PowerShell Ezine, Logon Scripts

Guy's Scripting Ezine 24 - Groups

Contents for Guy's Scripting Ezine 24 - Scripting Groups

Note: This page has been superseded by this Group Membership VBScript.

 

See Also Creating Groups: Ezine 38 and 37

This week’s secret - Guy runs an advice service

Readers email me with their problems and I do my best to solve them.  If I can answer the question quickly then I do it for free, if the requestor needs an hour of my time then I charge $25.

As you can imagine I get a wide variety of scripts, from all sorts of people.  You may be interested to know that my score to date is:  'Mr Sensible' 250, 'Nutters' 3. 
Friends who run similar services say they get a higher proportion of nutty letters.  So well done you Mr Sensible!

ˆ

Multiple Logon Problem

Can you help?  This week I had a thorny problem from a reader who wants to limit users to one workstation.  What they want for that user to be denied logon at the second workstation.

So far I have come up with a third party program called UserLock, but that costs an arm and a leg.  We are also experimenting with a Resource Kit program called Cconnect.exe.  (Any experience of CConnect?)

I have been experimenting with a cunning strategy to exploit the share connection limit.  The idea is that the user logs on and connects to a special network share, special because it restricts a user to one share user.  So when they logon as the second workstation, the operating system kicks them off because their logon script tries to map a second share to the same drive.  The trouble with this solution is that it does not scale.  For the connection limit to work, you have to create a separate share for each user.

If you have an idea then do email me.

Scripting for Groups

This is my week for thorny problems.  Scripting for groups is one of my bugbears.  With most attributes there is only one value, for example givenName = Guy.  However groups support multiple values.  When dealing with groups, the key LDAP attribute is MemberOf.

The scenario: You want to map network drives based on group membership.  Let us imagine that Managers have their data stored on a different server from Dentists.

Instructions

  1. Pre-requisites.  You need either a Windows 2000 or Server 2003 domain controller for this script to work.
  2. Important:  Make sure that the person testing the script is in a group called Managers, or Dentists.  Alternatively alter dentists on line 10, to a group that you ARE a member of.
  3. Optional: Edit the ' commented out lines.  Remember in the scenario, you want the script to map the network drive.  So edit that line to reflect a UNC share on your network.  See more here how to map a network drive. MapNetworkDrive
  4. Copy and paste the script below into notepad.
  5. Save the file with .vbs extension e.g. GroupMap.vbs
  6. Double click and observe the message box

 

 

'  GroupMap.vbs
' VBScript to map different groups to different shares.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 3.2 - March 28th 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objNetwork, objUser, CurrentUser
Dim strGroup

Const Dentists_Group = "cn=dentists"
Const Managers_Group = "cn=managers"
Const What_ever_you_Like = "cn=any_lower_case_group"
Const Users_Group = "cn=users"
Const Administrators_Group = "cn=administrators"

Set objNetwork = CreateObject("WScript.Network")

Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)
strGroup = LCase(Join(CurrentUser.MemberOf))

If InStr(strGroup, Dentists_Group) Then
WScript.Echo "Dentists "
' objNetwork.MapNetworkDrive "h:", "\\Server\Users\" _
' & objNetwork.UserName

ElseIf InStr(strGroup, Managers_Group) Then
WScript.Echo " Manager "
' objNetwork.MapNetworkDrive "h:", "\\YourServer\Users\"_
' & objNetwork.UserName

ElseIf InStr(strGroup, Users_Group) Then
WScript.Echo " Only a User... "
' objNetwork.MapNetworkDrive "y:", "\\alan\home\" _
' & objNetwork.UserName

ElseIf InStr(strGroup, Administrators_Group) Then
WScript.Echo "Administrator " & strGroup
' objNetwork.MapNetworkDrive "h:", "\\Another Server\Users\" _
' & objNetwork.UserName

End If
Wscript.Echo "Finished Testing for Groups "
WScript.Quit

' End of example VBScript .
 

Learning Points

Note 1: Constants.  This week I have introduced CONST to hold the group information.  Did you edit Dentists, or to be precise dentists?

Note 2: AdSystemInfo.  Here is a new method of extracting the information from Active Directory.

Note 3: InStr.  This means: in the string value.

Note 4: If.... ElseIf.  I have always liked the 'If' statement, so versatile, so easy, 'If' never lets me down.

Note 5: If you are happy with .Echo message, why not remove the comment ' objNetwork and get the MapNetworkDrive method working.  Remember to uncomment the ' & objNetwork like as well.  Here is more help on MapNetworkDrive.

Note 6: I concatenated '& strGroup' to the Administrators group, you may like to add & strGroup to the other groups.  As ever what I want to do is get you started and give you the confidence to experiment for yourself.

Note 7: See more on MemberOf here

ˇ

Guy's Out Takes

While this script will run after a fashion, my challenges are:

1)  Why doesn't the script echo the USERS message box?  Surely who ever is running this script is member of the Users group? 

2)  Why isn't my second message box working?   Wscript.Echo "Finished Testing for Groups ", has no effect.  Why not?

 

'  GroupMap.vbs
' VBScript to map different groups to different shares.
' Author Guy Thomas http://computerperformance.co.uk/
' Version 2.5 - March 27th 2004
' -----------------------------------------------------------------'
Option Explicit
Dim objNetwork, objUser, CurrentUser
Dim strGroup

Const Dentists_Group = "cn=Dentists"
Const Managers_Group = "cn=Managers"
Const What_ever_you_Like = "cn=any_lower_case_group"
Const Users_Group = "cn=Users"
Const Administrators_Group = "cn=administrators"

Set objNetwork = CreateObject("WScript.Network")

Set objUser = CreateObject("AdSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)
strGroup = LCase(Join(CurrentUser.MemberOf))

If InStr(strGroup, Dentists_Group) Then
WScript.Echo "Dentists "
' objNetwork.MapNetworkDrive "h:", "\\Server\Users\" _
' & objNetwork.UserName

ElseIf InStr(strGroup, Managers_Group) Then
WScript.Echo " Manager "
' objNetwork.MapNetworkDrive "h:", "\\YourServer\Users\"_
' & objNetwork.UserName

ElseIf InStr(strGroup, Users_Group) Then
WScript.Echo " Only a User... "
' objNetwork.MapNetworkDrive "y:", "\\alan\home\" _
' & objNetwork.UserName

ElseIf InStr(strGroup, Administrators_Group) Then
WScript.Echo "Administrator " & strGroup
' objNetwork.MapNetworkDrive "h:", "\\AnotherServer\Users\" _
' & objNetwork.UserName

End If
WScript.Quit

Wscript.Echo "Finished Testing for Groups "
' End of example VBScript .
 

Out Takes - Answers

  • LCase(Join(CurrentUser.MemberOf) means lower case.  So Users Administrators and Dentists are wrong.  Should be users, administrators, and dentists.
  • Silly Guy putting the WScript.Echo AFTER the WSCript.Quit.  Who is going to see that message box.  Mr Nobody!

Computer Training Software - Recommended Training VideosGuy Thomas recommends Computer Training Software

Their topics and material are ideal for getting you started with VBScript.  The videos are easy to follow and you can control the pace.  Try their free demo material and then see if you want to buy the full package. See more about VB Script Training CD.

 *

Google

Webcomputerperformance.co.uk

GFi Events Manager

Guy Recommends: GFi EventsManager

Here is a solution to monitor, manage and archive thousands of events that are generated by devices across your entire network.  Get your free evaluation copy of GFI EventsManager.

 

Home Copyright © 1999-2008 Computer Performance LTD All rights reserved

Please report a broken link, or an error.