From e17b3a521dbc71c34a54a7e7c7811bb80acaa59c Mon Sep 17 00:00:00 2001 From: cproudlock Date: Fri, 10 Apr 2026 09:28:25 -0400 Subject: [PATCH] Fix 5 bugs from shopfloor-setup transcript review 1. UDC JSON ACL: set on directory C:\ProgramData\UDC\ with ContainerInherit+ObjectInherit instead of the file. UDC_Setup.exe gets killed by KillAfterDetection before UDC.exe creates udc_settings.json, so the file doesn't exist at ACL-grant time. Directory-level ACL with inheritance covers any file created later. 2. Set-MachineNumber.ps1 auto-running: the type-specific loop's Get-ChildItem -Filter "*.ps1" picked up the desktop tool alongside the numbered installer scripts. Added Where-Object { $_.Name -match '^\d' } so only numbered-prefix scripts (01-eDNC, 02-ACLs) run. 3. WJ Shopfloor copy-to-self: Phase 1 sweep moved WJ Shopfloor.lnk into Shopfloor Tools\, then Phase 2's Find-ExistingLnk found it there and tried to Copy-Item to the same path. Now checks if resolved source path == destination and prints "exists: (already in Shopfloor Tools)" instead of erroring. 4. NTLARS missing from taskbar pins: the $pinSpec entry was never added to 07-TaskbarLayout.ps1 despite the comment update. Added between eDNC and Defect_Tracker in pin order. 5. shutdown /a stderr noise: 15+ red "Unable to abort system shutdown" lines in the transcript from shutdown.exe writing to stderr when no shutdown is pending. Changed all occurrences in Run-ShopfloorSetup, 00-PreInstall-MachineApps to: cmd /c "shutdown /a 2>nul" *>$null which suppresses both native stderr and PS error stream. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../shopfloor-setup/Run-ShopfloorSetup.ps1 | 15 +++++++---- .../Shopfloor/00-PreInstall-MachineApps.ps1 | 4 +-- .../Shopfloor/06-OrganizeDesktop.ps1 | 20 +++++++++----- .../Shopfloor/07-TaskbarLayout.ps1 | 5 ++++ .../Standard/02-MachineNumberACLs.ps1 | 27 ++++++++++++------- 5 files changed, 49 insertions(+), 22 deletions(-) diff --git a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 index 2dcad55..58a5c0a 100644 --- a/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 +++ b/playbook/shopfloor-setup/Run-ShopfloorSetup.ps1 @@ -26,7 +26,7 @@ Write-Host "" reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoLogonCount /t REG_DWORD /d 99 /f | Out-Null # Cancel any pending reboot so it doesn't interrupt setup -shutdown -a 2>$null +cmd /c "shutdown /a 2>nul" *>$null # Prompt user to unplug from PXE switch before re-enabling wired adapters Write-Host "" @@ -96,7 +96,7 @@ if (Test-Path $baselineDir) { Write-Host "Skipping baseline: $($script.Name) (runs in finalization phase)" continue } - shutdown /a 2>$null + cmd /c "shutdown /a 2>nul" *>$null Write-Host "Running baseline: $($script.Name)" try { & $script.FullName @@ -110,9 +110,14 @@ if (Test-Path $baselineDir) { if ($pcType -ne "Shopfloor") { $typeDir = Join-Path $setupDir $pcType if (Test-Path $typeDir) { - $scripts = Get-ChildItem -Path $typeDir -Filter "*.ps1" -File | Sort-Object Name + # Only run numbered scripts (01-eDNC.ps1, 02-MachineNumberACLs.ps1). + # Unnumbered .ps1 files (Set-MachineNumber.ps1) are desktop tools, + # not installer scripts, and must not auto-run during setup. + $scripts = Get-ChildItem -Path $typeDir -Filter "*.ps1" -File | + Where-Object { $_.Name -match '^\d' } | + Sort-Object Name foreach ($script in $scripts) { - shutdown /a 2>$null + cmd /c "shutdown /a 2>nul" *>$null Write-Host "Running $pcType setup: $($script.Name)" try { & $script.FullName @@ -137,7 +142,7 @@ foreach ($name in $runAfterTypeSpecific) { Write-Warning "Deferred script not found: $script" continue } - shutdown /a 2>$null + cmd /c "shutdown /a 2>nul" *>$null Write-Host "Running deferred baseline: $name" try { & $script diff --git a/playbook/shopfloor-setup/Shopfloor/00-PreInstall-MachineApps.ps1 b/playbook/shopfloor-setup/Shopfloor/00-PreInstall-MachineApps.ps1 index 87c7fd5..2c72959 100644 --- a/playbook/shopfloor-setup/Shopfloor/00-PreInstall-MachineApps.ps1 +++ b/playbook/shopfloor-setup/Shopfloor/00-PreInstall-MachineApps.ps1 @@ -151,7 +151,7 @@ foreach ($app in $config.Applications) { # Cancel any reboot a previous installer scheduled (some respect /norestart, some # don't - VC++ 2008's bootstrapper sometimes triggers an immediate Windows reboot # despite the flag). Doing this BEFORE each install protects the rest of the loop. - & shutdown.exe /a 2>$null + cmd /c "shutdown /a 2>nul" *>$null Write-PreInstallLog "==> $($app.Name)" @@ -369,6 +369,6 @@ Write-PreInstallLog "============================================" # Final reboot cancel - if the last installer in the loop scheduled one, the # dispatcher's later `shutdown /a` won't fire until the next baseline script starts. # Cancel here so control returns cleanly to Run-ShopfloorSetup.ps1. -& shutdown.exe /a 2>$null +cmd /c "shutdown /a 2>nul" *>$null exit 0 diff --git a/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 b/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 index 586fe8e..71db638 100644 --- a/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 +++ b/playbook/shopfloor-setup/Shopfloor/06-OrganizeDesktop.ps1 @@ -319,12 +319,20 @@ function Add-ShopfloorToolsApps { 'existing' { $src = Find-ExistingLnk $app.SourceName if ($src) { - if (-not (& $ensureToolsDir)) { break } - try { - Copy-Item -LiteralPath $src -Destination $dest -Force -ErrorAction Stop - Write-Host " copied: $($app.Name) from $src" - } catch { - Write-Warning "Failed to copy $src -> $dest : $_" + # Skip if the sweep already moved the source into the + # destination folder (src == dest → "cannot overwrite + # the item with itself"). + if ((Resolve-Path -LiteralPath $src -ErrorAction SilentlyContinue).Path -eq + (Join-Path $shopfloorToolsDir $app.SourceName)) { + Write-Host " exists: $($app.Name) (already in Shopfloor Tools)" + } else { + if (-not (& $ensureToolsDir)) { break } + try { + Copy-Item -LiteralPath $src -Destination $dest -Force -ErrorAction Stop + Write-Host " copied: $($app.Name) from $src" + } catch { + Write-Warning "Failed to copy $src -> $dest : $_" + } } } else { Write-Host " skip: $($app.Name) - no source .lnk found" -ForegroundColor DarkGray diff --git a/playbook/shopfloor-setup/Shopfloor/07-TaskbarLayout.ps1 b/playbook/shopfloor-setup/Shopfloor/07-TaskbarLayout.ps1 index 3b650f2..51bc454 100644 --- a/playbook/shopfloor-setup/Shopfloor/07-TaskbarLayout.ps1 +++ b/playbook/shopfloor-setup/Shopfloor/07-TaskbarLayout.ps1 @@ -65,6 +65,11 @@ $pinSpec = @( Path = '%PUBLIC%\Desktop\Shopfloor Tools\eDNC.lnk' Literal = (Join-Path $shopfloorToolsDir 'eDNC.lnk') } + @{ + Name = 'NTLARS' + Path = '%PUBLIC%\Desktop\Shopfloor Tools\NTLARS.lnk' + Literal = (Join-Path $shopfloorToolsDir 'NTLARS.lnk') + } @{ Name = 'Defect_Tracker' Path = '%PUBLIC%\Desktop\Shopfloor Tools\Defect_Tracker.lnk' diff --git a/playbook/shopfloor-setup/Standard/02-MachineNumberACLs.ps1 b/playbook/shopfloor-setup/Standard/02-MachineNumberACLs.ps1 index acc2104..88c3ae7 100644 --- a/playbook/shopfloor-setup/Standard/02-MachineNumberACLs.ps1 +++ b/playbook/shopfloor-setup/Standard/02-MachineNumberACLs.ps1 @@ -16,21 +16,30 @@ Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurren Write-Host "" Write-Host "Setting ACLs for standard-user machine number access..." -# --- UDC settings JSON --- -$udcJson = 'C:\ProgramData\UDC\udc_settings.json' -if (Test-Path -LiteralPath $udcJson) { +# --- UDC settings directory --- +# Set ACL on the DIRECTORY (not the file) with inheritance so that +# udc_settings.json inherits the permission whenever UDC.exe creates it. +# UDC_Setup.exe is killed by KillAfterDetection before UDC.exe writes the +# JSON, so the file doesn't exist at this point. Directory-level ACL with +# ContainerInherit + ObjectInherit covers any file created inside later. +$udcDir = 'C:\ProgramData\UDC' +if (Test-Path -LiteralPath $udcDir) { try { - $acl = Get-Acl -LiteralPath $udcJson + $acl = Get-Acl -LiteralPath $udcDir $rule = New-Object System.Security.AccessControl.FileSystemAccessRule( - 'BUILTIN\Users', 'Modify', 'Allow') + 'BUILTIN\Users', 'Modify', + ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor + [System.Security.AccessControl.InheritanceFlags]::ObjectInherit), + [System.Security.AccessControl.PropagationFlags]::None, + 'Allow') $acl.AddAccessRule($rule) - Set-Acl -LiteralPath $udcJson -AclObject $acl -ErrorAction Stop - Write-Host " UDC JSON: BUILTIN\Users granted Modify on $udcJson" + Set-Acl -LiteralPath $udcDir -AclObject $acl -ErrorAction Stop + Write-Host " UDC dir: BUILTIN\Users granted Modify (inherited) on $udcDir" } catch { - Write-Warning " Failed to set ACL on $udcJson : $_" + Write-Warning " Failed to set ACL on $udcDir : $_" } } else { - Write-Host " UDC JSON not found at $udcJson - skipping (UDC not installed?)" -ForegroundColor DarkGray + Write-Host " UDC dir not found at $udcDir - skipping (UDC not installed?)" -ForegroundColor DarkGray } # --- eDNC registry key ---