
 
-/*
- * @implemented
+/******************************************************************************
+ * DeleteAce [ADVAPI32.@]
  */
-BOOL
-WINAPI
-DeleteAce(PACL pAcl,
-          DWORD dwAceIndex)
+BOOL WINAPI DeleteAce(PACL pAcl, DWORD dwAceIndex)
 {
-    NTSTATUS Status;
-
-    Status = RtlDeleteAce(pAcl,
-                          dwAceIndex);
-    if (!NT_SUCCESS(Status))
-    {
-        SetLastError(RtlNtStatusToDosError(Status));
-        return FALSE;
-    }
-
-    return TRUE;
+    return set_ntstatus(RtlDeleteAce(pAcl, dwAceIndex));
 }
 
 /*
@@ -1068,28 +1092,12 @@ FindFirstFreeAce(PACL pAcl,
                            (PACE*)pAce);
 }
 
-
-/*
- * @implemented
+/******************************************************************************
+ * GetAce [ADVAPI32.@]
  */
-BOOL
-WINAPI
-GetAce(PACL pAcl,
-       DWORD dwAceIndex,
-       LPVOID *pAce)
+BOOL WINAPI GetAce(PACL pAcl,DWORD dwAceIndex,LPVOID *pAce )
 {
-    NTSTATUS Status;
-
-    Status = RtlGetAce(pAcl,
-                       dwAceIndex,
-                       pAce);
-    if (!NT_SUCCESS(Status))
-    {
-        SetLastError(RtlNtStatusToDosError(Status));
-        return FALSE;
-    }
-
-    return TRUE;
+    return set_ntstatus(RtlGetAce(pAcl, dwAceIndex, pAce));
 }
 
 /*
@@ -1813,6 +1821,339 @@ GetSecurityInfoExW(HANDLE hObject,
     return ERROR_BAD_PROVIDER;
 }
 
