pxe-server/playbook/shopfloor-setup/Standard/02-MachineNumberACLs.ps1
cproudlock 855af7312b Sub-type aware preinstall, USB drivers/PPKGs, Lab OpenText
- PreInstall runner reads pc-subtype.txt and matches PCTypes against
  both base type (Standard) and composite key (Standard-Machine).
- UDC scoped to Standard-Machine only. eDNC and MachineNumberACLs
  skip on Standard-Timeclock sub-type.
- Lab added to OpenText PCTypes.
- build-usb.sh copies enrollment/ (PPKGs) and drivers-staging/ (Dell
  driver packs) onto USB for self-contained deployment.
- Playbook deploys PPKGs and drivers from USB to PXE server shares.
- Gitignore enrollment/, drivers-staging/, *.ppkg (large binaries).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 15:00:23 -04:00


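# 02-MachineNumberACLs.ps1 - Pre-grant write access on the UDC settings
# directory and eDNC registry key so that STANDARD (non-admin) users can
# update the machine number via the Check-MachineNumber logon task without
# elevation or a UAC prompt.
#
# Runs during imaging as admin (type-specific Standard phase, after
# 01-eDNC.ps1 has installed DnC). Only touches Standard PCs; exits early on
# the Standard-Timeclock sub-type, which has no UDC/eDNC to grant ACLs for.
#
# What gets opened up (narrow scope, not blanket admin):
# - C:\ProgramData\UDC (directory; the rule is inherited by udc_settings.json
#   and by any other file UDC.exe later creates beneath it)
#   -> BUILTIN\Users : Modify
# - HKLM:\SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General
#   -> BUILTIN\Users : SetValue (this key only; the rule carries no
#   inheritance flags, so subkeys are unaffected)
#
# NOTE(review): because Modify is granted on the directory with inheritance,
# it covers every file under C:\ProgramData\UDC, not only the settings JSON -
# a standard user can replace or delete anything UDC stores there. Confirm
# UDC keeps no executables or trusted configuration in that directory before
# treating this as "narrow scope".

# --- Transcript ---
$logDir = 'C:\Logs\SFLD'
if (-not (Test-Path -LiteralPath $logDir)) {
    # Best-effort: a logging failure must never block the ACL work itself.
    try { New-Item -ItemType Directory -Path $logDir -Force | Out-Null } catch {}
}
try { Start-Transcript -Path (Join-Path $logDir '02-MachineNumberACLs.log') -Append -Force | Out-Null } catch {}

# --- Skip on Timeclock sub-type (no UDC/eDNC to grant ACLs for) ---
$subtypeFile = 'C:\Enrollment\pc-subtype.txt'
if (Test-Path -LiteralPath $subtypeFile) {
    # Cast through [string] first: an empty or unreadable file makes
    # Get-Content return $null, and calling .Trim() on $null raises a
    # runtime error (noisy in the transcript, even though it is not fatal).
    $subtype = ([string](Get-Content -LiteralPath $subtypeFile -First 1 -ErrorAction SilentlyContinue)).Trim()
    if ($subtype -eq 'Timeclock') {
        Write-Host "02-MachineNumberACLs: skipped (Standard-Timeclock)"
        try { Stop-Transcript | Out-Null } catch {}
        return
    }
}

Write-Host "02-MachineNumberACLs.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-Host ""
Write-Host "Setting ACLs for standard-user machine number access..."

# --- UDC settings directory ---
# Set ACL on the DIRECTORY (not the file) with inheritance so that
# udc_settings.json inherits the permission whenever UDC.exe creates it.
# UDC_Setup.exe is killed by KillAfterDetection before UDC.exe writes the
# JSON, so the file doesn't exist at this point. Directory-level ACL with
# ContainerInherit + ObjectInherit covers any file created inside later.
$udcDir = 'C:\ProgramData\UDC'
if (Test-Path -LiteralPath $udcDir) {
    try {
        $acl = Get-Acl -LiteralPath $udcDir
        # ContainerInherit + ObjectInherit: applies to subfolders and files
        # created later; PropagationFlags None keeps it on the folder too.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'BUILTIN\Users', 'Modify',
            ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
             [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
            [System.Security.AccessControl.PropagationFlags]::None,
            'Allow')
        # AddAccessRule merges with an identical existing rule, so re-running
        # the script does not stack duplicate ACEs.
        $acl.AddAccessRule($rule)
        Set-Acl -LiteralPath $udcDir -AclObject $acl -ErrorAction Stop
        Write-Host " UDC dir: BUILTIN\Users granted Modify (inherited) on $udcDir"
    } catch {
        Write-Warning " Failed to set ACL on $udcDir : $_"
    }
} else {
    Write-Host " UDC dir not found at $udcDir - skipping (UDC not installed?)" -ForegroundColor DarkGray
}

# --- eDNC registry key ---
$ednRegPathWin = 'SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General'
$regKey = $null
try {
    # Open writable ($true): SetAccessControl needs a handle opened for write.
    $regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ednRegPathWin, $true)
    if ($regKey) {
        $regSec = $regKey.GetAccessControl()
        # 3-argument constructor: no inheritance flags, so only this key changes.
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            'BUILTIN\Users', 'SetValue', 'Allow')
        $regSec.AddAccessRule($rule)
        $regKey.SetAccessControl($regSec)
        Write-Host " eDNC reg: BUILTIN\Users granted SetValue on HKLM:\$ednRegPathWin"
    } else {
        Write-Host " eDNC registry key not found - skipping (eDNC not installed?)" -ForegroundColor DarkGray
    }
} catch {
    Write-Warning " Failed to set ACL on HKLM:\$ednRegPathWin : $_"
} finally {
    # Release the key handle on every path, including when SetAccessControl
    # throws (the original closed it only on success).
    if ($regKey) { $regKey.Close() }
}

Write-Host "ACL setup complete."
try { Stop-Transcript | Out-Null } catch {}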