diff --git a/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1 b/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
index c341d5f..5300dea 100644
--- a/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
+++ b/playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
@@ -124,6 +124,42 @@ else {
 Write-CMMLog "Install-FromManifest returned $rc"
 }
 
+# ============================================================================
+# Step 2.5: Grant Users write access to PC-DMIS install directories
+# ============================================================================
+# PC-DMIS writes settings, probe configs, and measurement data to its own
+# install directory at runtime. Without Modify permission for BUILTIN\Users,
+# non-admin accounts get a UAC elevation prompt on every launch. Granting
+# the ACL here is the Hexagon-documented approach for non-admin deployment
+# and avoids the need for a first-run-as-admin (which hits a license dialog
+# and can't be automated silently).
+$pcdmisDirs = @(
+ 'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
+ 'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
+ 'C:\ProgramData\Hexagon'
+)
+foreach ($dir in $pcdmisDirs) {
+ if (-not (Test-Path -LiteralPath $dir)) {
+ Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
+ continue
+ }
+ try {
+ $acl = Get-Acl -LiteralPath $dir
+ $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
+ 'BUILTIN\Users',
+ 'Modify',
+ 'ContainerInherit,ObjectInherit',
+ 'None',
+ 'Allow'
+ )
+ $acl.AddAccessRule($rule)
+ Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
+ Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
+ } catch {
+ Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
+ }
+}
+
 # ============================================================================
 # Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
 # ============================================================================
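Review bot: The Step 2.5 loop grants `BUILTIN\Users` an inheritable `Modify` on the whole PC-DMIS install trees under `C:\Program Files\Hexagon\...` and on `C:\ProgramData\Hexagon`, so every executable and DLL in those trees becomes writable by any local standard user, and anything an administrator or service later runs from there can be tampered with. If the vendor guidance allows it, scope the rule to the subfolders PC-DMIS actually writes at runtime, or to a dedicated operators group instead of all Users; the hunk does not show which subfolders those are. Separately, the account name `'BUILTIN\Users'` is locale-dependent, and passing the well-known SID as the rule's identity, `New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-545')`, avoids a name-translation failure on non-English images. A comment such as `# SECURITY: install tree becomes user-writable; do not run binaries from here elevated` would record the trade-off, and since a failed `Set-Acl` is only logged as `WARN`, the setup result should surface it so a half-configured machine is noticed.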