7298d433eb
OLD design: a single 'Check Machine Number' scheduled task ran as the
logged-in user (BUILTIN\Users, Limited) on AtLogOn. It both showed the
InputBox AND tried to update HKLM\SOFTWARE\WOW6432Node\GE Aircraft
Engines\DNC\General + C:\ProgramData\UDC\udc_settings.json. To make
those non-admin writes possible, 02-MachineNumberACLs.ps1 pre-granted
BUILTIN\Users SetValue + Modify on those targets during imaging.
Three problems with that:
1. SECURITY: any logged-in user could overwrite the machine-identity
reg key.
2. FRAGILE: ACL grants raced with eDNC install timing on some bays
(eDNC reg key didn't exist yet when 02-MachineNumberACLs ran;
OpenSubKey returned null, ACL silently skipped, Check-MachineNumber
later failed with PermissionDenied).
3. SILENT-SUCCESS BUG: Update-MachineNumber's Set-ItemProperty calls
lacked -ErrorAction Stop. PermissionDenied is a non-terminating
error in PS5.1, so the try/catch never fired. The script set
$out.EdncUpdated=$true anyway and the dialog reported success
while the reg value stayed at 9999. WJF capture log on FGY07FZ3
shows this exact pattern.
NEW design - two scheduled tasks split by responsibility:
- "Prompt Machine Number" : AtLogOn trigger, BUILTIN\Users (Limited).
Reads current values (read-only). If 9999, shows InputBox. Writes
typed number to C:\Logs\SFLD\machine-number-request.txt. Triggers
SYSTEM Apply via schtasks /run. Polls for result JSON (60s timeout).
Shows result MessageBox with TopMost so it isn't hidden behind
other windows.
- "Apply Machine Number" : on-demand, SYSTEM (Highest). Reads the
request file, calls Update-MachineNumber (full HKLM + ProgramData
access from SYSTEM context). Pulls per-machine NTLARS .reg + UDC
settings JSON + UDC live data from the SFLD share if site-config
has share paths. Writes result JSON. Removes request file.
Unregisters the Prompt task on full success (Prompt itself can't
self-unregister - Limited users can't delete a SYSTEM-owned task).
- Default task SDDL only allows Admins + SYSTEM to read/run a
SYSTEM-owned task. Added BUILTIN\Users GR+GX ACE via COM
SetSecurityDescriptor so the Limited Prompt task can schtasks /run
Apply on demand. They can read + execute it; not modify or delete.
- Update-MachineNumber.ps1 writes now have -ErrorAction Stop so
PermissionDenied actually fires the catch block instead of being
swallowed.
- 02-MachineNumberACLs.ps1 gutted to a no-op (left in place for
Stage-Dispatcher discovery; no longer grants the ACLs). Old bays'
existing grants are harmless since SYSTEM ignores them.
- Register-CheckMachineNumberTask.ps1 now installs both tasks AND
unregisters the legacy 'Check Machine Number' task name on
re-imaging. Run-ShopfloorSetup.ps1's $skipInBaseline list now
includes Prompt-MachineNumber.ps1 + Apply-MachineNumber.ps1 so
they aren't auto-run during the baseline pass (only via the
scheduled tasks).
Smoke tested end-to-end on win11 VM with ShopFloor (Limited) logging in
interactively: AtLogOn trigger fired Prompt, dialog rendered, tech
typed 7777, schtasks /run succeeded (the SDDL fix lets Limited users
trigger SYSTEM tasks), Apply ran as SYSTEM, eDNC reg + machine-number.txt
both updated to 7777, result MessageBox shown, Prompt task auto-
unregistered by Apply's cleanup step. No ACL grants needed on any user.
Apply also re-tested with -ErrorAction Stop confirming non-terminating
PermissionDenied now properly throws into the catch + populates Errors[]
+ flips $out.EdncUpdated to false - so any future write failures will
report honestly instead of silently claiming success.
