LogonScript and Global Domain Policy

[MartinLove]

Hi, I have spent a good few hours going through the post on this site and trying different thing to get my LogonScript to work, but have been unsucceful..

I have a 2003 SBS as the server, with a mix of W2k and XP... I have amended the Main Default Policy and added the following script...

There is a couple of questions..

1. How do I get the server NOT to run this script when it boots.. Not that it'll be booting that much..

2. The only part of the LogonScript that doesn't work is where it is meant to read the Groups and then Map the drives... This doesn't seem to work.. I have map them manually no problem...

' COMMENT: Enumerates current users' group memberships in given domain.
'
'==========================================================================


ON ERROR RESUME NEXT

Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")

'Edit the next line with your domain name
DomainString = "LevelFour"
UserString = WSHNetwork.UserName
UserString = UserString & "$"

'Bind to the user object to get user name and check for group memberships later
Set UserObj = GetObject("WinNT://" & DomainString & "/" & UserString)

'Synchronizes the time with Server our NTP Server
WSHShell.Run "NET TIME \\lev4dunpdc001 /set /y"

'Disconnect any drive mappings as needed.
WSHNetwork.RemoveNetworkDrive "F:"

'Give the PC time to do the disconnect, wait 300 milliseconds
wscript.sleep 300

'Map drives needed by all
WSHNetwork.MapNetworkDrive "U:", "\\lev4dunpdc001\"& UserString,True


'Now check for group memberships and map appropriate drives
For Each GroupObj In UserObj.Groups
Select Case GroupObj.Name
'Check for group memberships and take needed action
'In this example below, ADMIN and WORKERB are groups.
Case "GGSales"
WSHNetwork.MapNetworkDrive "M:", "\\lev4dunpdc001\Sales",True
Case "GGDevelopers"
WSHNetwork.MapNetworkDrive "I:", "\\lev4dunpdc001\Development",True
Case "GGDevelopers"
WSHNetwork.MapNetworkDrive "S:", "\\Sol",True
Case "GGIT_Support"
WSHNetwork.MapNetworkDrive "T:", "\\IT_Support",True
End Select
Next


'Install Printers

WSHNetwork.AddWindowsPrinterConnection "\\lev4dunpdc001\Kyocera_FS-3800"
WSHNetwork.AddWindowsPrinterConnection "\\lev4dunpdc001\Magicolor_2350"

'Clean Up Memory We Used
set UserObj = Nothing
set GroupObj = Nothing
set WSHNetwork = Nothing
set DomainString = Nothing
set WSHSHell = Nothing

'Quit the Script
wscript.quit

Thanks in advance for you help.

 

[ShackDaddy]

To keep the script from running on the server, when you set up the Policy, explicitly deny access to the policy for the server's computer account.

Or, if your network is small, remove the "Authenticated users" or whatever permission is currently set on the policy and only populate that list with the individual computer names on the network, except for your server.

As far as the group/mapping scripting issue, maybe someone else here can help you with that. Markdmac?

ShackDaddy

 

[tfg13]

I think you should look at:

faq329-6116

Basically, you shouldn't be running any type of login script on the domain policy, but as a policy destined for PC's that you place in an OU.

As for your other issue:

faq329-5798

Markdmac is probably one of the best contributors to this forum. I am not trying to take anything away from any one else, as most people have contributed greatly, but the numbers don't lie.

Look over both of those FAQ's, and you'll see on the Loginscript, you can use some of markdmac's ideas on the second faq, to ease your group membership problems.

 

[markdmac]

Thanks for the praise TFG.

MartinLove, you have to problems with your script. First it is missing something REALLY IMPORTANT.

From the FAQ....

If you use my script(s) please give credit where it is due and leave my name on it. Thanks.

The reason your groups are not enumerating is because you messed with the UserString portion by appending a $ to the end for your shares.

Remove this line:

UserString = UserString & "$"

Then change this

WSHNetwork.MapNetworkDrive "U:", "\\lev4dunpdc001\"& UserString,True

to this

WSHNetwork.MapNetworkDrive "U:", "\\lev4dunpdc001\"& UserString & "$",True

And at the top of the script you will want to add this

'==========================================================================
'
' NAME: LogonScript.vbs
'
' AUTHOR:  Mark D. MacLachlan, The Spider's Parlor
' URL   : [URL unfurl="true"]http://www.thespidersparlor.com[/URL]
' DATE  : 4/10/2003
'
' COMMENT: [red]This code blatantly copied from MarkDMac's
'          FAQ on Tek-Tips[/red]
'
'==========================================================================[shadeshappy]

I hope you find this post helpful.

Regards,

Mark

 

[markdmac]

Also regarding your question about executing on bootup. If this is running when you start your server you have implemented it in the wrong place by placing it in the Startup Script rather than Login Script section of your GPO.

As was correctly noted above, do not place you script in the Default Domain Policy. Instead create a new policy and place the script in there. Follow the directions at the end of my FAQ on how to do it. To keep the script from executing when you log on as admin on the server you can simply modify the security of your new GPO and block the Apply for Admin or you can move admin to a new OU and block inheritance on that new OU.

I hope you find this post helpful.

Regards,

Mark