Private/Get-SshImportIdPermissionGrantee.ps1

function Get-SshImportIdPermissionGrantee {
    <#
    .SYNOPSIS
        Decides which identities should be granted NTFS access to an
        authorized_keys path (or its parent directory).
 
    .DESCRIPTION
        For the ordinary per-user authorized_keys file/directory, the owning
        account, SYSTEM and Administrators are granted access.
 
        For Windows OpenSSH's shared 'administrators_authorized_keys' file,
        only SYSTEM and Administrators may be granted - the Windows OpenSSH
        permission check rejects the file if any other account (even the
        owning admin's own personal account) holds an explicit ACE on it.
    #>

    [CmdletBinding()]
    [OutputType([string[]])]
    param(
        [Parameter(Mandatory)]
        [string] $Path
    )

    $isAdministratorsKeyFile = -not (Test-Path -Path $Path -PathType Container) `
        -and (Test-SshImportIdAdministratorsAuthorizedKeysPath -Path $Path)

    if ($isAdministratorsKeyFile) {
        return @('SYSTEM', '*S-1-5-32-544')
    }

    @("$env:USERDOMAIN\$env:USERNAME", 'SYSTEM', '*S-1-5-32-544')
}