WMI Folder Add ACL Type Mismatch

I am attempting to write a small application to update folder permissions. I have written the following code to remove oldGroup and add in newGroup.

When I call InvokeMethod I catch an exception HRESULT 0x80041005 - Type Mismatch. Not very helpful! If I comment out newAces.Add(newAce); the old group is successfully removed so the issue lies in my new ACE (newAce) or trustee (trustee). I have tried several methods of instantiating trustee, commented out below.

public void Function()
    {
        CimInstance QueryInstance(CimSession session, string cimNamespace, string query)
        {
            IEnumerable<CimInstance> queryInstances = session.QueryInstances(cimNamespace, "WQL", query);
            return queryInstances.FirstOrDefault();
        }
        string computerName = "localhost";
        string namespaceName = @"root\cimv2";
        string oldGroup = "Everyone";
        string newGroup = "Not Everyone";
        DComSessionOptions sessionOptions = new DComSessionOptions
        {
            Timeout = new TimeSpan(0, 2, 0)
        };
        CimSession cimSession = CimSession.Create(computerName, sessionOptions);

        CimInstance trustee = new CimInstance(cimSession.GetClass(namespaceName, "Win32_Trustee"));
        //CimInstance trustee = new CimInstance("Win32_Trustee");
        trustee.CimInstanceProperties.Single(p => p.Name == "Name").Value = newGroup;
        //trustee.CimInstanceProperties.Add(CimProperty.Create("Name", newGroup, CimType.String, CimFlags.Key));
        trustee.CimInstanceProperties.Single(p => p.Name == "Domain").Value = "GLOBAL";
        //trustee.CimInstanceProperties.Add(CimProperty.Create("Domain", "GLOBAL", CimType.String, CimFlags.Key));

        CimInstance newAce = new CimInstance("Win32_ACE");
        newAce.CimInstanceProperties.Add(CimProperty.Create("AccessMask", 1179817, CimFlags.Key));
        newAce.CimInstanceProperties.Add(CimProperty.Create("AceFlags", 3, CimFlags.Key));
        newAce.CimInstanceProperties.Add(CimProperty.Create("AceType", 0, CimFlags.Key));
        newAce.CimInstanceProperties.Add(CimProperty.Create("Trustee", trustee, CimFlags.Key));

        CimInstance logicalFileSecSetting = QueryInstance(cimSession, namespaceName, @"select * from Win32_LogicalFileSecuritySetting where Path='C:\\dev\\temp\\wmi'");
        CimMethodResult methodResult;
        methodResult = cimSession.InvokeMethod(namespaceName, logicalFileSecSetting, "GetSecurityDescriptor", new CimMethodParametersCollection());
        CimInstance descriptor = (CimInstance)methodResult.OutParameters.SingleOrDefault(p => p.Name == "Descriptor").Value;
        IEnumerable<CimInstance> aces = (IEnumerable<CimInstance>)descriptor.CimInstanceProperties.SingleOrDefault(p => p.Name == "DACL").Value;
        List<CimInstance> newAces = aces.Where(ace =>
        {
            CimInstance aceTrustee = (CimInstance)ace.CimInstanceProperties.Single(p => p.Name == "Trustee").Value;
            string aceTrusteeName = (string)aceTrustee.CimInstanceProperties.Single(p => p.Name == "Name").Value;
            return aceTrusteeName != oldGroup;
        }).ToList();

        newAces.Add(newAce);
        descriptor.CimInstanceProperties.SingleOrDefault(p => p.Name == "DACL").Value = newAces.ToArray();

        CimInstance cimDirectory = QueryInstance(cimSession, namespaceName, @"SELECT * FROM Win32_Directory WHERE Name='C:\\dev\\temp\\wmi'");
        CimMethodParametersCollection methodParameters = new CimMethodParametersCollection
        {
            CimMethodParameter.Create("SecurityDescriptor", descriptor, CimType.Instance, CimFlags.In),
            CimMethodParameter.Create("Option", 4, CimType.UInt32, CimFlags.In)
        };
        methodResult = cimSession.InvokeMethod(namespaceName, cimDirectory, "ChangeSecurityPermissions", methodParameters);
    }

Could anyone more familiar with the Microsoft Management Infrastructure help me out? Thanks in advance.

