Script to change a user's group membership based on location of computer

Posted on 2006-07-24
Last Modified: 2010-08-05
This one might be a little tricky, but any help is greatly appreciated.

I already know how to create a script that can check the group membership of a computer.  However, I want to know if it is possible to run a script that will change a USER's group membership depending on what computer that user logs into.

For example, I work at a hospital, and we have probably a dozen or so Clinical Doctor's offices.  Each doctor has nursing and reception staff that can vary from day to day.  The staff in Dr. A's office one day might be in Dr. C's office the next day.

That's where a script like this would come in handy.  Each of our computers is placed in a group that corresponds with the location of that computer.  Is there any way that I could automatically at logon, using a script, grant membership for the current user to the group that corresponds with the computer's location?  In this way we would be able to limit access to the Dr's calendar, network folders, printers, etc. without having to manually change the group membership ourselves.

Thanks in advance! Let me know if I can clarify my problem further!


Question by:MHCC
LVL 51

Accepted Solution

Netman66 earned 500 total points
ID: 17170441
You can script this, yes.  But in order for it to take effect, the users must log out and back in.  


Author Comment

ID: 17170812
Is that necessary so the group membership settings take effect? That probably won't work... Any suggestions on another way to accomplish the same goal?
LVL 51

Expert Comment

ID: 17171205
Yes, absolutely.  Until the next logon they won't have their Security Token updated with their new group membership.

If this is all one domain then just create Global Groups that allow access to the appropriate resources.  For staff that work several offices then they'll belong to multiple groups.  I see no security issue with this.

If it's a workgroup, then the only thing you can do is issue a Generic account for each office for the staff to use.
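
The point made in the comment above, that a group change in the directory does not reach a session's security token until the next logon, can be checked on a workstation. The PowerShell below is an added example, not part of the original thread; it assumes a domain-joined machine and a domain user session in a single domain, and the helper name `Resolve-SidName` is hypothetical.

```powershell
# Added example: compare the domain groups in the current logon token with
# the groups the directory would place in a token issued right now.
# Assumes a domain-joined machine, a domain user session, and one domain.

# Hypothetical helper: turn a SID string into DOMAIN\Name, or return the SID.
function Resolve-SidName([string]$Sid) {
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $Sid }
}

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.User.AccountDomainSid) { throw 'Not a domain account.' }
$domainPrefix = $identity.User.AccountDomainSid.Value + '-'

# 1. Domain group SIDs in the access token that was built at logon.
$tokenSids = @($identity.Groups | ForEach-Object { $_.Value } |
    Where-Object { $_.StartsWith($domainPrefix) })

# 2. Domain group SIDs the directory computes now (tokenGroups is a
#    constructed attribute, so it has to be loaded explicitly).
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$result = $searcher.FindOne()
if (-not $result) { throw 'Current user not found in the directory.' }
$entry = $result.GetDirectoryEntry()
$entry.RefreshCache(@('tokenGroups'))
$directorySids = @($entry.Properties['tokenGroups'] | ForEach-Object {
    (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
} | Where-Object { $_.StartsWith($domainPrefix) })

# 3. Differences: memberships that are not effective yet, and memberships
#    that were removed but stay effective until the session ends.
$pending = @($directorySids | Where-Object { $tokenSids -notcontains $_ })
$stale   = @($tokenSids | Where-Object { $directorySids -notcontains $_ })

$pending | ForEach-Object {
    [pscustomobject]@{ State = 'In directory, not in token (needs new logon)'
                       Group = Resolve-SidName $_ }
}
$stale | ForEach-Object {
    [pscustomobject]@{ State = 'In token, removed in directory (until logoff)'
                       Group = Resolve-SidName $_ }
}
```

An empty result means the session token and the directory agree. The second state is the one that matters for access review: a removed membership keeps working in an open session until the user logs off.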


Author Comment

ID: 17171253
It's a single domain.  There really is no security issue, it's just that the doctors do not want other offices to have immediate access to their schedules and files, etc. It's not necessarily a security issue, just a point of pickiness with the Doctors, to whom much pandering is done.  Although, I could see it being a potential HIPAA Privacy issue with all these separate offices potentially having access to each other's patient data through their employees.

In any case, thanks for the information.

LVL 51

Expert Comment

ID: 17171362

I would create separate user accounts for users that work in more than one office.  Keep them simple so they can remember what account to use where.

Perhaps, build something into the logon name for each roaming user that identifies the office.  The user can still use the same password for all accounts, just a different username for each office they work out of.


Author Comment

ID: 17176120
That's a good idea. I will see if we can get that to work. Thanks for the tip!