+/******************************************************************************
+ * BuildExplicitAccessWithNameA [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildExplicitAccessWithNameA(PEXPLICIT_ACCESSA pExplicitAccess,
+                             LPSTR pTrusteeName,
+                             DWORD AccessPermissions,
+                             ACCESS_MODE AccessMode,
+                             DWORD Inheritance)
+{
+    pExplicitAccess->grfAccessPermissions = AccessPermissions;
+    pExplicitAccess->grfAccessMode = AccessMode;
+    pExplicitAccess->grfInheritance = Inheritance;
+
+    pExplicitAccess->Trustee.pMultipleTrustee = NULL;
+    pExplicitAccess->Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pExplicitAccess->Trustee.TrusteeForm = TRUSTEE_IS_NAME;
+    pExplicitAccess->Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pExplicitAccess->Trustee.ptstrName = pTrusteeName;
+}
+
+
+/******************************************************************************
+ * BuildExplicitAccessWithNameW [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildExplicitAccessWithNameW(PEXPLICIT_ACCESSW pExplicitAccess,
+                             LPWSTR pTrusteeName,
+                             DWORD AccessPermissions,
+                             ACCESS_MODE AccessMode,
+                             DWORD Inheritance)
+{
+    pExplicitAccess->grfAccessPermissions = AccessPermissions;
+    pExplicitAccess->grfAccessMode = AccessMode;
+    pExplicitAccess->grfInheritance = Inheritance;
+
+    pExplicitAccess->Trustee.pMultipleTrustee = NULL;
+    pExplicitAccess->Trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pExplicitAccess->Trustee.TrusteeForm = TRUSTEE_IS_NAME;
+    pExplicitAccess->Trustee.TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pExplicitAccess->Trustee.ptstrName = pTrusteeName;
+}
+
+/******************************************************************************
+ * BuildTrusteeWithObjectsAndNameA [ADVAPI32.@]
+ */
+VOID WINAPI BuildTrusteeWithObjectsAndNameA( PTRUSTEEA pTrustee, POBJECTS_AND_NAME_A pObjName,
+                                             SE_OBJECT_TYPE ObjectType, LPSTR ObjectTypeName,
+                                             LPSTR InheritedObjectTypeName, LPSTR Name )
+{
+    DWORD ObjectsPresent = 0;
+
+    TRACE("%p %p 0x%08x %p %p %s\n", pTrustee, pObjName,
+          ObjectType, ObjectTypeName, InheritedObjectTypeName, debugstr_a(Name));
+
+    /* Fill the OBJECTS_AND_NAME structure */
+    pObjName->ObjectType = ObjectType;
+    if (ObjectTypeName != NULL)
+    {
+        ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
+    }
+
+    pObjName->InheritedObjectTypeName = InheritedObjectTypeName;
+    if (InheritedObjectTypeName != NULL)
+    {
+        ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
+    }
+
+    pObjName->ObjectsPresent = ObjectsPresent;
+    pObjName->ptstrName = Name;
+
+    /* Fill the TRUSTEE structure */
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_NAME;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = (LPSTR)pObjName;
+}
+
+/******************************************************************************
+ * BuildTrusteeWithObjectsAndNameW [ADVAPI32.@]
+ */
+VOID WINAPI BuildTrusteeWithObjectsAndNameW( PTRUSTEEW pTrustee, POBJECTS_AND_NAME_W pObjName,
+                                             SE_OBJECT_TYPE ObjectType, LPWSTR ObjectTypeName,
+                                             LPWSTR InheritedObjectTypeName, LPWSTR Name )
+{
+    DWORD ObjectsPresent = 0;
+
+    TRACE("%p %p 0x%08x %p %p %s\n", pTrustee, pObjName,
+          ObjectType, ObjectTypeName, InheritedObjectTypeName, debugstr_w(Name));
+
+    /* Fill the OBJECTS_AND_NAME structure */
+    pObjName->ObjectType = ObjectType;
+    if (ObjectTypeName != NULL)
+    {
+        ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
+    }
+
+    pObjName->InheritedObjectTypeName = InheritedObjectTypeName;
+    if (InheritedObjectTypeName != NULL)
+    {
+        ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
+    }
+
+    pObjName->ObjectsPresent = ObjectsPresent;
+    pObjName->ptstrName = Name;
+
+    /* Fill the TRUSTEE structure */
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_NAME;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = (LPWSTR)pObjName;
+}
+
+/******************************************************************************
+ * BuildTrusteeWithObjectsAndSidA [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildTrusteeWithObjectsAndSidA(PTRUSTEEA pTrustee,
+                               POBJECTS_AND_SID pObjSid,
+                               GUID *pObjectGuid,
+                               GUID *pInheritedObjectGuid,
+                               PSID pSid)
+{
+    DWORD ObjectsPresent = 0;
+
+    TRACE("%p %p %p %p %p\n", pTrustee, pObjSid, pObjectGuid, pInheritedObjectGuid, pSid);
+
+    /* Fill the OBJECTS_AND_SID structure */
+    if (pObjectGuid != NULL)
+    {
+        pObjSid->ObjectTypeGuid = *pObjectGuid;
+        ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
+    }
+    else
+    {
+        ZeroMemory(&pObjSid->ObjectTypeGuid,
+                   sizeof(GUID));
