Need to map drives according to group membership


1Zeus

IS-IT--Management
Apr 7, 2004
US
Using NT 4.0 server with latest security updates. Clients are W2k. Currently using net use statements in login.bat file to map drives. We now have a need to map drives per group membership. How can I do this?
 
Have a look at the ifmember tool in the resource kit

Andy Leates MCSE CCNA MCP+I
 
Per a search on Microsoft's web site, I found ifmember for:
System Requirements
Supported Operating Systems: Windows 2000

You can download and use Ifmember.exe on any of the following platforms:

Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server
Windows 2000 Datacenter

Is there a version for NT 4.0 Server as well?
 
Definitely - I have used it for years. I can email it to you if you have any problems finding it.

Andy

Andy Leates MCSE CCNA MCP+I
 
Agree, it runs quite happily on NT as well.

-------------------------------

If it doesn't leak oil it must be empty!!
 
Ok, have ifmember installed and part of the path statement. If I create a login.bat file and have every user logging in using it, should the following work? Also, on the last section; how do I get all the groups to map the last 3 drives?

ifmember accounting
if not errorlevel 1 exit
net use F: \\pandora\accounting /persistent:no

ifmember marketing
if not errorlevel 1 exit
net use m: "\\pandora\MarketingSales" /persistent:no
net use o: \\mbomer\GoldMine /persistent:no

ifmember programs
if not errorlevel 1 exit
net use E: \\pandora\programs /persistent:no
net use I: \\pandora\execadmin /persistent:no

ifmember hr
if not errorlevel 1 exit
net use r: \\pandora\hr /persistent:no



rem How do I get all the users to map the following 3 drives?
rem net use n: \\pandora\psware /persistent:no
rem net use s: \\pandora\software /persistent:no
rem net use p: \\server\psware /persistent:no
 
I'm doing the exact same thing, but I have 3 BDCs on different segments. How does that login.bat script file get replicated, and where should it be placed?

Andy: Can you send me a copy of the ifmember.exe and let me know where (which Domain Controller) it should be and which folder.

Thanks
 
Sure, will need your email address.

Andy Leates MCSE CCNA MCP+I
 
As a test, I logged in as a user who has membership to some of the groups, all the drives get mapped but only access to the correct groups is accessed. I do not want the other drives to be visible drives. Any ideas?

Below is my login.bat file:

net use n: \\pandora\psware /persistent:no
net use s: \\pandora\software /persistent:no
net use p: \\server\psware /persistent:no

ifmember accounting
if not errorlevel 1 exit
net use F: \\pandora\accounting /persistent:no

ifmember bphone
if not errorlevel 1 exit
net use G: \\pandora\bphone /persistent:no

ifmember marketing
if not errorlevel 1 exit
net use m: "\\pandora\MarketingSales" /persistent:no
net use o: \\mbomer\GoldMine /persistent:no

ifmember programs
if not errorlevel 1 exit
net use E: \\pandora\programs /persistent:no
net use I: \\pandora\execadmin /persistent:no

ifmember hr
if not errorlevel 1 exit
net use r: \\pandora\hr /persistent:no

ifmember smiths engineering
if not errorlevel 1 exit
net use q: \\pandora\smiths\smiths_engineering

ifmember smiths marketing
if not errorlevel 1 exit
net use t: \\pandora\smiths\smiths_marketing
 
Try replacing exit with "goto exit" and create an "exit" label at the end of the script. Also you will need to use quotes " when your group name contains a space :-

If each user is only in one group

ifmember "smiths engineering"
if not errorlevel 1 goto exit
net use q: \\pandora\smiths\smiths_engineering

ifmember "smiths marketing"
if not errorlevel 1 goto exit
net use t: \\pandora\smiths\smiths_marketing

:exit

Or if multiple groups

ifmember "smiths engineering"
if not errorlevel 1 goto SmithsMarketing
net use q: \\pandora\smiths\smiths_engineering

:SmithsMarketing
ifmember "smiths marketing"
if not errorlevel 1 goto exit
net use t: \\pandora\smiths\smiths_marketing

:exit

-------------------------------

If it doesn't leak oil it must be empty!!
 
Ok, created the new script, following NortonES2's advice. The 1st section below is the 1st 2 group statements in my batch file, the 2nd section is the error response when the batch file runs at login. The errors repeat for all the groups. ifmember is installed on the NT server.

ifmember accounting
if not errorlevel 1 goto bphone
net use F: \\pandora\accounting /persistent:no

:bphone
ifmember bphone
if not errorlevel 1 goto marketing
net use G: \\pandora\bphone /persistent:no

--------

U:\>ifmember accounting
'ifmember' is not recognized as an internal or external command,
operable program or batch file.

U:\>if not errorlevel 1 goto bphone

U:\>net use F: \\pandora\accounting /persistent:no
The command completed successfully.


U:\>ifmember bphone
'ifmember' is not recognized as an internal or external command,
operable program or batch file.
 
1Zeus:

You need to copy the ifmember.exe to the c:\winnt\system32 and the c:\winnt\system folder of the NT Domain Controller (PDC and BDCs) that the users are authenticating to. If you have Replication configured, it will automatically be replicated to the BDC, but I copy mine for good measure.

Also you may want to copy it to the c:\winnt\system32\repl\import\scripts folder.

At a DOS prompt type PATH on the PDC and this will give you an indication which directories are scanned when the ifmember.exe is processed.

I had the same issue, during my install.

Below is my login.bat which works like a charm:
rem Remote group Login Script ******

@echo off

ifmember TXGROUP
if not errorlevel 1 goto LA
NET USE H: \\nbtxdc\home
NET USe N: \\nbtxdc\apps

:LA
ifmember LAGROUP
if not errorlevel 1 goto MI
NET USE H: \\nbtxdc\home
NET USe N: \\nbtxdc\apps

:MI
ifmember MIGROUP
if not errorlevel 1 goto IT
NET USE H: \\nbtxdc\home
NET USe N: \\nbtxdc\apps

:IT
ifmember ITGroup
if not errorlevel 1 goto end
NET USE M: \\nbtxdc\home
NET USe K: \\nbtxdc\apps

pause
:end
echo NT Sucks !!

Good luck
 
OK but, the logon script runs on the local machine so you need to copy ifmember.exe to a directory that is in the path on the pc. Below is the first line of our logon script that achieves this.

copy %logonserver%\netlogon\ifmember.exe %systemroot%\system32

-------------------------------

If it doesn't leak oil it must be empty!!
 
It is now working!!!!!
I did not have to copy ifmember.exe to the workstations at all. Once I copied ifmember.exe to:
"copy the ifmember.exe to the c:\winnt\system32 and the c:\winnt\system folder of the NT Domain Controller"
The bat file worked.

Thank you guys for the assistance with this it is appreciated.
 
This is great information. There are other options, Kix32, testgrp.exe, etc., but they all have their share of problems! I am currently using a product that works flawlessly except for one drawback. I have discovered that in a multi-DC environment where a star, spoke, network design has been implemented, testgrp.exe will not verify that the login user is a member of the specified group if the circuit is broken. This is a problem due to the need to ensure that the login user can still get to data, drive mappings, to the servers on his side of the wire, the "Local LAN". So my question about ifmember.exe is: "Has anyone ever deployed this solution in an enterprise environment with multiple remote locations? Each remote having a BDC for fault tolerance regarding authentication and to reduce the need to have additional traffic go across the WAN circuits. If you have tested this, what happened in the event of a circuit outage? Did ifmember.exe arp out the request for authentication, hence the BDC answered the call, or did the script throw errors?"



CodeCore --
 
CodeCore:

Recall, that the BDC's in your remote offices (I have exactly same configuration - BDC at each site over Frame Relay) are requested to Sync up databases with the PDC, if I recall correctly, this happens every 12 mins.

So, now that your circuit is down, the BDC (local to the user) handles the authentication because it has the group memberships (unless you're adding users to groups constantly) and knows how to process the ifmember.exe call.

But, there's no better way to test this out than yanking the circuit late one evening.

Sinyce
 
great post...thanks.

I'm having a little trouble and need help. We have been using a logon.bat file for some time. We have just been mapping all drives, and if you're not a member, you just don't get access. I installed ifmember and wrote a new bat, and here is a part of it:

:ENG
ifmember Engineering
if not errorlevel 1 goto MS
net use g: \\server1\engineering

:MS
ifmember MarketingandSales
if not errorlevel 1 goto TDT
net use k: \\server1\Marketingandsales

I put drives everyone needs access to, at the top of the bat file.

OK, the problem is on the local machine: XP is remembering the mapped drives. So before, as not a member of Engineering, you would get the drive mapped but not have access. I put a few pauses in the bat file to watch it. It does step over that line, but XP is still mapping it. If I unmap the drive locally the bat file works. When I move to another machine I used with the old bat, it still gets Engineering mapped.

I guess I need a line where errorlevel 0 then unnet use.... I don't know the command to unmap the drive.

Any thoughts?
 
To unmap a drive:-

net use k: /d

will unmap the k: drive.

-------------------------------

If it doesn't leak oil it must be empty!!
 
I think I found it. For some reason I think XP is using /persistent:yes as default, so I just added /persistent:no to the net use lines.

:ENG
ifmember Engineering
if not errorlevel 1 goto MS
net use g: \\server1\engineering /persistent:no

I'm going to let that run for a few days and then try the ifmember bat file.

thanks for the help.
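
The pieces worked out across the thread (the errorlevel test, quoted group names, /persistent:no, and dropping remembered mappings) combined into one logon script. This is an added example, not code from any poster; the group, server and share names are those quoted in the thread, and it assumes ifmember.exe sits in the NETLOGON share and that command extensions are enabled (the default on NT 4.0 and later).

```batch
@echo off
rem Added example, not from any post in the thread.
rem Group, server and share names are the ones quoted in the thread.
rem Assumption: ifmember.exe has been placed in the NETLOGON share.
set IFMEMBER=%logonserver%\netlogon\ifmember.exe

rem Drives every user gets, regardless of group.
call :MapDrive N: \\pandora\psware
call :MapDrive S: \\pandora\software
call :MapDrive P: \\server\psware

rem Group-specific drives: quoted group name, drive letter, UNC path.
call :MapIfMember "accounting" F: \\pandora\accounting
call :MapIfMember "bphone" G: \\pandora\bphone
call :MapIfMember "marketing" M: \\pandora\MarketingSales
call :MapIfMember "marketing" O: \\mbomer\GoldMine
call :MapIfMember "programs" E: \\pandora\programs
call :MapIfMember "programs" I: \\pandora\execadmin
call :MapIfMember "hr" R: \\pandora\hr
call :MapIfMember "smiths engineering" Q: \\pandora\smiths\smiths_engineering
call :MapIfMember "smiths marketing" T: \\pandora\smiths\smiths_marketing
goto :eof

:MapIfMember
rem %1 = group, %2 = drive, %3 = share.
rem Drop any remembered mapping first so a non-member never keeps the letter.
net use %2 /delete >nul 2>&1
"%IFMEMBER%" %1
rem ifmember sets errorlevel 1 or higher when the user is in the group.
if not errorlevel 1 goto :eof
net use %2 %3 /persistent:no
goto :eof

:MapDrive
rem %1 = drive, %2 = share.
net use %1 /delete >nul 2>&1
net use %1 %2 /persistent:no
goto :eof
```

Running ifmember.exe from NETLOGON means users need no write access to system32 on the workstation. The script only decides which drive letters appear; access to each share is still enforced by its share and NTFS permissions.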
 