ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

CMM: grant Users Modify on PC-DMIS install dirs for non-admin launch

Browse Source 
PC-DMIS writes settings, probe configs, and measurement data to its own
Program Files install directory at runtime. Without Modify permission
for BUILTIN\Users, non-admin accounts (ShopFloor) get a UAC elevation
prompt on every launch. The "run as admin once" workaround can't be
automated because PC-DMIS shows a license dialog on first run that
blocks silently.

Fix: grant BUILTIN\Users Modify with inheritance on:
  - C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit
  - C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit
  - C:\ProgramData\Hexagon

Runs as Step 2.5 in 09-Setup-CMM.ps1 after Install-FromManifest
completes. If the exe also has an embedded requireAdministrator manifest
(separate from the file-permission issue), that will need an additional
fix after testing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
cproudlock
2026-04-16 10:38:24 -04:00
parent ac23759486
commit 1a5feefb01
1 changed files with 36 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
playbook/shopfloor-setup/CMM/09-Setup-CMM.ps1
View File

@@ -124,6 +124,42 @@ else {
Write-CMMLog "Install-FromManifest returned $rc" Write-CMMLog "Install-FromManifest returned $rc"
} }
# ============================================================================
# Step 2.5: Grant Users write access to PC-DMIS install directories
# ============================================================================
# PC-DMIS writes settings, probe configs, and measurement data to its own
# install directory at runtime. Without Modify permission for BUILTIN\Users,
# non-admin accounts get a UAC elevation prompt on every launch. Granting
# the ACL here is the Hexagon-documented approach for non-admin deployment
# and avoids the need for a first-run-as-admin (which hits a license dialog
# and can't be automated silently).
$pcdmisDirs = @(
'C:\Program Files\Hexagon\PC-DMIS 2016.0 64-bit',
'C:\Program Files\Hexagon\PC-DMIS 2019 R2 64-bit',
'C:\ProgramData\Hexagon'
)
foreach ($dir in $pcdmisDirs) {
if (-not (Test-Path -LiteralPath $dir)) {
Write-CMMLog "PC-DMIS dir not found: $dir - skipping ACL"
continue
}
try {
$acl = Get-Acl -LiteralPath $dir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
'BUILTIN\Users',
'Modify',
'ContainerInherit,ObjectInherit',
'None',
'Allow'
)
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop
Write-CMMLog "Granted BUILTIN\Users Modify on $dir"
} catch {
Write-CMMLog "Failed to set ACL on $dir : $_" "WARN"
}
}
# ============================================================================ # ============================================================================
# Step 3: Stage runtime scripts to C:\Program Files\GE\CMM # Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
# ============================================================================ # ============================================================================