+    }
+
+    if (pInheritedObjectGuid != NULL)
+    {
+        pObjSid->InheritedObjectTypeGuid = *pInheritedObjectGuid;
+        ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
+    }
+    else
+    {
+        ZeroMemory(&pObjSid->InheritedObjectTypeGuid,
+                   sizeof(GUID));
+    }
+
+    pObjSid->ObjectsPresent = ObjectsPresent;
+    pObjSid->pSid = pSid;
+
+    /* Fill the TRUSTEE structure */
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_SID;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = (LPSTR) pObjSid;
+}
+
+
+/******************************************************************************
+ * BuildTrusteeWithObjectsAndSidW [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildTrusteeWithObjectsAndSidW(PTRUSTEEW pTrustee,
+                               POBJECTS_AND_SID pObjSid,
+                               GUID *pObjectGuid,
+                               GUID *pInheritedObjectGuid,
+                               PSID pSid)
+{
+    DWORD ObjectsPresent = 0;
+
+    TRACE("%p %p %p %p %p\n", pTrustee, pObjSid, pObjectGuid, pInheritedObjectGuid, pSid);
+
+    /* Fill the OBJECTS_AND_SID structure */
+    if (pObjectGuid != NULL)
+    {
+        pObjSid->ObjectTypeGuid = *pObjectGuid;
+        ObjectsPresent |= ACE_OBJECT_TYPE_PRESENT;
+    }
+    else
+    {
+        ZeroMemory(&pObjSid->ObjectTypeGuid,
+                   sizeof(GUID));
+    }
+
+    if (pInheritedObjectGuid != NULL)
+    {
+        pObjSid->InheritedObjectTypeGuid = *pInheritedObjectGuid;
+        ObjectsPresent |= ACE_INHERITED_OBJECT_TYPE_PRESENT;
+    }
+    else
+    {
+        ZeroMemory(&pObjSid->InheritedObjectTypeGuid,
+                   sizeof(GUID));
+    }
+
+    pObjSid->ObjectsPresent = ObjectsPresent;
+    pObjSid->pSid = pSid;
+
+    /* Fill the TRUSTEE structure */
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_OBJECTS_AND_SID;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = (LPWSTR) pObjSid;
+}
+
+/******************************************************************************
+ * BuildTrusteeWithSidA [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildTrusteeWithSidA(PTRUSTEE_A pTrustee,
+                     PSID pSid)
+{
+    TRACE("%p %p\n", pTrustee, pSid);
+
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_SID;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = (LPSTR) pSid;
+}
+
+
+/******************************************************************************
+ * BuildTrusteeWithSidW [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildTrusteeWithSidW(PTRUSTEE_W pTrustee,
+                     PSID pSid)
+{
+    TRACE("%p %p\n", pTrustee, pSid);
+
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_SID;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = (LPWSTR) pSid;
+}
+
+/******************************************************************************
+ * BuildTrusteeWithNameA [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildTrusteeWithNameA(PTRUSTEE_A pTrustee,
+                      LPSTR name)
+{
+    TRACE("%p %s\n", pTrustee, name);
+
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_NAME;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = name;
+}
+
+/******************************************************************************
+ * BuildTrusteeWithNameW [ADVAPI32.@]
+ */
+VOID WINAPI
+BuildTrusteeWithNameW(PTRUSTEE_W pTrustee,
+                      LPWSTR name)
+{
+    TRACE("%p %s\n", pTrustee, name);
+
+    pTrustee->pMultipleTrustee = NULL;
+    pTrustee->MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
+    pTrustee->TrusteeForm = TRUSTEE_IS_NAME;
+    pTrustee->TrusteeType = TRUSTEE_IS_UNKNOWN;
+    pTrustee->ptstrName = name;
+}
+
+/******************************************************************************
+ * GetTrusteeFormW [ADVAPI32.@]
+ */
+TRUSTEE_FORM WINAPI
+GetTrusteeFormA(PTRUSTEE_A pTrustee)
+{
+    return pTrustee->TrusteeForm;
+}
+
+
+/******************************************************************************
+ * GetTrusteeFormW [ADVAPI32.@]
+ */
+TRUSTEE_FORM WINAPI
+GetTrusteeFormW(PTRUSTEE_W pTrustee)
+{
+    return pTrustee->TrusteeForm;
+}
+
+/******************************************************************************
+ * GetTrusteeNameA [ADVAPI32.@]
+ */
+LPSTR WINAPI
+GetTrusteeNameA(PTRUSTEE_A pTrustee)
+{
+    return pTrustee->ptstrName;
+}
+
+
+/******************************************************************************
+ * GetTrusteeNameW [ADVAPI32.@]
+ */
+LPWSTR WINAPI
+GetTrusteeNameW(PTRUSTEE_W pTrustee)
+{
+    return pTrustee->ptstrName;
+}
+
+/******************************************************************************
+ * GetTrusteeTypeA [ADVAPI32.@]
+ */
+TRUSTEE_TYPE WINAPI
+GetTrusteeTypeA(PTRUSTEE_A pTrustee)
+{
+    return pTrustee->TrusteeType;
+}
+
+/******************************************************************************
+ * GetTrusteeTypeW [ADVAPI32.@]
+ */
+TRUSTEE_TYPE WINAPI
+GetTrusteeTypeW(PTRUSTEE_W pTrustee)
+{
+    return pTrustee->TrusteeType;
+}
+
 /*
  * @implemented
  */
@@ -1951,6 +2292,9 @@ static BYTE ParseAceStringType(LPCWSTR* StringAcl)
     LPCWSTR szAcl = *StringAcl;
     const ACEFLAG *lpaf = AceType;
 
