Tags

c++ winapi

Answers (1)

January 20, 2026 Score: 7 Rep: 15,359 Quality: Medium Completeness: 50%

InitializeSecurityDescriptor should be called first before doing anything else to the security descriptor, otherwise you will get this error.

Don't call SetSecurityDescriptorRMControl if you are not dealing with machines that read smart cards.

SetSecurityDescriptorOwner takes a PSID as the second parameter, not a PPSID. Passing si's address instead of its value probably corrupted memory somewhere.

I found writing SIDs by hand error-prone. I usually create a temp file with the desired permissions, then use cacls filename /s to grab the resulting SDDL, and finally call ConvertStringSidToSid with the SDDL. If you are dealing with registry and other permissions, there are a few SDDL tools on GitHub.
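An SDDL string captured from a temp file with cacls filename /s carries whatever ACEs that file had, so it is worth checking which trustees it grants write access to before converting and applying it. The following C++ is an added example, not part of the answer above; the names parse_dacl, grants_write and risky_aces and the sample string are constructed for illustration, and it assumes file-style rights and no conditional ACEs.

```cpp
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Constructed sample DACL string (not taken from the page).
const std::string SAMPLE = "D:PAI(A;;FA;;;BA)(A;;0x1200a9;;;BU)(A;;0x1301bf;;;AU)(A;;FW;;;WD)";
// One ACE: type;flags;rights;object_guid;inherit_object_guid;trustee
struct Ace { std::string type, flags, rights, trustee; };
// Write-type bits: FILE_WRITE_DATA, FILE_APPEND_DATA, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
const uint32_t WRITE_MASK = 0x2 | 0x4 | 0x40000 | 0x80000 | 0x10000000 | 0x40000000;
// Split the D: section into ACEs. Conditional ACEs with nested parentheses are not handled.
std::vector<Ace> parse_dacl(const std::string& sddl) {
    std::vector<Ace> out;
    size_t pos = sddl.find("D:");             // npos here makes the loop a no-op
    const size_t end = sddl.find("S:", pos);  // start of the SACL section, if any
    while ((pos = sddl.find('(', pos)) != std::string::npos && pos < end) {
        const size_t close = sddl.find(')', pos);
        if (close == std::string::npos) break;  // truncated ACE: stop parsing
        std::istringstream in(sddl.substr(pos + 1, close - pos - 1));
        std::vector<std::string> f;
        for (std::string s; std::getline(in, s, ';');) f.push_back(s);
        if (f.size() >= 6) out.push_back({f[0], f[1], f[2], f[5]});
        pos = close;
    }
    return out;
}

// True when the rights field includes write, change-permissions or take-ownership access.
bool grants_write(const std::string& rights) {
    if (rights.rfind("0x", 0) == 0) return (std::stoul(rights, nullptr, 16) & WRITE_MASK) != 0;
    for (size_t i = 0; i + 1 < rights.size(); i += 2) {  // two-letter rights tokens
        const std::string r = rights.substr(i, 2);
        if (r == "GA" || r == "GW" || r == "FA" || r == "FW" || r == "WD" || r == "WO") return true;
    }
    return false;
}

// Allow ACEs giving Everyone (WD), Authenticated Users (AU), Users (BU) or Anonymous (AN) write-type access.
std::vector<Ace> risky_aces(const std::string& sddl) {
    std::vector<Ace> hits;
    for (const Ace& a : parse_dacl(sddl)) {
        const bool broad = a.trustee == "WD" || a.trustee == "AU" || a.trustee == "BU" || a.trustee == "AN";
        if (a.type == "A" && broad && grants_write(a.rights)) hits.push_back(a);
    }
    return hits;
}
int main() { for (const Ace& a : risky_aces(SAMPLE)) std::cout << a.trustee << " has " << a.rights << "\n"; }
```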