Group member based Logon script issue.

rkalk (IS-IT--Management), Feb 25, 2005
I am rather new to VBScript, but feel I have a decent grasp on it. I have the following script that maps printers and shares based on group membership. I have an issue with this script running against a Windows XP SP2 system, and wanted to get some feedback.

I have posted on other forums relating to VBScript and WSH, but no one had a clue. The script runs fine until it gets to the part where it verifies group membership from AD.

I have been successful at getting it to run on our Windows 2000 machines, and had good success with XP SP1, but now I am having issues with Windows XP SP2. The script will install the "Non-Group" assigned items, but when I get to the group assigned items I get the following error:

Script: test.vbs
Line: 60
Char: 5
Error: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open event viewer or contact your system administrator.
Code: 800704EC
Source:(null)

I have been looking at event viewer, and no errors are reported for this issue.

I have the software restriction policies for my Test OU set to allow VBS to run on this specific machine, as well as from the SYSVOL share. Windows Firewall and Security Center are both disabled, so I know that is not the cause. I cannot figure out why the "non-group" associated resources are getting installed without error, but when I get to the group associated items it generates the above error.


Here are my Software Restriction rules:

Type: Path Rule \\wklaw.net\sysvol\wklaw.net\scripts\*.* = Unrestricted
Type: Path Rule *.vbs = Unrestricted
Type: Path Rule %WINDIR%\System32\*.VBS = Unrestricted

I have verified that these policies have been applied to the local machine from Active Directory. I have tested it and still the exact same error.

In addition to all of the above, I have also verified that I have no other policies in place above this OU.

Has anyone seen this? If so, how do I resolve this?



Option Explicit

' WScript is the built-in host object and must not be re-declared; WshNetwork was unused
Dim objNetwork, objUser, net
Dim currentuser, strGroup

Set objNetwork = CreateObject("WScript.Network")
' Forces script to skip errors
' On Error Resume Next

Set objUser = CreateObject("ADSystemInfo")
Set currentuser = GetObject("LDAP://" & objUser.UserName)
' GetEx always returns an array; plain MemberOf returns a single string when the
' user is in only one group, and Join then fails
strGroup = LCase(Join(currentuser.GetEx("MemberOf")))

'*************************
'*Install Global Printers*
'*************************

Set net = CreateObject("WScript.Network")
net.AddWindowsPrinterConnection "\\DA2UTL01\McK-15", "McK-15 (Color)"
net.AddWindowsPrinterConnection "\\DA2UTL01\McK-20", "McK-20 (High Speed)"
net.AddWindowsPrinterConnection "\\DA2UTL01\McK-30", "McK-30 (High Speed)"
net.AddWindowsPrinterConnection "\\DA2UTL01\McK-40", "McK-40 (High Speed)"

'*************************************************
'*NETWORKDRIVES THAT ARE AVAILABLE FOR EVERY USER*
'*************************************************

objNetwork.MapNetworkDrive "q:", "\\da1fls01\files"
objNetwork.MapNetworkDrive "H:", "\\Da1DC101\home\" & objNetwork.UserName
objNetwork.MapNetworkDrive "G:", "\\Da2fls02\working_files"

'********************************************
'*Installs Printers for the Tech Files group*
'********************************************

' strGroup was lower-cased above and InStr is case-sensitive by default,
' so the search text must be lower-case too or it never matches
If InStr(strGroup, "cn=tech files") Then
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-73 (TF)", "AK-73 (TF)"
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-74 (Color)", "AK-74 (Color)"
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-75 (TF)", "AK-75 (TF)"
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-77 (MF)", "AK-77 (MF)"
End If

'*****************************************
'*Installs Printers for the Medical Group*
'*****************************************

If InStr(strGroup, "cn=medical") Then
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-80 (Medical)", "AK-80 (Medical)"
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-79 (medical)", "AK-79 (medical)"
End If

'*******************************************
'*Installs Printers for the 7th Floor Users*
'*******************************************

If InStr(strGroup, "cn=test") Then
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-82 (Color)", "AK-82 (Color)"
    net.AddWindowsPrinterConnection "\\DA1UTL01\AK-83 (7th)", "AK-83 (7th)"
End If

'Concordance - Note Only Concordance indexing users are assigned to this group.
If InStr(strGroup, "cn=index qc") Then
    objNetwork.MapNetworkDrive "k:", "\\DA2fls01\Test"
    objNetwork.MapNetworkDrive "I:", "\\DA1fls01\images"
    objNetwork.MapNetworkDrive "o:", "\\DA1fls01\ocr"
End If



Any help on this would be great.
 
try editing it a bit - something like what's below - i.e. using the getex

Dim ADSysInfo, CurrentUser, strGroups, wshNetwork

Set wshNetwork = CreateObject("WScript.Network")
Set ADSysInfo = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
' GetEx always returns an array, even when the user is in a single group
strGroups = LCase(Join(CurrentUser.getex("MemberOf")))

' strGroups is lower-cased, so the search text must be lower-case as well
If InStr(strGroups, "cn=typing") Then
    wshNetwork.MapNetworkDrive "t:", "\\juno\typing"
End If
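A tighter version of the group check, added here as an example and not code from either poster: it uses GetEx as the reply suggests, matches the group CN exactly rather than as a substring of the joined DNs, and reports the 800704EC software-restriction block by name so the cause lands in the logon output instead of a silent stop. Printer, share and group names are the ones from the thread; the message wording and exit code are assumptions.

```vbscript
Option Explicit
' Added example, not the poster's script: exact group matching via GetEx plus an
' explicit report of the software-restriction block. Group names and resource
' paths come from the thread; the log wording and exit code are assumptions.

Dim objSysInfo, objUser, objNetwork, arrGroups
Set objNetwork = CreateObject("WScript.Network")

On Error Resume Next
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
If Err.Number <> 0 Then
    ' Hex() of a COM error number gives the HRESULT the WSH dialog shows
    If Hex(Err.Number) = "800704EC" Then
        WScript.Echo "AD lookup blocked by a software restriction policy; " & _
                     "check the SRP rules that cover this script."
    Else
        WScript.Echo "AD lookup failed: 0x" & Hex(Err.Number) & " " & Err.Description
    End If
    WScript.Quit 1
End If
' GetEx always returns an array; it raises an error when memberOf is empty
arrGroups = objUser.GetEx("memberOf")
If Err.Number <> 0 Then
    arrGroups = Array()
    Err.Clear
End If
On Error GoTo 0

' True when one memberOf DN has exactly this CN (case-insensitive). A substring
' test on the joined DNs, as in the original script, would match "cn=Tester"
' for "Test". Assumes group CNs contain no escaped commas.
Function IsMemberOf(arrDNs, strGroupCN)
    Dim strDN
    IsMemberOf = False
    For Each strDN In arrDNs
        ' first RDN of e.g. "CN=Tech Files,OU=Groups,DC=wklaw,DC=net"
        If StrComp(Split(strDN, ",")(0), "CN=" & strGroupCN, vbTextCompare) = 0 Then
            IsMemberOf = True
            Exit Function
        End If
    Next
End Function

If IsMemberOf(arrGroups, "Tech Files") Then
    objNetwork.AddWindowsPrinterConnection "\\DA1UTL01\AK-73 (TF)", "AK-73 (TF)"
End If
If IsMemberOf(arrGroups, "Index QC") Then
    objNetwork.MapNetworkDrive "I:", "\\DA1fls01\images"
End If
```

Run it with cscript so the messages go to the console (or a redirected log) rather than a dialog box at logon.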
 
Well I found how to resolve this. I needed to create a file hash rule. Thanks for the advice.
 
Would you be able to provide details on how you solved this? I have been charged with "fixing" a login script that is experiencing the same problem. The only issue is: I am not familiar with VBS and not sure what a file hash rule is. Thanks
 
Here are the steps to create a hash rule.

To create a hash rule
Open Software Restriction Policies.
In either the console tree or the details pane, right-click Additional Rules, and then click New Hash Rule.
Click Browse to find a file, or paste a precalculated hash in File hash.
In Security level, click either Disallowed or Unrestricted.
In Description, type a description for this rule, and then click OK.
Notes

Different administrative credentials are required to perform this procedure, depending on your environment:
If you create a hash rule on your local computer: To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
If you create a hash rule on a computer that is joined to a domain: To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
To open Software Restriction Policies, see "Open Software Restriction Policies" in Related Topics.
It may be necessary to create a new software restriction policy setting for the Group Policy object (GPO) if you have not already done so. For information about how to create new software restriction policies, see Related Topics.
A hash rule can be created for a virus or a Trojan horse to prevent them from running.
If you want other people to use a hash rule so that a virus cannot run, calculate the hash of the virus by using software restriction policies, and then e-mail the hash value to the other people. Never e-mail the virus itself.
If a virus has been sent through e-mail, you can also create a path rule to prevent execution of e-mail attachments. For more information, see "Create a path rule" in Related Topics.
A file that is renamed or moved to another folder results in the same hash. Any change to the file itself results in a different hash.
The only file types that are affected by hash rules are those that are listed in Designated File Types in the details pane for Software Restriction Policies. There is one list of designated file types that is shared by all rules. For more information, see "Add or delete a designated file type" in Related Topics.
For software restriction policies to take effect, users must update policy settings by logging off from and logging on to their computers.
When more than one software restriction policies rule is applied to policy settings, there is a precedence of rules for handling conflicts. For more information, see "Precedence of software restriction policies" in Related Topics.


Here is the source link:

Let me know if you need a simpler explanation than this one.
 