+    while (*szAcl == ' ')
+        szAcl++;
+
     while (lpaf->wstr &&
         (len = strlenW(lpaf->wstr)) &&
         strncmpW(lpaf->wstr, szAcl, len))
@@ -1959,7 +2303,7 @@ static BYTE ParseAceStringType(LPCWSTR* StringAcl)
     if (!lpaf->wstr)
         return 0;
 
-    *StringAcl += len;
+    *StringAcl = szAcl + len;
     return lpaf->value;
 }
 
@@ -1985,6 +2329,9 @@ static BYTE ParseAceStringFlags(LPCWSTR* StringAcl)
     BYTE flags = 0;
     LPCWSTR szAcl = *StringAcl;
 
+    while (*szAcl == ' ')
+        szAcl++;
+
     while (*szAcl != ';')
     {
         const ACEFLAG *lpaf = AceFlags;
@@ -1997,7 +2344,7 @@ static BYTE ParseAceStringFlags(LPCWSTR* StringAcl)
         if (!lpaf->wstr)
             return 0;
 
-        flags |= lpaf->value;
+       flags |= lpaf->value;
         szAcl += len;
     }
 
@@ -2009,25 +2356,62 @@ static BYTE ParseAceStringFlags(LPCWSTR* StringAcl)
 /******************************************************************************
  * ParseAceStringRights
  */
+static const ACEFLAG AceRights[] =
+{
+    { SDDL_GENERIC_ALL,     GENERIC_ALL },
+    { SDDL_GENERIC_READ,    GENERIC_READ },
+    { SDDL_GENERIC_WRITE,   GENERIC_WRITE },
+    { SDDL_GENERIC_EXECUTE, GENERIC_EXECUTE },
+
+    { SDDL_READ_CONTROL,    READ_CONTROL },
+    { SDDL_STANDARD_DELETE, DELETE },
+    { SDDL_WRITE_DAC,       WRITE_DAC },
+    { SDDL_WRITE_OWNER,     WRITE_OWNER },
+
+    { SDDL_READ_PROPERTY,   ADS_RIGHT_DS_READ_PROP},
+    { SDDL_WRITE_PROPERTY,  ADS_RIGHT_DS_WRITE_PROP},
+    { SDDL_CREATE_CHILD,    ADS_RIGHT_DS_CREATE_CHILD},
+    { SDDL_DELETE_CHILD,    ADS_RIGHT_DS_DELETE_CHILD},
+    { SDDL_LIST_CHILDREN,   ADS_RIGHT_ACTRL_DS_LIST},
+    { SDDL_SELF_WRITE,      ADS_RIGHT_DS_SELF},
+    { SDDL_LIST_OBJECT,     ADS_RIGHT_DS_LIST_OBJECT},
+    { SDDL_DELETE_TREE,     ADS_RIGHT_DS_DELETE_TREE},
+    { SDDL_CONTROL_ACCESS,  ADS_RIGHT_DS_CONTROL_ACCESS},
+
+    { SDDL_FILE_ALL,        FILE_ALL_ACCESS },
+    { SDDL_FILE_READ,       FILE_GENERIC_READ },
+    { SDDL_FILE_WRITE,      FILE_GENERIC_WRITE },
+    { SDDL_FILE_EXECUTE,    FILE_GENERIC_EXECUTE },
+
+    { SDDL_KEY_ALL,         KEY_ALL_ACCESS },
+    { SDDL_KEY_READ,        KEY_READ },
+    { SDDL_KEY_WRITE,       KEY_WRITE },
+    { SDDL_KEY_EXECUTE,     KEY_EXECUTE },
+    { NULL, 0 },
+};
+
 static DWORD ParseAceStringRights(LPCWSTR* StringAcl)
 {
     UINT len = 0;
     DWORD rights = 0;
     LPCWSTR szAcl = *StringAcl;
 
