Login Script question 1

Status
Not open for further replies.
Aug 12, 2004
All,

We have Windows Server 2003 AD and use login scripts to map drives (traditional batch files).

I want to map a drive for users that fall in a certain group on the AD, otherwise, it does not map if they are not a member of this group.

For example:

User Adam is a member of Group AA

If Adam is a member of AA then
map drive L: to this \\server\share
else
don't map it

How do I write this in a bat script?

Thanks,
 
I think you should look at using Group Policies to deliver mapped network drives. Create Group policies for each security group and set 'User Configuration -> Windows settings -> Scripts (Logon/Logoff) -> Logon' to point to a batch file that maps the correct drive for that group. I create a batch file for each security group called say accounts.bat and sales.bat and the like. Now give only the respective security groups rights to apply the Group Policy Object and link all these Group Policy Objects to your Users Organisational Unit (Create an OU for your standard users and move them out of the 'Users' folder in AD Users and Computers if you haven't done so already).

So you have:
A security group called Accounts with users in it
A batch file called accounts.bat that maps a drive to your accounts share
A Group Policy Object called 'Accounts Logon' with the accounts.bat file as the Logon script
The Security on the 'Accounts Logon' has the Authenticated Users removed and the Accounts security added with 'Read' and 'Apply Group Policy' set
The 'Accounts Logon' GPO linked to your Users Organisational Unit.

hope this helps,

S.
 
This should start you on the right path.

*******************************************
Option Explicit

Dim objNetwork, objSysInfo, strUserDN
Dim objUser, objFSO, colGroups, objGroup
Dim strUser

Set objNetwork = CreateObject("Wscript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.userName
''''''''''''''''''''''''''''
'Bind to user object in LDAP
''''''''''''''''''''''''''''
Set objUser = GetObject("LDAP://" & strUserDN)
Set colGroups = objUser.Groups
'''''''''''''''''''''''''''''''''''''''''''''
'Loop through each group membership occurrence
'''''''''''''''''''''''''''''''''''''''''''''
For Each objGroup in colGroups
Call MapDrive
Next
***********************************************

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 
monsterjta

Will this work with a regular batch file (.bat file)? What language is this?

I am just needing a simple if then for this issue, that's all I need.

I appreciate your help,

Erik
 
Here is an example of mine:

rem check for resource utility
rem IF NOT EXIST %windir%\IFMEMBER.EXE copy \\PDC\netlogon\ifmember.exe %windir%
@SET LANG=ENU

@ECHO OFF



GOTO USERS

:USERS
rem this section maps the K: drives
rem for AccPac users.
IFMEMBER users
IF NOT %errorlevel% EQU 1 GOTO TOPART
net use K: \\topperssql\sbt32020205 /persistent:no

:TOPART
rem this section maps the I: drives
rem for TopArt users.
IFMEMBER topart
IF NOT %errorlevel% EQU 1 GOTO IT
net use I: \\luke\topart /persistent:no
net use L: \\tllc-printers\printers /persistent:no

:IT
IFMEMBER netops
IF NOT %errorlevel% EQU 1 GOTO REBATE
net use N: \\luke\IT /persistent:no

:REBATE
IFMEMBER rebate
IF NOT %errorlevel% EQU 1 GOTO TIME
net use L: \\luke\REBATE /persistent:no

:TIME
rem this section maps the U: drives
rem for Time users.
IFMEMBER time
IF NOT %errorlevel% EQU 1 GOTO END
net use U: \\luke\time /persistent:no

rem target of the GOTO END above
:END
REM =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
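
A parameterised variant of the ifmember approach above, as an added example that is not part of the original post: one subroutine tests membership, clears any stale mapping on the drive letter and logs a failed `net use`. It assumes ifmember.exe has been placed in the NETLOGON share; group AA, L: and \\server\share are the placeholders from the original question, and the log file name is hypothetical.

```batch
@echo off
setlocal
rem Added example, not from the thread. Assumptions (hypothetical names):
rem   - ifmember.exe (Resource Kit) has been placed in the NETLOGON share
rem   - group "AA", drive L: and \\server\share are the question's placeholders
rem   - the log file name logon-map.log is made up for this example

rem Run the tool from the NETLOGON share instead of copying it to %windir%,
rem so the script also works for users who cannot write to %windir%.
set "IFM=%LOGONSERVER%\netlogon\ifmember.exe"
set "LOG=%TEMP%\logon-map.log"

if not exist "%IFM%" (
    echo %date% %time% ifmember.exe not found at %IFM%>>"%LOG%"
    goto :eof
)

rem One CALL line per group; give each share its own drive letter.
call :MapIfMember "AA" L: \\server\share
goto :eof

:MapIfMember
rem %1 = group name, %2 = drive letter, %3 = UNC path
"%IFM%" %1
rem ifmember sets ERRORLEVEL to the number of listed groups the user is in,
rem so anything below 1 means "not a member": leave the drive unmapped.
if not errorlevel 1 goto :eof

rem Drop any stale mapping first; this fails harmlessly if nothing is mapped.
net use %2 /delete /y >nul 2>&1

net use %2 %3 /persistent:no >nul 2>&1
if errorlevel 1 echo %date% %time% %USERNAME%: mapping %2 to %3 failed>>"%LOG%"
goto :eof
```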
 
Maugwa

That looks like what I had in mind, do you need access to a resource kit file, is that what I am reading?

Thanks,

Erik
 
Erik,

That is VBScript. I don't believe it's possible to enumerate through group membership with a batch file. If you would like to build around the concept of automating your systems, go with VBScript as it can access much more in terms of network and AD objects.

You are correct. You would have a number of lines in the MapDrive section. One line per defined group you have in AD, to map the appropriate drives. The actual mapping code would look like this:
**************************************
''''''''''''''''
' Drive mappings
''''''''''''''''
' objGroup is set by the For Each loop in the main script
Dim objShell
Set objNetwork = CreateObject("WScript.Network")
If objGroup.CN = "group1" Then
    objNetwork.MapNetworkDrive "S:", "\\servername\sharename"
    ''''''''''''''''''''''''''''''''''
    'Rename mappings
    ''''''''''''''''''''''''''''''''''
    ' Only rename S: once it has been mapped; otherwise NameSpace("S:") is Nothing
    WScript.Sleep 300
    Set objShell = CreateObject("Shell.Application")
    objShell.NameSpace("S:").Self.Name = "Share"
End If
If objGroup.CN = "group2" Then
    objNetwork.MapNetworkDrive "T:", "\\servername\sharename"
End If
*******************************************
Of course, this code would reside within a function called MapDrive.

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 
try using kix ... it's a little bit easier to write code in it than VB and it's free.

I use it on my servers and it works perfectly!! I also map printers.
 
Kix is old hat dasaybz.

VBScript is super easy to write code for. Refer to my FAQ on the subject (link above). I'm aware of a few hundred companies using my script, and it's free too. ;-)

I hope you find this post helpful.

Regards,

Mark

 
KIX may be old school, but I think it is highly under-estimated. It is a strong scripting language, and I must agree that it is a lot easier to learn than VB.

Don't get me wrong, VB Script is very powerful, and way more versatile than KIX - but I wouldn't completely disregard it.

Mike Fegan, MCSE

 
I'm coming to this party kinda late and have a *.bat file attached to a GPO. For some reason it doesn't seem to process even after a GPUPDATE from the 'run' line.


I've even followed Sharper's post to the letter (I've got a security group and GPO named 'accounts' now :D). The only interpretation from his instructions I've had to make are in attaching the *.bat file.

If I 'right click' "Accounts Logon" and choose edit, I get the GPOEditor. I'm pretty sure I remember that's where I'm supposed to be. I've attached the *.bat file in the 'computer' and 'user' configuration. (Windows Settings-Scripts-startup)

Where am I going wrong?


Thanks for any help.......(we're converting from Netware so please excuse my ignorance :D)
 
Oh, and I guess I should let people know what's in my *.bat file.

net use J: \\<servername>\<sharedfolder> /persistent:no




I'm sure that will get a little more interesting with time, but just trying to keep it simple to get things working.
 
mbryson,

I've attached the *.bat file in the 'computer' and 'user' configuration. (Windows Settings-Scripts-startup)

This would not be a computer startup policy. It would be implemented in a user logon policy.

Also, the script will not run with a gpupdate command. It will only run during logon time.

Hope This Helps,

Good Luck!
 
I included the GPUPDATE on the server so people would know I applied the group policy before logging in to a workstation as a user (read that somewhere, I think).

I'll take the *.bat file out of the computer startup policy.

Thanks for the quick response :D
 
I included the GPUPDATE on the server so people would know I applied the group policy before logging in to a workstation as a user

Not quite sure what you mean here. GPUPDATE must be run on the local machine to be refreshed.

Hope This Helps,

Good Luck!
 
I just ran 'gpupdate' on both the server and the client and still get the same results with no mapped drive on the client machine. I am able to 'net use....etc.' from a command line on the client machine and the server machine.

Again, thanks for your assistance!
 