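# Register-MapSfldShare.ps1 - Register a parallel logon task that runs
# the SFLD vendor's ConsumeCredentials.ps1 for ANY user in BUILTIN\Users.
#
# Why: the vendor's own 'SFLD - Consume Credentials' scheduled task is
# registered with a principal that excludes ShopFloor (admin/specific-
# user only), so when ShopFloor logs in, ConsumeCredentials never fires
# for that session and S: drive is never mapped (drive mappings are
# per-user-session, so SupportUser's mapping doesn't carry over).
#
# We don't reimplement the mapping logic - the vendor script at
# C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1 already
# reads HKLM creds and runs net use when DriveLetter/ShareName are
# populated. We just register a second task with a wider principal
# (BUILTIN\Users + Limited) so the vendor script ALSO fires for the
# end-user logon.
#
# Trade-off: the vendor script's New-StoredCredential -Persist LocalMachine
# step requires admin to write Cred Manager. ShopFloor (Limited) will see
# that part throw, but the script catches per-cred and the net use step
# still runs and lands the drive in ShopFloor's session.
#
# Security notes:
#   * The task executes the vendor script in EVERY interactive logon session,
#     so the script file's integrity matters: if a standard user could modify
#     it, their changes would run in other users' sessions. This script logs
#     a WARN when the file's ACL grants write-type rights to a broad group.
#     The check is best-effort and covers the file only, not parent folders.
#   * NOTE(review): for the vendor script to map the drive from a Limited
#     session, the HKLM credential values presumably have to be readable by
#     standard users - confirm how the vendor protects them.

$ErrorActionPreference = 'Continue'

$logDir  = 'C:\Logs\SFLD'
$logFile = Join-Path $logDir 'register-mapshare.log'
if (-not (Test-Path $logDir)) {
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}

# Append one timestamped line to the registration log and echo it to the host.
#   Message - text to record.
#   Level   - severity tag written into the line; defaults to INFO so existing
#             single-argument calls keep their output format.
# Log-file write errors are deliberately suppressed: logging is best-effort and
# must not abort the registration.
function Write-RegLog {
    param(
        [string]$Message,
        [ValidateSet('INFO', 'WARN', 'ERROR')]
        [string]$Level = 'INFO'
    )
    $line = '[{0}] [{1}] {2}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Level, $Message
    Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
    Write-Host $line
}

# Return $true when the ACL on $Path has an Allow entry that gives Everyone,
# Authenticated Users, INTERACTIVE or BUILTIN\Users any right that lets them
# change, delete or re-permission the file. Throws if the ACL cannot be read.
function Test-BroadWriteAccess {
    param([string]$Path)

    # Well-known SIDs: Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

    $rights = [System.Security.AccessControl.FileSystemRights]
    # Specific write-type bits plus the raw GENERIC_ALL / GENERIC_WRITE values,
    # which can appear unmapped in an ACE. Modify/FullControl are not used as
    # masks because they also contain read bits and would match read-only ACEs.
    $writeMask = [int]($rights::WriteData -bor $rights::AppendData -bor
        $rights::Delete -bor $rights::ChangePermissions -bor
        $rights::TakeOwnership) -bor 0x10000000 -bor 0x40000000

    $acl   = Get-Acl -LiteralPath $Path -ErrorAction Stop
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadSids -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

Write-RegLog '=== Register-MapSfldShare start ==='

$taskName     = 'GE Shopfloor Map S: Drive'
$vendorScript = 'C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1'

# Pre-flight checks on the script the task will run. Findings are logged as
# warnings only; registration still proceeds so behaviour matches the original
# when the vendor package is installed later or ships with its own ACLs.
if (-not (Test-Path -LiteralPath $vendorScript -PathType Leaf)) {
    Write-RegLog -Level WARN -Message ('Vendor script not found at {0}; the task action will fail until it is present' -f $vendorScript)
}
else {
    try {
        if (Test-BroadWriteAccess -Path $vendorScript) {
            Write-RegLog -Level WARN -Message ('{0} is writable by a non-admin group; tighten its ACL, because this task runs it in every user session' -f $vendorScript)
        }
    }
    catch {
        Write-RegLog -Level WARN -Message ('Could not read the ACL of {0}: {1}' -f $vendorScript, $_)
    }
}

try {
    # NOTE(review): -ExecutionPolicy Bypass overrides the configured execution
    # policy for this one invocation. Kept as-is; if site policy requires signed
    # scripts, confirm with the vendor whether the script is signed and drop
    # the override.
    $action = New-ScheduledTaskAction `
        -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$vendorScript`""

    $trigger = New-ScheduledTaskTrigger -AtLogOn

    # BUILTIN\Users + Limited: any logged-in user triggers it; action
    # runs in that user's session so net use lands the drive in the
    # right place. Limited also means the action never runs elevated,
    # even when the user logging on is an administrator.
    $principal = New-ScheduledTaskPrincipal -GroupId 'S-1-5-32-545' -RunLevel Limited

    $settingsArgs = @{
        AllowStartIfOnBatteries    = $true
        DontStopIfGoingOnBatteries = $true
        StartWhenAvailable         = $true
        ExecutionTimeLimit         = (New-TimeSpan -Minutes 5)
    }
    $settings = New-ScheduledTaskSettingsSet @settingsArgs

    Write-RegLog "Registering '$taskName' (logon trigger, BUILTIN\Users -> $vendorScript)"

    # -Force replaces an existing task of the same name, so re-running this
    # script is safe. -ErrorAction Stop routes failures to the catch below.
    $registerArgs = @{
        TaskName    = $taskName
        Action      = $action
        Trigger     = $trigger
        Principal   = $principal
        Settings    = $settings
        Force       = $true
        Description = 'Run vendor ConsumeCredentials.ps1 on any user logon (parallel to the principal-restricted SFLD-owned task) so ShopFloor and other end-user accounts get S: mapped'
        ErrorAction = 'Stop'
    }
    Register-ScheduledTask @registerArgs | Out-Null

    Write-RegLog 'Scheduled task registered'
}
catch {
    # Logged at ERROR so a failed registration is not hidden among INFO lines.
    Write-RegLog -Level ERROR -Message "FAILED to register task: $_"
    exit 1
}

Write-RegLog '=== Register-MapSfldShare end ==='
exit 0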