ge-aerospace/pxe-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e17b3a521dbc71c34a54a7e7c7811bb80acaa59c
pxe-server/playbook/shopfloor-setup/Standard/02-MachineNumberACLs.ps1
cproudlock e17b3a521d Fix 5 bugs from shopfloor-setup transcript review 
1. UDC JSON ACL: set on directory C:\ProgramData\UDC\ with
   ContainerInherit+ObjectInherit instead of the file. UDC_Setup.exe
   gets killed by KillAfterDetection before UDC.exe creates
   udc_settings.json, so the file doesn't exist at ACL-grant time.
   Directory-level ACL with inheritance covers any file created later.

2. Set-MachineNumber.ps1 auto-running: the type-specific loop's
   Get-ChildItem -Filter "*.ps1" picked up the desktop tool alongside
   the numbered installer scripts. Added Where-Object { $_.Name -match
   '^\d' } so only numbered-prefix scripts (01-eDNC, 02-ACLs) run.

3. WJ Shopfloor copy-to-self: Phase 1 sweep moved WJ Shopfloor.lnk
   into Shopfloor Tools\, then Phase 2's Find-ExistingLnk found it
   there and tried to Copy-Item to the same path. Now checks if
   resolved source path == destination and prints "exists: (already
   in Shopfloor Tools)" instead of erroring.

4. NTLARS missing from taskbar pins: the $pinSpec entry was never
   added to 07-TaskbarLayout.ps1 despite the comment update. Added
   between eDNC and Defect_Tracker in pin order.

5. shutdown /a stderr noise: 15+ red "Unable to abort system shutdown"
   lines in the transcript from shutdown.exe writing to stderr when no
   shutdown is pending. Changed all occurrences in Run-ShopfloorSetup,
   00-PreInstall-MachineApps to: cmd /c "shutdown /a 2>nul" *>$null
   which suppresses both native stderr and PS error stream.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 09:28:25 -04:00

65 lines
2.9 KiB
PowerShell
Raw Blame History

# 02-MachineNumberACLs.ps1 - Pre-grant write access on the UDC settings
# file and eDNC registry key so that STANDARD (non-admin) users can update
# the machine number via the Check-MachineNumber logon task without
# elevation or a UAC prompt.
#
# Runs during imaging as admin (type-specific Standard phase, after
# 01-eDNC.ps1 has installed DnC). Only touches Standard PCs.
#
# What gets opened up (narrow scope, not blanket admin):
# - C:\ProgramData\UDC\udc_settings.json -> BUILTIN\Users : Modify
# - HKLM:\SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General
# -> BUILTIN\Users : SetValue
Write-Host "02-MachineNumberACLs.ps1 starting $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
Write-Host "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-Host ""
Write-Host "Setting ACLs for standard-user machine number access..."
# --- UDC settings directory ---
# Set ACL on the DIRECTORY (not the file) with inheritance so that
# udc_settings.json inherits the permission whenever UDC.exe creates it.
# UDC_Setup.exe is killed by KillAfterDetection before UDC.exe writes the
# JSON, so the file doesn't exist at this point. Directory-level ACL with
# ContainerInherit + ObjectInherit covers any file created inside later.
$udcDir = 'C:\ProgramData\UDC'
if (Test-Path -LiteralPath $udcDir) {
try {
$acl = Get-Acl -LiteralPath $udcDir
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
'BUILTIN\Users', 'Modify',
([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
[System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
[System.Security.AccessControl.PropagationFlags]::None,
'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $udcDir -AclObject $acl -ErrorAction Stop
Write-Host " UDC dir: BUILTIN\Users granted Modify (inherited) on $udcDir"
} catch {
Write-Warning " Failed to set ACL on $udcDir : $_"
}
} else {
Write-Host " UDC dir not found at $udcDir - skipping (UDC not installed?)" -ForegroundColor DarkGray
}
# --- eDNC registry key ---
$ednRegPathWin = 'SOFTWARE\WOW6432Node\GE Aircraft Engines\DNC\General'
try {
$regKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ednRegPathWin, $true)
if ($regKey) {
$regSec = $regKey.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule(
'BUILTIN\Users', 'SetValue', 'Allow')
$regSec.AddAccessRule($rule)
$regKey.SetAccessControl($regSec)
$regKey.Close()
Write-Host " eDNC reg: BUILTIN\Users granted SetValue on HKLM:\$ednRegPathWin"
} else {
Write-Host " eDNC registry key not found - skipping (eDNC not installed?)" -ForegroundColor DarkGray
}
} catch {
Write-Warning " Failed to set ACL on HKLM:\$ednRegPathWin : $_"
}
Write-Host "ACL setup complete."
Reference in New Issue View Git Blame Copy Permalink