From 322db146e9397c99e708dd33158a74b792300185 Mon Sep 17 00:00:00 2001 From: Lord Hepipud Date: Wed, 18 Mar 2026 11:20:37 +0100 Subject: [PATCH] Fixes service logon permission removed from other local/domain users --- doc/100-General/10-Changelog.md | 1 + .../windows/Update-IcingaWindowsUserPermission.psm1 | 11 +++++++++++ 2 files changed, 12 insertions(+) diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md index 0bb3f3d..307d0f0 100644 --- a/doc/100-General/10-Changelog.md +++ b/doc/100-General/10-Changelog.md @@ -15,6 +15,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic * [#861](https://github.com/Icinga/icinga-powershell-framework/pull/861) Fixes `Update-IcingaWindowsUserPermission` to ensure permissions for logon as service are granted for non-managed users, while the removal process and any logon deny rights are never touched to not break possible third-party software and manually user configuration for those users * [#864](https://github.com/Icinga/icinga-powershell-framework/pull/864) Fixes process provider which could throw an exception for integer overflow on memory usage +* [#866](https://github.com/Icinga/icinga-powershell-framework/pull/866) Fixes an issue with the Icinga for Windows permission grant for the managed `icinga` user to logon as service, which causes other added local/domain users having this permission revoked for them ## 1.14.1 (2026-02-11) diff --git a/lib/core/windows/Update-IcingaWindowsUserPermission.psm1 b/lib/core/windows/Update-IcingaWindowsUserPermission.psm1 index f2aeba3..1001d8e 100644 --- a/lib/core/windows/Update-IcingaWindowsUserPermission.psm1 +++ b/lib/core/windows/Update-IcingaWindowsUserPermission.psm1 
@@ -100,6 +100,17 @@ function Update-IcingaWindowsUserPermission()
 if ([string]::IsNullOrEmpty($token) -eq $FALSE) {
 # Detect any entries that are not SIDs (SIDs start with '*' and S-1-...)
 if (-not ($token -match '^\*S-1-\d+(-\d+)*$')) {
+ # Try to fetch the SID for the user entry and add it if a SID
+ # is found to ensure we don't accidentally remove entries which are still valid
+ $SIDFromToken = Get-IcingaUserSID -User $token;
+
+ if ([string]::IsNullOrEmpty($SIDFromToken) -eq $FALSE) {
+ $entryList += $token;
+ continue;
+ }
+
+ # Add the non-SID entry to a list to print a warning later, but don't add it to the entry list,
+ # as we don't want to remove it if we are removing permissions for the managed user
 $nonSidEntries += $token;
 continue;
 }
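Review bot: The resolved entry is re-added as the raw `$token` (the account name) rather than as the looked-up `$SIDFromToken`, so if `$entryList` is later compared against, or written back next to, the `*S-1-…` entries matched by the regex on the line above, a name-form entry may not be recognised as the same principal as its SID form. If the list is handled in SID form downstream, adding the resolved value in that form (`$entryList += $SIDFromToken;` with the `*` prefix the existing entries carry) would be the consistent choice. Presumably `Get-IcingaUserSID` returns an empty string when the account cannot be resolved, so a domain account that is only temporarily unresolvable (for example while the domain controller is unreachable) still falls through to `$nonSidEntries` and stays out of `$entryList`; if that list is what gets written back, a transient lookup failure would still revoke the right for that user, which is the very situation this fix targets, so distinguishing "no such account" from "lookup failed" (and guarding the call with try/catch if it can throw) before dropping the entry would close that gap. Update-IcingaWindowsUserPermission starts and ends outside the hunk, so how `$entryList` and `$nonSidEntries` are consumed is not visible here.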