Script to change a user's group membership based on location of computer

Posted on 2006-07-24
Last Modified: 2010-08-05
This one might be a little tricky, but any help is greatly appreciated.

I already know how to create a script that can check the group membership of a computer.  However, I want to know if it is possible to run a script that will change a USER's group membership depending on what computer that user logs into.

For example. I work at a hospital, and we have probably a dozen or so Clinical Doctor's offices.  Each doctor has nursing and reception staff that can vary from day to day.  The staff in Dr. A's office one day might be in Dr. C's office the next day.

That's where a script like this would come in handy.  Each of our computers is placed in a group that corresponds with the location of that computer.  Is there any way that I could automatically at logon, using a script,  grant membership for the current user to the group that corresponds with the computer's location?  In this way we would be able to limit access to the Dr's calendar, network folders, printers, etc. without having the manually change the group membership ourselves.

Thanks in advance! Let me know if I can clarify my problem further!


Question by:MHCC
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 51

Accepted Solution

Netman66 earned 500 total points
ID: 17170441
You can script this, yes.  But in order for it to take effect, the users must log out and back in.  


Author Comment

ID: 17170812
Is that necessary so the group membership settings take effect? That probably won't work... Any suggestions on another way to accomplish the same goal?
LVL 51

Expert Comment

ID: 17171205
Yes, absolutely.  Until the next logon they won't have their Security Token updated with their new group membership.

If this is all one domain then just create Global Groups that allow access to the appropriate resources.  For staff that work several offices then they'll belong to multiple groups.  I see no security issue with this.

If it's a workgroup, then the only thing you can do is issue a Generic account for each office for the staff to use.

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.


Author Comment

ID: 17171253
It's a single domain.  There really is no security issue, it's just that the doctors do not want other offices to have immediate access to their schedules and files, etc. It's not necessarily a security issue, just a point of pickiness with the Doctors, to whom much pandering is done.  Although, I could see it being a potential HIPAA Privacy issue with all these separate offices potentially having acces to each other's patient data through their employees.

In any case, thanks for the information.

LVL 51

Expert Comment

ID: 17171362

I would create separate user accounts for users that work in more than one office.  Keep them simple so they can remember what account to use where.

Perhaps, build something into the logon name for each roaming user that identifies the office.  The user can still use the same password for all accounts, just a different username for each office they work out of.


Author Comment

ID: 17176120
That's a good idea. I will see if we can get that to work. Thanks for the tip!

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question