New tools:
Configure-PC.bat/.ps1 - Interactive desktop tool for SupportUser to
configure a shopfloor PC after imaging. Two sections:
1. Machine number: if UDC/eDNC are still at placeholder 9999, prompt
to set the real number right now (updates UDC JSON + eDNC registry,
restarts UDC.exe with new args).
2. Auto-startup toggle: pick which apps start at user logon from a
numbered list (UDC, eDNC, Defect Tracker, WJ Shopfloor, Plant Apps).
Creates/removes .lnk files in AllUsers Startup folder. Toggle UI
shows [ON]/[ ] state, safe to re-run anytime. Plant Apps URL
resolved from .url file at runtime with hardcoded fallback to
https://mes-wjefferson.apps.lr.geaerospace.net/run/...
3. Item 6 in the toggle list: register/unregister a "Check Machine
Number" logon task for standard (non-admin) users. When enabled,
the task fires at every logon, checks for 9999, pops an InputBox
if found, updates both apps, then unregisters itself on success.
Check-MachineNumber.ps1 - The logon task script. Runs as the logged-in
user (needs GUI for InputBox), not SYSTEM. Writing to ProgramData + HKLM
is possible because 02-MachineNumberACLs.ps1 pre-grants BUILTIN\Users
write access on the two specific targets during imaging.
02-MachineNumberACLs.ps1 - Standard type-specific script (runs after
01-eDNC.ps1). Opens C:\ProgramData\UDC\udc_settings.json for Users:Modify
and HKLM:\...\GE Aircraft Engines\DNC\General for Users:SetValue. Narrow
scope, not blanket admin.
Execution order fixes in Run-ShopfloorSetup.ps1:
The dispatcher now has two lists: $skipInBaseline (scripts NOT run in the
alphabetical baseline loop) and $runAfterTypeSpecific (scripts run
explicitly after type-specific scripts complete). This fixes the bug where
06/07 ran before 01-eDNC.ps1 installed DnC, so eDNC/NTLARS shortcuts were
silently skipped.
New execution order:
Baseline: 00-PreInstall, 04-NetworkAndWinRM (skipping 05-08 + tools)
Type-specific: 01-eDNC, 02-MachineNumberACLs
Finalization: 06-OrganizeDesktop, 07-TaskbarLayout
06 internally calls 05 (Office shortcuts, Phase 0) and 08 (Edge config,
Phase 4) as sub-phases, so they also benefit from running late. Office
isn't installed until after the first reboot (ppkg streams C2R), so 05
no-ops at imaging time but succeeds when 06's SYSTEM logon task re-runs
it on the second boot. 08 resolves startup-tab URLs from .url files
delivered by DSC (even later); same self-heal via the logon task.
Other fixes in this commit:
- OpenText Setup-OpenText.ps1 Step 4: exclude WJ_Office.lnk, IBM_qks.lnk,
mmcs.lnk desktop shortcuts (matching the Step 3 .hep profile exclusion
from the previous commit). Removes stale copies from prior installs.
- 05-OfficeShortcuts.ps1: widened Office detection to 6 path variants
covering C2R + MSI + Office15/16, with diagnostic output on miss.
- 06-OrganizeDesktop.ps1: removed Phase 3 (desktop-root pin copies for
eDNC/NTLARS) so shortcuts live in Shopfloor Tools only, not duplicated
at root. Emptied $keepAtRoot. Added Phase 0 (call 05) and Phase 4
(call 08). Lazy folder creation + empty-folder cleanup. Scheduled task
now runs as SYSTEM (was BUILTIN\Users with Limited which failed the
admin check). Added NTLARS to 07's taskbar pin list.
- 08-EdgeDefaultBrowser.ps1: Plant Apps URL fallback hardcoded from
device-config.yaml.
- All new scripts have Start-Transcript logging to C:\Logs\SFLD\ with
timestamps and running-as identity.
- Run-ShopfloorSetup.ps1: Start-Transcript + Stop-Transcript wrapping
entire dispatcher run, writes to C:\Logs\SFLD\shopfloor-setup.log.
Configure-PC.bat added to SupportUser desktop copy list.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
56 lines
2.4 KiB
PowerShell
# 02-MachineNumberACLs.ps1 - Pre-grant write access on the UDC settings
# file and eDNC registry key so that STANDARD (non-admin) users can update
# the machine number via the Check-MachineNumber logon task without
# elevation or a UAC prompt.
#
# Runs during imaging as admin (type-specific Standard phase, after
# 01-eDNC.ps1 has installed DnC). Only touches Standard PCs.
#
# What gets opened up (narrow scope, not blanket admin):
# - C:\ProgramData\UDC\udc_settings.json -> BUILTIN\Users : Modify
# - HKLM:\SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General
# -> BUILTIN\Users : SetValue
Write-Host "02-MachineNumberACLs.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-Host ""
Write-Host "Setting ACLs for standard-user machine number access..."
# --- UDC settings JSON ---
$udcJson = 'C:\ProgramData\UDC\udc_settings.json'
if (Test-Path -LiteralPath $udcJson) {
try {
$acl = Get-Acl -LiteralPath $udcJson
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
'BUILTIN\Users', 'Modify', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $udcJson -AclObject $acl -ErrorAction Stop
Write-Host " UDC JSON: BUILTIN\Users granted Modify on $udcJson"
} catch {
Write-Warning " Failed to set ACL on $udcJson : $_"
}
} else {
Write-Host " UDC JSON not found at $udcJson - skipping (UDC not installed?)" -ForegroundColor DarkGray
}
# --- eDNC registry key ---
$ednRegPathWin = 'SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General'
try {
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ednRegPathWin, $true)
if ($regKey) {
$regSec = $regKey.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
'BUILTIN\Users', 'SetValue', 'Allow')
$regSec.AddAccessRule($rule)
$regKey.SetAccessControl($regSec)
$regKey.Close()
Write-Host " eDNC reg: BUILTIN\Users granted SetValue on HKLM:\$ednRegPathWin"
} else {
Write-Host " eDNC registry key not found - skipping (eDNC not installed?)" -ForegroundColor DarkGray
}
} catch {
Write-Warning " Failed to set ACL on HKLM:\$ednRegPathWin : $_"
}
Write-Host "ACL setup complete."
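Review bot: In the eDNC section the RegistryAccessRule('BUILTIN\Users', 'SetValue', 'Allow') is applied to the whole DNC\General key, so every standard user on the PC, and any process running as one, can write every value under that key and not only the machine number; in the same way, Modify on udc_settings.json lets them rewrite or delete the entire settings file. If either location holds anything besides the machine number, consider having the logon task pass the number to a SYSTEM-side task that validates it and performs the write, or at minimum have the consuming applications validate what they read. Smaller points: both catch blocks only call Write-Warning and the script still ends with "ACL setup complete.", so the dispatcher cannot tell that a grant failed or was skipped; track a failure flag and exit non-zero. $regKey.Close() is not reached when SetAccessControl throws; move it into a finally block. The principal is given as the string 'BUILTIN\Users', which is localized on non-English Windows; the well-known SID S-1-5-32-545 resolves the same group on any locale.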