CMM: grant Users Modify on PC-DMIS install dirs for non-admin launch

PC-DMIS writes settings, probe configs, and measurement data to its own Program Files install directory at runtime. Without Modify permission for BUILTIN\Users, non-admin accounts (ShopFloor) get a UAC elevation prompt on every launch. The "run as admin once" workaround can't be automated because PC-DMIS shows a license dialog on first run that blocks silently. Fix: grant BUILTIN\Users Modify with inheritance on: - C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit - C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit - C:\ProgramData\Hexagon Runs as Step 2.5 in 09-Setup-CMM.ps1 after Install-FromManifest completes. If the exe also has an embedded requireAdministrator manifest (separate from the file-permission issue), that will need an additional fix after testing. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 10:38:24 -04:00
parent ac23759486
commit 1a5feefb01
1 changed files with 36 additions and 0 deletions
--- a/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
+++ b/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
@@ -124,6 +124,42 @@ else {
    Write-CMMLog "Install-FromManifest returned $rc"
 }

+# ============================================================================
+# Step 2.5: Grant Users write access to PC-DMIS install directories
+# ============================================================================
+# PC-DMIS writes settings, probe configs, and measurement data to its own
+# install directory at runtime. Without Modify permission for BUILTIN\Users,
+# non-admin accounts get a UAC elevation prompt on every launch. Granting
+# the ACL here is the Hexagon-documented approach for non-admin deployment
+# and avoids the need for a first-run-as-admin (which hits a license dialog
+# and can't be automated silently).
+$pcdmisDirs = @(
+    'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
+    'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
+    'C:\ProgramData\Hexagon'
+)
+foreach ($dir in $pcdmisDirs) {
+    if (-not (Test-Path -LiteralPath $dir)) {
+        Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
+        continue
+    }
+    try {
+        $acl = Get-Acl -LiteralPath $dir
+        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+            'BUILTIN\Users',
+            'Modify',
+            'ContainerInherit,ObjectInherit',
+            'None',
+            'Allow'
+        )
+        $acl.AddAccessRule($rule)
+        Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
+        Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
+    } catch {
+        Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
+    }
+}
+
 # ============================================================================
 # Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
 # ============================================================================