+    while (*szAcl == ' ')
+        szAcl++;
+
     if ((*szAcl == '0') && (*(szAcl + 1) == 'x'))
     {
         LPCWSTR p = szAcl;
 
-        while (*p && *p != ';')
+       while (*p && *p != ';')
             p++;
 
-        if (p - szAcl <= 10 /* 8 hex digits + "0x" */ )
-        {
-            rights = strtoulW(szAcl, NULL, 16);
-            szAcl = p;
-        }
-        else
+       if (p - szAcl <= 10 /* 8 hex digits + "0x" */ )
+       {
+           rights = strtoulW(szAcl, NULL, 16);
+           szAcl = p;
+       }
+       else
             WARN("Invalid rights string format: %s\n", debugstr_wn(szAcl, p - szAcl));
     }
     else
@@ -2037,16 +2421,16 @@ static DWORD ParseAceStringRights(LPCWSTR* StringAcl)
             const ACEFLAG *lpaf = AceRights;
 
             while (lpaf->wstr &&
-                   (len = strlenW(lpaf->wstr)) &&
-                   strncmpW(lpaf->wstr, szAcl, len))
-            {
-                lpaf++;
-            }
+               (len = strlenW(lpaf->wstr)) &&
+               strncmpW(lpaf->wstr, szAcl, len))
+           {
+               lpaf++;
+           }
 
             if (!lpaf->wstr)
                 return 0;
 
-            rights |= lpaf->value;
+           rights |= lpaf->value;
             szAcl += len;
         }
     }
@@ -2061,11 +2445,8 @@ static DWORD ParseAceStringRights(LPCWSTR* StringAcl)
  * 
  * dacl_flags(string_ace1)(string_ace2)... (string_acen) 
  */
-static BOOL
-ParseStringAclToAcl(LPCWSTR StringAcl,
-                    LPDWORD lpdwFlags, 
-                    PACL pAcl,
-                    LPDWORD cBytes)
+static BOOL ParseStringAclToAcl(LPCWSTR StringAcl, LPDWORD lpdwFlags, 
+    PACL pAcl, LPDWORD cBytes)
 {
     DWORD val;
     DWORD sidlen;
@@ -2073,11 +2454,12 @@ ParseStringAclToAcl(LPCWSTR StringAcl,
     DWORD acesize = 0;
     DWORD acecount = 0;
     PACCESS_ALLOWED_ACE pAce = NULL; /* pointer to current ACE */
+    DWORD error = ERROR_INVALID_ACL;
 
     TRACE("%s\n", debugstr_w(StringAcl));
 
     if (!StringAcl)
-        return FALSE;
+       return FALSE;
 
     if (pAcl) /* pAce is only useful if we're setting values */
         pAce = (PACCESS_ALLOWED_ACE) (pAcl + 1);
@@ -2092,29 +2474,34 @@ ParseStringAclToAcl(LPCWSTR StringAcl,
 
         /* Parse ACE type */
         val = ParseAceStringType(&StringAcl);
-        if (pAce)
+       if (pAce)
             pAce->Header.AceType = (BYTE) val;
         if (*StringAcl != ';')
+        {
+            error = RPC_S_INVALID_STRING_UUID;
             goto lerr;
+        }
         StringAcl++;
 
         /* Parse ACE flags */
-        val = ParseAceStringFlags(&StringAcl);
-        if (pAce)
+       val = ParseAceStringFlags(&StringAcl);
+       if (pAce)
             pAce->Header.AceFlags = (BYTE) val;
         if (*StringAcl != ';')
             goto lerr;
         StringAcl++;
 
