ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
5c3db71879556adc5c8f59eb149f06c6ca55dd36
pxe-server/playbook/shopfloor-setup/gea-shopfloor-nocollections/02-MachineNumberACLs.ps1
cproudlock 97b9e58d23 Configure-PC + nocollections ACL: align with two-task machine number design 
- gea-shopfloor-nocollections/02-MachineNumberACLs.ps1: gut to no-op
  matching the collections variant. SYSTEM Apply task no longer needs
  per-user ACLs on the eDNC reg key or UDC ProgramData dir.

- Configure-PC.ps1 item 6 (Machine number logon prompt toggle):
  Stop duplicating Register-ScheduledTask logic inline. Call the
  shared Register-CheckMachineNumberTask.ps1 registrar so both the
  Prompt user-task and Apply SYSTEM-task are installed with matching
  SDDL config. Existence check now treats EITHER the new "Prompt
  Machine Number" task OR the legacy "Check Machine Number" task as
  "ON" so old bays still register correctly. Toggle OFF unregisters
  all three names (Prompt + Apply + legacy) for clean removal.
2026-05-24 18:36:35 -04:00

30 lines
1.6 KiB
PowerShell
Raw Blame History

# 02-MachineNumberACLs.ps1 - NO-OP (deprecated 2026-05-24).
#
# This script used to grant BUILTIN\Users SetValue on the eDNC reg key
# and Modify on the UDC ProgramData dir so the logged-in user could
# update machine number from the Check-MachineNumber logon dialog without
# elevation.
#
# That design had two flaws:
# 1. Security hole - any logged-in user could overwrite the machine-
# identity reg key.
# 2. Fragile - ACL grants raced with eDNC install timing on some bays;
# the OpenSubKey call returned null + the grant was silently skipped,
# leaving Check-MachineNumber unable to update the bay (yet the old
# Update-MachineNumber.ps1 reported success anyway because
# Set-ItemProperty's PermissionDenied is non-terminating).
#
# Replaced by the two-task design in Register-CheckMachineNumberTask.ps1:
# - "Prompt Machine Number" : user-context GUI, no privileges
# - "Apply Machine Number" : SYSTEM-context worker, full HKLM access
#
# Left as a no-op so Stage-Dispatcher / Run-ShopfloorSetup discovery
# patterns don't have to be updated. Existing bays' ACL grants are still
# present and harmless (the SYSTEM Apply task ignores them).
$logDir = 'C:\Logs\SFLD'
if (-not (Test-Path $logDir)) { try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch {} }
try { Start-Transcript -Path (Join-Path $logDir '02-MachineNumberACLs.log') -Append -Force | Out-Null } catch {}
Write-Host "02-MachineNumberACLs.ps1: no-op (replaced by SYSTEM Apply task - see Register-CheckMachineNumberTask.ps1)"
try { Stop-Transcript | Out-Null } catch {}
Reference in New Issue View Git Blame Copy Permalink