130 lines
5.0 KiB
PowerShell
130 lines
5.0 KiB
PowerShell
# Check-MachineNumber.ps1 - Logon-triggered check for placeholder machine
|
|
# number. If UDC or eDNC are still at 9999, pops an InputBox for the user
|
|
# to enter the real number. On success, unregisters the scheduled task so
|
|
# the prompt never appears again.
|
|
#
|
|
# Runs as the LOGGED-IN USER (not SYSTEM) because it needs to show GUI.
|
|
# Writing to ProgramData + HKLM is possible because 02-MachineNumberACLs.ps1
|
|
# pre-granted BUILTIN\Users write access on those specific targets during
|
|
# imaging.
|
|
#
|
|
# Registered/unregistered by Configure-PC.ps1 (item 6 in the toggle list).
|
|
|
|
# --- Transcript logging ---
|
|
$logDir = 'C:\Logs\SFLD'
|
|
if (-not (Test-Path $logDir)) {
|
|
try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch { $logDir = $env:TEMP }
|
|
}
|
|
$transcriptPath = Join-Path $logDir 'Check-MachineNumber.log'
|
|
try { Start-Transcript -Path $transcriptPath -Append -Force | Out-Null } catch {}
|
|
Write-Host "Check-MachineNumber.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
|
|
Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
|
|
|
|
. "$PSScriptRoot\lib\Get-PCProfile.ps1"
|
|
. "$PSScriptRoot\lib\Update-MachineNumber.ps1"
|
|
|
|
Add-Type -AssemblyName Microsoft.VisualBasic
|
|
Add-Type -AssemblyName System.Windows.Forms
|
|
|
|
$taskName = 'Check Machine Number'
|
|
$site = if ($siteConfig) { $siteConfig.siteName } else { 'West Jefferson' }
|
|
|
|
# --- Read current values ---
|
|
$currentMN = Get-CurrentMachineNumber
|
|
$currentUdc = $currentMN.Udc
|
|
$currentEdnc = $currentMN.Ednc
|
|
|
|
# --- Check if placeholder ---
|
|
Write-Host "UDC machine number: $(if ($currentUdc) { $currentUdc } else { '(not found)' })"
|
|
Write-Host "eDNC machine number: $(if ($currentEdnc) { $currentEdnc } else { '(not found)' })"
|
|
|
|
if ($currentUdc -ne '9999' -and $currentEdnc -ne '9999') {
|
|
Write-Host "Machine number is set (not 9999). Unregistering task and exiting."
|
|
try {
|
|
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
|
} catch {}
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
exit 0
|
|
}
|
|
|
|
Write-Host "Placeholder 9999 detected - showing prompt."
|
|
|
|
# --- Show prompt ---
|
|
$promptLines = @()
|
|
$promptLines += "The machine number on this PC is still set to the"
|
|
$promptLines += "placeholder value (9999). Please enter the correct"
|
|
$promptLines += "machine number for this workstation."
|
|
$promptLines += ""
|
|
if ($currentUdc) { $promptLines += "Current UDC: $currentUdc" }
|
|
if ($currentEdnc) { $promptLines += "Current eDNC: $currentEdnc" }
|
|
$promptLines += ""
|
|
$promptLines += "Enter the new Machine Number:"
|
|
|
|
$prompt = $promptLines -join "`n"
|
|
$new = [Microsoft.VisualBasic.Interaction]::InputBox($prompt, "Set Machine Number", "")
|
|
|
|
if ([string]::IsNullOrWhiteSpace($new)) {
|
|
Write-Host "User cancelled. Will prompt again next logon."
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
exit 0
|
|
}
|
|
|
|
$new = $new.Trim()
|
|
|
|
# --- Validate ---
|
|
if ($new -notmatch '^\d+$') {
|
|
Write-Host "Invalid input: '$new' (not digits only). Will prompt again next logon."
|
|
[System.Windows.Forms.MessageBox]::Show(
|
|
"Machine number must be digits only.`n`nYou entered: '$new'`n`nThe prompt will appear again at next logon.",
|
|
"Invalid Machine Number",
|
|
[System.Windows.Forms.MessageBoxButtons]::OK,
|
|
[System.Windows.Forms.MessageBoxIcon]::Error
|
|
) | Out-Null
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
exit 0
|
|
}
|
|
|
|
# --- Update via shared helper ---
|
|
$mnResult = Update-MachineNumber -NewNumber $new -Site $site
|
|
|
|
$results = @()
|
|
if ($mnResult.UdcUpdated) { $results += "UDC updated to $new" }
|
|
if ($mnResult.EdncUpdated) { $results += "eDNC updated to $new" }
|
|
foreach ($err in $mnResult.Errors) { $results += $err -replace '^', 'FAILED: ' }
|
|
|
|
# --- Show result ---
|
|
$summary = ($results -join "`n") + "`n`nTo apply eDNC changes, restart any running DncMain.exe.`n`nFull log: C:\Logs\SFLD\Check-MachineNumber.log"
|
|
# Force the MessageBox to topmost + take focus so it isn't hidden behind
|
|
# other windows. Without this, the result dialog can render off-screen or
|
|
# behind the FormTracePak / DNC windows and the tech misses it.
|
|
$tmpForm = New-Object System.Windows.Forms.Form
|
|
$tmpForm.TopMost = $true
|
|
$tmpForm.WindowState = 'Minimized'
|
|
$tmpForm.ShowInTaskbar = $false
|
|
$tmpForm.Opacity = 0
|
|
$tmpForm.Show()
|
|
[System.Windows.Forms.MessageBox]::Show(
|
|
$tmpForm,
|
|
$summary,
|
|
"Machine Number Updated",
|
|
[System.Windows.Forms.MessageBoxButtons]::OK,
|
|
[System.Windows.Forms.MessageBoxIcon]::Information
|
|
) | Out-Null
|
|
$tmpForm.Close()
|
|
|
|
# --- Unregister task on success ---
|
|
Write-Host "Results: $($results -join '; ')"
|
|
$anyFail = $results | Where-Object { $_ -match 'FAILED' }
|
|
if (-not $anyFail) {
|
|
Write-Host "All updates succeeded. Unregistering logon task."
|
|
try {
|
|
Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
|
|
} catch {}
|
|
} else {
|
|
Write-Host "Some updates failed. Task stays registered - will prompt again next logon."
|
|
}
|
|
|
|
Write-Host "Check-MachineNumber.ps1 finished $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
|
|
try { Stop-Transcript | Out-Null } catch {}
|
|
exit 0
|