         /* Parse ACE rights */
-        val = ParseAceStringRights(&StringAcl);
-        if (pAce)
+       val = ParseAceStringRights(&StringAcl);
+       if (pAce)
             pAce->Mask = val;
         if (*StringAcl != ';')
             goto lerr;
         StringAcl++;
 
         /* Parse ACE object guid */
+        while (*StringAcl == ' ')
+            StringAcl++;
         if (*StringAcl != ';')
         {
             FIXME("Support for *_OBJECT_ACE_TYPE not implemented\n");
@@ -2123,6 +2510,8 @@ ParseStringAclToAcl(LPCWSTR StringAcl,
         StringAcl++;
 
         /* Parse ACE inherit object guid */
+        while (*StringAcl == ' ')
+            StringAcl++;
         if (*StringAcl != ';')
         {
             FIXME("Support for *_OBJECT_ACE_TYPE not implemented\n");
@@ -2132,10 +2521,10 @@ ParseStringAclToAcl(LPCWSTR StringAcl,
 
         /* Parse ACE account sid */
         if (ParseStringSidToSid(StringAcl, pAce ? &pAce->SidStart : NULL, &sidlen))
-        {
+       {
             while (*StringAcl && *StringAcl != ')')
                 StringAcl++;
-        }
+       }
 
         if (*StringAcl != ')')
             goto lerr;
@@ -2170,7 +2559,7 @@ ParseStringAclToAcl(LPCWSTR StringAcl,
     return TRUE;
 
 lerr:
-    SetLastError(ERROR_INVALID_ACL);
+    SetLastError(error);
     WARN("Invalid ACE string format\n");
     return FALSE;
 }
@@ -2179,10 +2568,10 @@ lerr:
 /******************************************************************************
  * ParseStringSecurityDescriptorToSecurityDescriptor
  */
-static BOOL
-ParseStringSecurityDescriptorToSecurityDescriptor(LPCWSTR StringSecurityDescriptor,
-                                                  SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor,
-                                                  LPDWORD cBytes)
+static BOOL ParseStringSecurityDescriptorToSecurityDescriptor(
+    LPCWSTR StringSecurityDescriptor,
+    SECURITY_DESCRIPTOR_RELATIVE* SecurityDescriptor,
+    LPDWORD cBytes)
 {
     BOOL bret = FALSE;
     WCHAR toktype;
@@ -2196,25 +2585,28 @@ ParseStringSecurityDescriptorToSecurityDescriptor(LPCWSTR StringSecurityDescript
     if (SecurityDescriptor)
         lpNext = (LPBYTE)(SecurityDescriptor + 1);
 
+    while (*StringSecurityDescriptor == ' ')
+        StringSecurityDescriptor++;
+
     while (*StringSecurityDescriptor)
     {
         toktype = *StringSecurityDescriptor;
 
-        /* Expect char identifier followed by ':' */
-        StringSecurityDescriptor++;
+       /* Expect char identifier followed by ':' */
+       StringSecurityDescriptor++;
         if (*StringSecurityDescriptor != ':')
         {
             SetLastError(ERROR_INVALID_PARAMETER);
             goto lend;
         }
-        StringSecurityDescriptor++;
+       StringSecurityDescriptor++;
 
-        /* Extract token */
-        lptoken = StringSecurityDescriptor;
-        while (*lptoken && *lptoken != ':')
+       /* Extract token */
+       lptoken = StringSecurityDescriptor;
+       while (*lptoken && *lptoken != ':')
             lptoken++;
 
-        if (*lptoken)
+       if (*lptoken)
             lptoken--;
 
         len = lptoken - StringSecurityDescriptor;
@@ -2222,7 +2614,7 @@ ParseStringSecurityDescriptorToSecurityDescriptor(LPCWSTR StringSecurityDescript
         tok[len] = 0;
 
         switch (toktype)
-        {
+       {
             case 'O':
             {
                 DWORD bytes;
@@ -2236,7 +2628,7 @@ ParseStringSecurityDescriptorToSecurityDescriptor(LPCWSTR StringSecurityDescript
                     lpNext += bytes; /* Advance to next token */
                 }
 