I figured it out this morning. Once I added the SID and related properties to the Win32_Trustee CimInstance object my new group ACE was added to the folder as required. The SID string is retrieved from Active Directory when I query for the new group details.

public void Function()
{
    CimInstance QueryInstance(CimSession session, string cimNamespace, string query)
    {
        IEnumerable<CimInstance> queryInstances = session.QueryInstances(cimNamespace, "WQL", query);
        return queryInstances.FirstOrDefault();
    }
    byte[] BuildObjectSid(string sid)
    {
        SecurityIdentifier securityIdentifier = new SecurityIdentifier(sid);
        byte[] bytes = new byte[securityIdentifier.BinaryLength];
        securityIdentifier.GetBinaryForm(bytes, 0);
        return bytes;
    }
    string computerName = "localhost";
    string namespaceName = @"root\cimv2";
    string oldGroup = "Everyone";
    string newGroup = "Not Everyone";
    string newGroupSidString = "S-1-5-21";
    byte[] newGroupSid = BuildObjectSid(newGroupSidString);
    DComSessionOptions sessionOptions = new DComSessionOptions
    {
        Timeout = new TimeSpan(0, 2, 0)
    };
    CimSession cimSession = CimSession.Create(computerName, sessionOptions);
    CimInstance trustee = new CimInstance(cimSession.GetClass(namespaceName, "Win32_Trustee"));
    trustee.CimInstanceProperties["Domain"].Value = "GLOBAL";
    trustee.CimInstanceProperties["Name"].Value = newGroup;
    trustee.CimInstanceProperties["SIDString"].Value = newGroupSidString;
    trustee.CimInstanceProperties["SID"].Value = newGroupSid;
    trustee.CimInstanceProperties["SidLength"].Value = newGroupSid.Length;

    CimInstance newAce = new CimInstance(cimSession.GetClass(namespaceName, "Win32_ACE"));
    newAce.CimInstanceProperties["AccessMask"].Value = 1179817;
    newAce.CimInstanceProperties["AceFlags"].Value = 3;
    newAce.CimInstanceProperties["AceType"].Value = 0;
    newAce.CimInstanceProperties["Trustee"].Value = trustee;

    string lfsQuery = @"select * from Win32_LogicalFileSecuritySetting where Path='C:\\dev\\temp\\wmi'";
    CimInstance logicalFileSecSetting = QueryInstance(cimSession, namespaceName, lfsQuery);
    CimClass cimClass = cimSession.GetClass(namespaceName, "Win32_LogicalFileSecuritySetting");
    CimMethodResult methodResult;
    methodResult = cimSession.InvokeMethod(namespaceName, logicalFileSecSetting, "GetSecurityDescriptor", new CimMethodParametersCollection());
    CimInstance descriptor = (CimInstance)methodResult.OutParameters["Descriptor"].Value;
    CimInstance[] aces = (CimInstance[])descriptor.CimInstanceProperties["DACL"].Value;
    for (int i = 0; i < aces.Length; i++)
    {
        CimInstance aceTrustee = (CimInstance)aces[i].CimInstanceProperties["Trustee"].Value;
        string aceTrusteeName = (string)aceTrustee.CimInstanceProperties["Name"].Value;
        if (aceTrusteeName == oldGroup)
        {
            aces[i] = newAce;
        }
    }
    descriptor.CimInstanceProperties["DACL"].Value = aces;
    CimInstance cimDirectory = QueryInstance(cimSession, namespaceName, @"SELECT * FROM Cim_Directory WHERE Name='C:\\dev\\temp\\wmi'");
    CimMethodParametersCollection methodParameters = new CimMethodParametersCollection
    {
        CimMethodParameter.Create("SecurityDescriptor", descriptor, CimType.Instance, CimFlags.In),
        CimMethodParameter.Create("Option", 4, CimType.UInt32, CimFlags.In)
    };
    methodResult = cimSession.InvokeMethod(namespaceName, cimDirectory, "ChangeSecurityPermissions", methodParameters);
}