Group Policy+Logon Script+File Server problem

[rrevuru]

Hello:

I have a share on Windows 2003 Server
"C:/Public" which is shared.

I have a logon script applied on "Groups-OU". Which says that map the above share if User = "Staff" (User Group)

I tried like 100 times, and found it that. it maps the drive only if
"User = Staff, Administrator"
I mean it maps only for the users who are in both groups, Staff as well as Administrator


Where exactly is the problem?

1. Is it with File Server Share security problem
2. Is it with Login Script?
3. Is it with Group Membership.

please let me know if you have any clues?

Any help is appreciated?

Thanks,

 

[intelwizrd]

sounds like a ntfs permissions issue. check the security settings on the folder. set share permissions to staff > full controll, and security permissions to staff > full controll.

hope that helps.

----------------------------
Josh
CCNA, MCSE 2003(in progress)

 

[tfg13]

Most likely a script problem. Post that portion of the script, let us see where the issues are.

 

[revururaj]

tfg13:

Here is the script iam using

******************************************
Const STAFF = "dc=com cn=staff"
Const MANAGEMENT = "dc=com cn=Management"
Const EXECUTIVE = "dc=com cn=Executive"

Set ADSysInfo = CreateObject("ADSystemInfo")
Set wshNetwork = CreateObject("WScript.Network")
wshNetwork.MapNetworkDrive "h:", "\\NS1\home\" & wshNetwork.UserName
Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
strGroups = LCase(Join(CurrentUser.MemberOf))
myArray = Split(strGroups,",")
For i = LBound(myArray) to UBound(myArray)
Select Case myArray(i)

Case STAFF
wshNetwork.MapNetworkDrive "i:", "\\NS1\Public"
MsgBox "Inside STAFF"
case MANAGEMENT
wshNetwork.MapNetworkDrive "j:", "\\NS1\Management"

Case EXECUTIVE
wshNetwork.MapNetworkDrive "k:", "\\NS1\Executive"

End select

NEXT


******************************

 

[tfg13]

The script looks okay. Is the GP being applied to authenticated users? Do you have any security filtering going on? I don't necessarily think you need to give Full Control to staff, but the sharing permission can have full control (I've found it helps to just have NTFS permissions control this portion).

 

[Stevehewitt]

Tried the security / system logs in event viewer?

If it was a access denied message then it would show you.

You could also try and manually check the permissions by logging on as one of those users and attempting to map the drive manually.
If you can map it OK then check the AD account / group settings and also double check the script. (Sorry, not too hot on WSH!)


Steve.

 

[revururaj]

Steve:

You really made a good point. I manually did map the drives, it worked fine. So definitely there is something wrong with the script.

Also i have a basic question.
When we create a new user for example John Smith. with username jsmith, does it automotically create a directory with name jsmith?

I have c:/home as Root for employee home directories. Right now what i did is i manually created a directory jsmith in c:/home/jsmith

Question is i have c:/home as a share,and do i need to share the childdirectory too which is /jsmith?

Please explain.

Thanks,

 

[revururaj]

Fellas.. i guess i found out the reason..and here is conversation on one of the google forums, and looks like it is a bug in microsoft LDAP schema or something.
**************
Hi,

Just to clarify, the LDAP provider does not reveal membership in the
"primary" group. Ordinarily, this is the group "Domain Users". So, if the
user is a member of one group (which must also be the "primary" group), the
memberOf attribute will be empty. Users and computers must be a member of at
least one group (the "primary" group), but groups can be a member of zero
groups. As you've discovered, the code squawks unless the memberOf
collection has at least 2 groups.


The tricky part is that memberOf is an array (collection) if there are 2 or
more entries, but it is a string if there is one, and it is empty if there
are zero.


I think I pointed out the flaw in Microsoft's code on their web site long
ago, but they must not have fixed it. I would use the following:


colGroups = CurrentUser.memberOf
If IsEmpty(colGroups) Then
strGroups = ""
ElseIf TypeName(colGroups) = "String" Then
strGroups = LCase(colGroups)
Else
strGroups = LCases(Join(colGroups))
End If


I hope this helps. Jeff's solution may also work, but I have not tried. If
so, it's shorter.


*************