-                *cBytes += bytes;
+               *cBytes += bytes;
 
                 break;
             }
@@ -2254,13 +2646,13 @@ ParseStringSecurityDescriptorToSecurityDescriptor(LPCWSTR StringSecurityDescript
                     lpNext += bytes; /* Advance to next token */
                 }
 
-                *cBytes += bytes;
+               *cBytes += bytes;
 
                 break;
             }
 
             case 'D':
-            {
+           {
                 DWORD flags;
                 DWORD bytes;
 
@@ -2272,11 +2664,11 @@ ParseStringSecurityDescriptorToSecurityDescriptor(LPCWSTR StringSecurityDescript
                     SecurityDescriptor->Control |= SE_DACL_PRESENT | flags;
                     SecurityDescriptor->Dacl = lpNext - (LPBYTE)SecurityDescriptor;
                     lpNext += bytes; /* Advance to next token */
-                }
+               }
 
-                *cBytes += bytes;
+               *cBytes += bytes;
 
-                break;
+               break;
             }
 
             case 'S':
@@ -2292,18 +2684,18 @@ ParseStringSecurityDescriptorToSecurityDescriptor(LPCWSTR StringSecurityDescript
                     SecurityDescriptor->Control |= SE_SACL_PRESENT | flags;
                     SecurityDescriptor->Sacl = lpNext - (LPBYTE)SecurityDescriptor;
                     lpNext += bytes; /* Advance to next token */
-                }
+               }
 
-                *cBytes += bytes;
+               *cBytes += bytes;
 
-                break;
+               break;
             }
 
             default:
                 FIXME("Unknown token\n");
                 SetLastError(ERROR_INVALID_PARAMETER);
-                goto lend;
-        }
+               goto lend;
+       }
 
         StringSecurityDescriptor = lptoken;
     }
@@ -3220,6 +3612,15 @@ static DWORD ComputeStringSidSize(LPCWSTR StringSid)
         for (i = 0; i < sizeof(WellKnownSids)/sizeof(WellKnownSids[0]); i++)
             if (!strncmpW(WellKnownSids[i].wstr, StringSid, 2))
                 return GetSidLengthRequired(WellKnownSids[i].Sid.SubAuthorityCount);
+
+        for (i = 0; i < sizeof(WellKnownRids)/sizeof(WellKnownRids[0]); i++)
+            if (!strncmpW(WellKnownRids[i].wstr, StringSid, 2))
+            {
+                MAX_SID local;
+                ADVAPI_GetComputerSid(&local);
+                return GetSidLengthRequired(*GetSidSubAuthorityCount(&local) + 1);
+            }
+
     }
 
     return GetSidLengthRequired(0);
@@ -3247,7 +3648,7 @@ static BOOL ParseStringSidToSid(LPCWSTR StringSid, PSID pSid, LPDWORD cBytes)
     *cBytes = ComputeStringSidSize(StringSid);
     if (!pisid) /* Simply compute the size */
     {
-        TRACE("only size requested, returning TRUE\n");
+        TRACE("only size requested, returning TRUE with %d\n", *cBytes);
         return TRUE;
     }
 
@@ -3326,6 +3727,15 @@ static BOOL ParseStringSidToSid(LPCWSTR StringSid, PSID pSid, LPDWORD cBytes)
                 bret = TRUE;
             }
 
+        for (i = 0; i < sizeof(WellKnownRids)/sizeof(WellKnownRids[0]); i++)
+            if (!strncmpW(WellKnownRids[i].wstr, StringSid, 2))
+            {
+                ADVAPI_GetComputerSid(pisid);
+                pisid->SubAuthority[pisid->SubAuthorityCount] = WellKnownRids[i].Rid;
+                pisid->SubAuthorityCount++;
+                bret = TRUE;
+            }
+
         if (!bret)
             FIXME("String constant not supported: %s\n", debugstr_wn(StringSid, 2));
     }