Windows domain remote user login script drive mapping

Hi

I have a Windows 2003 domain. Security groups are defined for people in different parts of the company. Active Directory defines a login script for all users at the home office and maps drives to network shares depending on security group membership. Works great.

Now I have some remote users who want to access shares on the domain controller over VPN. The remote users are members of workgroups at their locations and do not log in to the domain. The remote users are able to map a drive on the domain controller by specifying domain login credentials. Works great - but since the users don't log into the domain, the login script defined in Active Directory does not run and therefore the drives don't get mapped for these people. I know that they can map drives in Explorer or via net use etc.; but I want to automate this and provide the same type of group-based automatic drive mapping.

I can provide remote users with scripts on each PC that will map drives, but I don't know how to get domain group membership. I would rather provide one central script instead of individual scripts on each PC. I would rather not hardcode domain login credentials in scripts on the remote users' PCs.

Help.

Thanks
Asked: Rockjodo

 
aindelicatoCommented:
Have you considered using Terminal Services and letting those remote users RDP into a server after connecting to the VPN?
victornegriCommented:
What VPN Client are you using? Some allow you to authenticate to VPN prior to logging into the computer. If this is available on your VPN Client, you have have them log on to VPN, then log into the domain and have the login scripts run just like they were in the office.
RockjodoAuthor Commented:
Hi

1) I have never looked at Terminal Services, so I'm not sure what RDP does.

2) I am using Cisco VPN client v4.6. How do I configure this to log in to the domain after logging on to the VPN?
victornegriCommented:
I don't have one in front of me but I think it's in Tools --> Options and there's a checkbox to launch the VPN client prior to logging on.
RockjodoAuthor Commented:
I'm not sure what 'launch the VPN client prior to logging on' is supposed to do. The remote user logs into his remote system, runs the VPN client, connects to the main office -- but then what happens? How does the remote user then log in to the domain?
Walter PadrónCommented:
Hi Rockjodo,

If your users don't log on to the domain you can't automate the scripts based on AD policies or group membership; that's a fact.

A workaround can be to ask for the username/domain credentials and then pass both as parameters to your script. That way you have enough info to verify the user's group membership and map drives accordingly, and you don't have the password hardcoded.

cheers
RockjodoAuthor Commented:
wpardon

If I get the remote user's domain userid and password, how can I determine the remote user's AD group membership ?
craylordCommented:
With the VPN client open go to Options and select Advanced Mode. Go back to Options and select Windows Logon Properties. Check the "Enable start before logon" box. Restart. When you restart, before logging on the Cisco client should pop up. Enter your information and wait several seconds until you're sure you're VPN'ed in. Then log in with the domain username. Be patient, as it could take a little while to log in while it retrieves scripts and checks GPOs. Before you change these options, make sure there are no issues when connecting via the Cisco client (firewalls?) a few times. That should be it!
RockjodoAuthor Commented:
Craylord,

A few questions:
1. My Cisco VPN client is version 4.6.0.0045. I do not have an Options / Windows Logon Properties.
2. Assuming that I can fix #1, and the user enters his domain userid / password, then how does he get authenticated for the remote workgroup (the remote user's local workgroup) for access to file shares and printers?

Unless I missed something, I think that what I need is a dual login - local workgroup and domain
victornegriCommented:
You will need to join the computer(s) to the domain. If they are connected to the VPN and log on, they will run the scripts you set in the GPO. If they are not connected to the VPN and log on, they will use their cached credentials and still be able to use the computer as a "workstation".
craylordCommented:
There is no such thing as dual login, at least to my knowledge. You are either logged in as a local user or a domain user. It can't be both. #2 hinges on #1. If you correctly configure #1, #2 will "just happen".

You must make sure you have the Cisco client set to "Advance mode", it should be an option under one of the drop down menus. Here is a document, scroll to page 36 (section 3-4). There is a picture of the Cisco client when Advanced Mode is checked. Scroll to page 42, there is a picture of the Windows Logon Properties option.
http://www1.umn.edu/adcs/help/vpn/pdf/Win4.6Guide.pdf

I'm assuming the pc is joined to the domain already. If the pc is not and they are using a local user account, that will take a few more steps to merge into a domain account.

2. Assuming #1 is fixed. This means the PC is at the logon screen, the user was prompted for his Cisco username/password, the user entered it and the Cisco client connected successfully. At this point the computer is logically connected to the domain, i.e. it wouldn't know the difference if it was connected from a VPN connection or sitting in the office. This also means that, prior to the user logging on, the PC can see other computers and servers on the domain. Most importantly, a domain controller, which it will use to authenticate the user when the user actually signs on and to run any logon scripts you have assigned to him. Hope I'm not beating a dead horse here.
zagman76Commented:
Some VPN clients (too few though) will establish the VPN connection prior to the Windows logon. TheGreenBow client is one that we are testing in our lab for just that purpose. If it is compatible with your VPN device, it is an option to look into. That way, the remote users will never have to "log in locally".
bkoehler-mprCommented:
I agree with the comments listed above; the best way to do this is Terminal Services.

If you really wanted to script a solution you'd need the following:

Some way to programmatically determine the user
Prompt for their domain password
Use the WinNT or LDAP providers to look up group membership using the supplied credentials
Explicitly authenticate with the server(s) sharing required resources

Not the easiest thing to write or upkeep.

If you decided you didn't care about group membership lookup you could use a simple batch file for explicit authentication (net use t: \\server\share /user:domain\user /persistent:no)
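
Putting the four steps above together, here is an added PowerShell example; it is not code from this thread or from any of the posters. It is meant for a workgroup PC that is not joined to the domain, run after the VPN is connected: it prompts once for domain credentials, binds to Active Directory over LDAP with them, reads the user's tokenGroups attribute (so nested groups are included), and maps drives from a group-to-share table using those same credentials, so nothing is hardcoded on the remote PC. The domain name, domain controller, naming context, group names and UNC paths are placeholders; it assumes TCP/389 to a domain controller is reachable over the VPN, that the account can read its own tokenGroups (the AD default), and that the WScript.Network COM object is available (it is on any Windows with Windows Script Host).

```powershell
# Added example for the four steps listed above (not code from the thread).
# Runs on a workgroup PC after the VPN is up. Placeholders: CORP, dc1.corp.example,
# DC=corp,DC=example, the group names and the UNC paths in $DriveMap.
param(
    [string]$Domain           = 'CORP',              # placeholder NetBIOS domain name
    [string]$DomainController = 'dc1.corp.example',  # placeholder DC reachable over the VPN
    [string]$SearchBase       = 'DC=corp,DC=example' # placeholder default naming context
)

# Group (sAMAccountName) -> list of drive letter / UNC path pairs. Placeholder values.
$DriveMap = @{
    'Domain Users' = @(@{ Letter = 'H:'; Path = '\\fs1\home' })
    'Sales'        = @(@{ Letter = 'S:'; Path = '\\fs1\sales' })
    'Engineering'  = @(@{ Letter = 'E:'; Path = '\\fs1\eng' },
                       @{ Letter = 'P:'; Path = '\\fs1\projects' })
}

function Escape-LdapValue([string]$Value) {
    # RFC 4515 escaping so a typed username cannot change the meaning of the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function ConvertTo-LdapBinary([byte[]]$Bytes) {
    # Binary attribute values (objectSid) are matched as \xx-escaped bytes in an LDAP filter.
    ($Bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

# Steps 1 and 2: identify the user and prompt for the domain password. The password lives
# in a PSCredential in memory, not in the script and not on the PC's disk.
$cred = Get-Credential -Message "Enter your $Domain credentials" -UserName "$Domain\"
if (-not $cred) { Write-Error 'No credentials supplied.'; exit 1 }
$sam      = $cred.UserName.Split('\')[-1]
$password = $cred.GetNetworkCredential().Password   # DirectoryEntry needs it in clear; kept in memory only

# Step 3: bind to AD with the supplied credentials and locate the user object.
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$DomainController/$SearchBase", $cred.UserName, $password)
$userSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
$userSearch.Filter = "(&(objectCategory=person)(sAMAccountName=$(Escape-LdapValue $sam)))"
$hit = $userSearch.FindOne()
if (-not $hit) { Write-Error "Account $sam not found under $SearchBase (wrong name or password?)"; exit 1 }

# tokenGroups is a constructed attribute holding the SIDs of every group the user belongs to,
# nested groups included, so one read replaces a recursive memberOf walk.
$user = $hit.GetDirectoryEntry()
$user.RefreshCache([string[]]@('tokenGroups'))
$sidClauses = foreach ($sid in $user.Properties['tokenGroups']) {
    "(objectSid=$(ConvertTo-LdapBinary $sid))"
}
$groupNames = @()
if ($sidClauses) {
    # One search resolves all the SIDs to group names instead of one lookup per SID.
    $groupSearch = New-Object System.DirectoryServices.DirectorySearcher($root)
    $groupSearch.Filter   = "(&(objectCategory=group)(|$($sidClauses -join '')))"
    $groupSearch.PageSize = 500
    $null = $groupSearch.PropertiesToLoad.Add('sAMAccountName')
    $groupNames = $groupSearch.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}
Write-Host "$sam is a member of: $($groupNames -join ', ')"

# Step 4: explicit authentication to each file server, one mapping per matching group.
# WScript.Network takes the password as a method argument, so it never appears on a
# command line the way 'net use ... /user:... <password>' would.
$net = New-Object -ComObject WScript.Network
foreach ($group in $groupNames) {
    if (-not $DriveMap.ContainsKey($group)) { continue }
    foreach ($m in $DriveMap[$group]) {
        if (Test-Path -LiteralPath "$($m.Letter)\") {
            Write-Warning "$($m.Letter) is already in use; skipping $($m.Path)"
            continue
        }
        $net.MapNetworkDrive($m.Letter, $m.Path, $false, $cred.UserName, $password)
        Write-Host "Mapped $($m.Letter) -> $($m.Path) (via group '$group')"
    }
}
$password = $null   # drop the clear-text copy once the mappings are made
```

The table of groups and shares is the only thing an administrator maintains, and it can live on a share the script downloads after the first mapping if one central copy is wanted. Group lookup by SID rather than by walking memberOf is what keeps the script honest about nested groups, which a login script relying on ifmember also handles but only once the user has actually logged on to the domain.
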
zagman76Commented:
One thing you could also try is creating a Security Group such as "Field Employees" or something similar, and in their script add:

ifmember "domain user group"
rem ifmember sets ERRORLEVEL to the number of listed groups the user belongs to
if not errorlevel 1 goto :done
net use h: \\server\share1
net use s: \\server\share2
call remote_user_script.cmd
:done
Walter PadrónCommented:
Hi Rockjodo,

Why don't you set up a DFS root and map users to it? It is the same mapping for everyone regardless of where they are.

Script to determine the group membership
http://cwashington.netreach.net/depo/view.asp?Index=343&ScriptType=jscript

cheers

RockjodoAuthor Commented:
Thank you all for your ideas. I'll try various combinations of your suggestions. Since there was no one 'correct' solution, points are split among all who replied - hope that works for you guys.