Reputation: 1
If a Wi-Fi profile is configured manually by entering the password, non-admin users can't see the password with the netsh command, but when the profile is added via WlanSetProfile, anyone can view the password if the security descriptor is not set. As an alternative, I've tried WlanGetSecuritySettings() to get the default DACL of the Wi-Fi profile, but it also fails with "parameter is incorrect" (87).
In C++ I'm using the Win32 API to set a Wi-Fi profile with a security descriptor.
I've tried most of the combinations to deny read control alone and allow write control, but nothing is denying the read access and providing access to connect/disconnect at the same time.
I need to restrict normal users from viewing the password of a Wi-Fi profile with netsh. So I'm trying to restrict read access for WD users, and WD can connect or disconnect using the profile. But with the DACL below, users are able to view the password via the netsh command in CMD, and if I deny access to RC I have issues connecting to the Wi-Fi.
hClient - handle returned from WlanOpenHandle().
WlanSetProfile(hClient,&(pIfInfo->InterfaceGuid),dwFlag,strProfileXmlW, L"O:WDG:WDD:(A;;CCWP;;;WD)(D;;RC;;;WD)",FALSE,NULL,pdwReasonCode);
Using the WlanSetProfile function with the "strAllUserProfileSecurity" parameter and the security descriptor string1 = "O:WDG:WDD:(A;;CCWP;;;WD)(D;;RC;;;WD)".
O:Owner - allusers
G:Group - allusers
A - access allowed
CC - create child
WP - write property
D - access denied
RC - read control
string2 = "O:WDG:WDD:(A;;CCWPRC;;;BA)(A;;CCWP;;;WD)(D;;RC;;;WD)"
WlanGetSecuritySettings(hClient, wlan_secure_add_new_all_user_profiles, NULL, NULL, &grantedAccess);
Upvotes: 0
Views: 90
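Added example, not part of the original post: the SDDL strings above decoded into access-mask bits and compared with the WLAN_READ_ACCESS and WLAN_EXECUTE_ACCESS macros from wlanapi.h. The names kRights, kWlanRead, kWlanExecute, ParseAces and DeniedBits are made up for this example, and it is mask arithmetic only: how the WLAN service maps connecting or key display onto these masks is not covered.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// SDDL right codes that appear on the page, with their winnt.h bit values.
static const std::map<std::string, uint32_t> kRights = {
    {"CC", 0x00000001},  // same bit as FILE_READ_DATA
    {"WP", 0x00000020},  // same bit as FILE_EXECUTE
    {"RC", 0x00020000},  // READ_CONTROL, i.e. STANDARD_RIGHTS_READ / _EXECUTE
};
// Composite rights as wlanapi.h defines them.
constexpr uint32_t kWlanRead = 0x00020000 | 0x01;                 // WLAN_READ_ACCESS
constexpr uint32_t kWlanExecute = kWlanRead | 0x00020000 | 0x20;  // WLAN_EXECUTE_ACCESS

struct Ace { char type; uint32_t mask; std::string sid; };

// Parses each "(type;flags;rights;object;inherit;sid)" group. Assumes the
// string carries only a DACL, as both strings on the page do.
std::vector<Ace> ParseAces(const std::string& sddl) {
    std::vector<Ace> aces;
    for (std::size_t pos = sddl.find('('); pos != std::string::npos; pos = sddl.find('(', pos + 1)) {
        std::size_t end = sddl.find(')', pos);
        if (end == std::string::npos) break;
        std::istringstream body(sddl.substr(pos + 1, end - pos - 1));
        std::string f[6];
        for (auto& s : f) std::getline(body, s, ';');
        uint32_t mask = 0;
        for (std::size_t i = 0; i + 1 < f[2].size(); i += 2)
            mask |= kRights.at(f[2].substr(i, 2));  // throws on a code not listed above
        aces.push_back({f[0].empty() ? '?' : f[0][0], mask, f[5]});
    }
    return aces;
}
// Bits of `required` that the deny ACEs for `sid` remove.
uint32_t DeniedBits(const std::vector<Ace>& aces, const std::string& sid, uint32_t required) {
    uint32_t denied = 0;
    for (const auto& a : aces)
        if (a.type == 'D' && a.sid == sid) denied |= a.mask & required;
    return denied;
}

int main() {
    const auto aces = ParseAces("O:WDG:WDD:(A;;CCWP;;;WD)(D;;RC;;;WD)");  // string1 from the post
    std::cout << std::hex << "read bits absent from execute: 0x" << (kWlanRead & ~kWlanExecute)
              << "\nexecute bits denied to WD: 0x" << DeniedBits(aces, "WD", kWlanExecute) << '\n';
}
```

Every bit of WLAN_READ_ACCESS is also part of WLAN_EXECUTE_ACCESS, so the deny ACE on RC removes the same bit from both masks.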