pxe-server/playbook/shopfloor-setup/Shopfloor/Register-MapSfldShare.ps1
cproudlock a4de11814d Force-Lockdown.bat + S: drive logon mapper for ShopFloor end-user
Force-Lockdown.bat (SupportUser desktop):
  Vendor escape hatch when Intune Lockdown push hasn't applied within
  ~30 minutes. Self-elevates via UAC, prompts for typed YES confirmation
  that an ARTS request is in place, then runs sfld_autologon.ps1.

Register-MapSfldShare.ps1 (every PC type):
  The SFLD vendor's 'SFLD - Consume Credentials' scheduled task is
  principal-restricted (admin-only) so it fires for SupportUser logon
  but not for ShopFloor logon -- ShopFloor lands at the desktop with
  no S: drive and no way to reach \\tsgwp00525\shared. Workaround:
  register a parallel 'GE Shopfloor Map S: Drive' AtLogOn task with
  Principal=BUILTIN\Users + RunLevel=Limited that invokes the vendor's
  C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1 in the
  interactive user's session. Vendor script handles cred-store + net use
  end to end; we just give it a wider trigger principal. Cross-PC-type
  because every shopfloor account needs S:.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 18:31:18 -04:00

77 lines
3.0 KiB
PowerShell

# Register-MapSfldShare.ps1 - Register a parallel logon task that runs
# the SFLD vendor's ConsumeCredentials.ps1 for ANY user in BUILTIN\Users.
#
# Why: the vendor's own 'SFLD - Consume Credentials' scheduled task is
# registered with a principal that excludes ShopFloor (admin/specific-
# user only), so when ShopFloor logs in, ConsumeCredentials never fires
# for that session and the S: drive is never mapped (drive mappings are
# per logon session, so SupportUser's mapping does not carry over).
#
# We don't reimplement the mapping logic: the vendor script at
# C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1 already
# reads the HKLM creds and runs net use when DriveLetter/ShareName are
# populated. We just register a second task with a wider principal
# (BUILTIN\Users + Limited) so the vendor script ALSO fires for the
# end-user logon.
#
# Trade-off: the vendor script's New-StoredCredential -Persist LocalMachine
# step requires admin rights to write Cred Manager. ShopFloor (Limited) will
# see that part throw, but the script catches per-cred and the net use step
# still runs and lands the drive in ShopFloor's session.
#
# Security note: this task executes whatever file is at $vendorScript, in the
# session of every user who logs on, with -ExecutionPolicy Bypass. The file
# and its folder under ProgramData must stay writable by admins only; this
# script does not touch those ACLs.
$ErrorActionPreference = 'Continue'
$logDir  = 'C:\Logs\SFLD'
$logFile = Join-Path $logDir 'register-mapshare.log'
if (-not (Test-Path $logDir)) { New-Item -Path $logDir -ItemType Directory -Force | Out-Null }

function Write-RegLog {
    param([string]$Message)
    $line = '[{0}] [INFO] {1}' -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Message
    Add-Content -Path $logFile -Value $line -ErrorAction SilentlyContinue
    Write-Host $line
}

Write-RegLog '=== Register-MapSfldShare start ==='

$vendorScript = 'C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1'
if (-not (Test-Path $vendorScript)) {
    # Registration still succeeds without the file; the task will simply fail
    # at logon until the vendor package lands. Log it so a playbook ordering
    # problem is visible instead of silent.
    Write-RegLog "WARNING: vendor script not found at $vendorScript (task registered anyway)"
}

try {
    $action = New-ScheduledTaskAction `
        -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$vendorScript`""

    # No -User on the logon trigger: fires for any interactive logon.
    $trigger = New-ScheduledTaskTrigger -AtLogOn

    # S-1-5-32-545 is the well-known SID of BUILTIN\Users (locale-independent,
    # unlike the localized group name). Limited = the logging-on user's own
    # unelevated token, so the action runs in that user's session and net use
    # lands the drive in the right place; an admin logging on still gets no
    # elevated run out of this task.
    $principal = New-ScheduledTaskPrincipal -GroupId 'S-1-5-32-545' -RunLevel Limited

    $settings = New-ScheduledTaskSettingsSet `
        -AllowStartIfOnBatteries `
        -DontStopIfGoingOnBatteries `
        -StartWhenAvailable `
        -ExecutionTimeLimit (New-TimeSpan -Minutes 5)

    Write-RegLog "Registering 'GE Shopfloor Map S: Drive' (logon trigger, BUILTIN\Users -> $vendorScript)"
    Register-ScheduledTask `
        -TaskName 'GE Shopfloor Map S: Drive' `
        -Action $action `
        -Trigger $trigger `
        -Principal $principal `
        -Settings $settings `
        -Force `
        -Description 'Run vendor ConsumeCredentials.ps1 on any user logon (parallel to the principal-restricted SFLD-owned task) so ShopFloor and other end-user accounts get S: mapped' `
        -ErrorAction Stop | Out-Null
    Write-RegLog 'Scheduled task registered'
} catch {
    Write-RegLog "FAILED to register task: $_"
    exit 1
}

Write-RegLog '=== Register-MapSfldShare end ==='
exit 0
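The script above registers the task but never checks what it registered, and it says nothing about who may write the file it hands to every logon session. The following audit script is an added example and is not part of the shopfloor-setup playbook; the file name Verify-MapSfldShare.ps1 and the helper names Resolve-Sid and Test-BroadWriteAccess are assumptions. It reads the task back with the ScheduledTasks cmdlets and confirms the principal is BUILTIN\Users at RunLevel Limited, that the logon trigger is not bound to one user, and that the action still points at ConsumeCredentials.ps1. It then inspects the ACLs of that script and its folder, because the same file is also run by the vendor's admin-only task at SupportUser logon: a standard user who can modify it gets code into an admin session. The folder check is informational, since ProgramData's default inheritance gives Users create rights on subfolders and that only matters if the vendor script loads anything else from its own directory.

```powershell
# Verify-MapSfldShare.ps1 (added example; hypothetical name, not part of the
# shopfloor-setup playbook). Audits the 'GE Shopfloor Map S: Drive' task and
# the vendor script it executes in every user's logon session.
$taskName     = 'GE Shopfloor Map S: Drive'
$vendorScript = 'C:\ProgramData\SFLD\CredentialManager\ConsumeCredentials.ps1'
$usersSid     = 'S-1-5-32-545'                                   # BUILTIN\Users
# Principals that mean "any local user": Users, Authenticated Users, Everyone, INTERACTIVE.
$broadSids    = @('S-1-5-32-545', 'S-1-5-11', 'S-1-1-0', 'S-1-5-4')
$findings     = New-Object System.Collections.Generic.List[string]

function Resolve-Sid {
    # Returns the SID string for an account given as a SID ('S-1-5-32-545') or a
    # name ('BUILTIN\Users'); $null if it cannot be resolved.
    param([string]$Account)
    if ($Account -match '^S-1-') { return $Account }
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Account)
        return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

function Test-BroadWriteAccess {
    # True if any Allow ACE on $Path grants write-class rights to a broad principal.
    param([string]$Path)
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::Write -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete -bor
                       [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                       [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadSids -notcontains (Resolve-Sid $ace.IdentityReference.Value)) { continue }
        $raw = [int]$ace.FileSystemRights
        # Generic rights on inherited ACEs show up as negative enum values;
        # GENERIC_WRITE is 0x40000000 and GENERIC_ALL is 0x10000000.
        if ((($raw -band $writeMask) -ne 0) -or (($raw -band 0x50000000) -ne 0)) { return $true }
    }
    return $false
}

$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $task) { Write-Warning "task '$taskName' is not registered"; exit 2 }

# 1. Principal: the Users group (name or SID form) with an unelevated token.
$p = $task.Principal
if ((Resolve-Sid $p.GroupId) -ne $usersSid) { $findings.Add("principal GroupId is '$($p.GroupId)', expected BUILTIN\Users") }
if ("$($p.RunLevel)" -ne 'Limited')        { $findings.Add("RunLevel is '$($p.RunLevel)', expected Limited") }

# 2. Trigger: a logon trigger with no UserId, i.e. it fires for any user's logon.
$logon = @($task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
if ($logon.Count -eq 0)   { $findings.Add('no logon trigger') }
elseif ($logon[0].UserId) { $findings.Add("logon trigger is bound to '$($logon[0].UserId)' only") }

# 3. Action: must still point powershell.exe at the vendor script.
$act = $task.Actions[0]
if ($act.Execute -notmatch 'powershell(\.exe)?$' -or $act.Arguments -notlike "*$vendorScript*") {
    $findings.Add("action is '$($act.Execute) $($act.Arguments)'")
}

# 4. ACLs: the vendor's admin-principal task runs this same file at SupportUser
#    logon, so broad write access on the file means user-to-admin code execution.
#    The folder result is informational (ProgramData inheritance gives Users
#    create rights on subfolders by default).
foreach ($path in @($vendorScript, (Split-Path -Path $vendorScript -Parent))) {
    if (-not (Test-Path -LiteralPath $path)) { $findings.Add("missing: $path"); continue }
    if (Test-BroadWriteAccess -Path $path)  { $findings.Add("broad write access on $path") }
}

# 5. Did it actually fire? LastTaskResult 0 = success; 0x41303 = task has never run.
$info = Get-ScheduledTaskInfo -TaskName $taskName
Write-Host ('last run {0}, result 0x{1:X}' -f $info.LastRunTime, $info.LastTaskResult)

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "OK: '$taskName' is registered as intended and $vendorScript is not writable by standard users"
exit 0
```

Run it elevated after a ShopFloor logon: exit code 0 means the task is shaped as the commit describes and the vendor script is admin-writable only; exit 1 lists each deviation; exit 2 means the task is missing. A LastTaskResult of 0x41303 after ShopFloor has logged on means the trigger never fired, which points back at the principal or trigger rather than at the vendor script.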