Solved

map drives based on group membership

Posted on 2009-03-30
Last Modified: 2012-08-14
I have a new Server 2008 domain that I want to have certain drives/printers mapped when a user logs on based on their group membership.  How can I go about accomplishing this?  Thank you.
Question by:mandyquinn
9 Comments
 
LVL 5

Expert Comment

by:kollenh
Depends on how dynamic you'd like things to be.  If it's mostly a one-time setup, I have a login script that can do that - maps drives based on group memberships, easy enough to add printers, as well.
By one-time setup I mean that group A will map to \\server\share and printer 1 and that won't change too often.  You can change it easily enough in the script, but if it's frequent it could become a pain.
Let me know if you want the script, I'll need to make some tweaks to make it more generic.
0
 

Author Comment

by:mandyquinn
I would love that as it is going to be pretty static as it won't change often at all.

I would really appreciate the script.

Thank you!
0
 
LVL 5

Expert Comment

by:kollenh
I'll sanitize it up and share it out.  Will you ever have any instance where a user, due to being a member of multiple groups, would map to the same drive letter?
0
 

Author Comment

by:mandyquinn
What we are wanting to do is have our departmental drives map to S: and the admins in each department will have an admin drive that we would like to map to T: and there may be a couple of users that will be a part of multiple groups but that will only be 4 or 5 users out of 100.
0
 
LVL 5

Expert Comment

by:kollenh
How are you going to handle the printer mapping?  It's easy enough to add a network printer but things can get a little messed up if you want to start tweaking local printers or printing to a network printer via a local TCP/IP port.
Typically what I do is enumerate the installed network printers and then if the one I want to have mapped isn't there, add it and ignore everything else.  You said it will be based on their group memberships?
0
 
LVL 5

Expert Comment

by:kollenh
I went ahead and put something together based on what makes sense given the information I have so far.  This is what I call a "bare-bones" script; it doesn't do much other than add what you want, very little in the way of checking and error handling.  If you want to do things like evaluate the printers (and drivers) installed and make sure you're not trying to map a network drive to a letter in use by a physical drive or just more error handling in general, let me know.
You'll want to edit lines 7-13 for your environment but it should work fine from there.  You can remark-out line 5 if you're having problems to see if there are errors.  Let me know if you have other questions.

'login.vbs
'
'Function:  Map drives and printers according to group membership

On Error Resume Next

Const strDomain = "DC=domain,dc=com"    'AD domain
Const DeptGroup = "GroupName"
Const AdminGroup = "AdminGroupName"
Const DeptShare = "\\Server\Share"
Const AdminShare = "\\Server\Share"
Const DeptPrinter = "\\Server\Printer-Shared-name"
Const AdminPrinter = "\\Server\Printer-Shared-name"

Set wshNet = CreateObject("Wscript.Network")
Set objfso = CreateObject("Scripting.FileSystemObject")

blnAddDeptPrinter=True
blnAddAdminPrinter=True
' Enumerate the network printers
Set colPrinters = wshNet.EnumPrinterConnections
If colPrinters.Count > 0 Then
    ' the collection alternates port name (even index) and printer name (odd index)
    For p = 0 To colPrinters.Count -1 Step 2
        ' compare the printers by name CASE SENSITIVE
        If colPrinters.Item(p+1) = DeptPrinter Then blnAddDeptPrinter=False

        If colPrinters.Item(p+1) = AdminPrinter Then blnAddAdminPrinter=False

        ' add new/additional printers here using above format
    Next
End If

' Search AD for user
strUser = CreateObject("Wscript.Network").Username
Set objconn = CreateObject("ADODB.Connection")
Set objcmd = CreateObject("ADODB.Command")
objconn.Provider = "ADsDSOObject"
objconn.Open "Active Directory Provider"
Set objcmd.ActiveConnection = objconn

' LDAP filter: (&(objectCategory=User)(samAccountName=<user>))
objcmd.CommandText = _
  "<LDAP://" & strDomain & ">;(&(objectCategory=User)" & _
    "(samAccountName=" & strUser & "));distinguishedname;subtree"

Set objrs = objcmd.Execute
While Not objrs.EOF
    If objrs.RecordCount = 0 Then
        ' cannot continue w/o finding user group memberships
    Else
        ' connect to the user object and enumerate their groups
        Set objUser = GetObject("LDAP://" & objrs.Fields("distinguishedName"))
        arrGroups = objUser.GetEx("memberOf")
        ' memberOf is an extended value so treat as an array
        For Each group in arrGroups
            'If using "distinguished" group names:
'           strGroup = group

            'otherwise use "friendly" group names
            Set objGroup = GetObject("LDAP://" & group)
            strGroup = objGroup.SAMaccountName

            If strGroup = DeptGroup Then
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", DeptShare
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter

            ElseIf strGroup = AdminGroup Then
                ' make sure drive isn't mapped already
                If objfso.FolderExists("T:") Then wshNet.RemoveNetworkDrive "T:",True
                ' map drive
                wshNet.MapNetworkDrive "T:", AdminShare
                ' add printer if it wasn't found initially
                If blnAddAdminPrinter Then wshNet.AddWindowsPrinterConnection AdminPrinter
            End If
        Next

    End If
    objrs.MoveNext
Wend
objconn.Close()

' Optional command to set the default
wshNet.SetDefaultPrinter DeptPrinter

' Release objects
If IsObject(objGroup) Then Set objGroup = Nothing
If IsObject(objUser) Then Set objUser = Nothing
If IsObject(objfso) Then Set objfso = Nothing
If IsObject(wshNet) Then Set wshNet = Nothing


0
 

Author Comment

by:mandyquinn
Thank you so much!

As for the printers what we plan on doing is having network printers installed on our print server and then we want to map them on the clients as necessary.

As for the script what do I do if I have multiple admin shares and department shares?  What I'm asking is I have the shares below that need to be mapped based on group membership.  All admin shares should map to the T: drive and department shares should map to S: as we will have some users that need the admin and department drive.  As an example let's say a user that is a Highway department admin then they will need LC_HWYadmin mapped to T: and the LC_HWYuser mapped to S: and then I will have a user that is not an admin of the Probate office that will only need the S: drive mapped to LC_PROuser.

Admin Group Shares (need to map to T:)
     LC_HWYadmin
     LC_APRadmin
     LC_COMadmin
     LC_PROadmin
     LC_REVadmin

Department Group Shares (need to map to S: )
     LC_HWYuser
     LC_APRuser
     LC_COMuser
     LC_PROuser
     LC_REVuser
     LC_ACuser
     LC_SWuser
     LC_ENVuser
0
 
LVL 5

Accepted Solution

by:
kollenh earned 50 total points
Working off the assumption that you have a different group for each department, it's simply a matter of editing the script to look for and take action based on the groups each user belongs to.  Given the groups you're using, I switched to a 'Select Case' statement - it's easy to add more groups as time goes on, if you follow the format.
I also want to mention that while I define all the printer and server shares at the beginning of the script, you don't have to do that.  I like it because everything is identified at the top of the script for easy reference.
Not sure if you're mapping different printers for each group; I would guess not but I left it that way in the script, just in case.  It's easier to delete a line than add it later.  I'm also going off the assumption you have a little working knowledge of vbs.  If you need help understanding what I put together, I can go into more detail.
The best way to test this is to add yourself to a group and then run the script (manually) and make sure it's doing what you want.  Remove yourself from that group, remove the drive/printer mapping, add to another group, run the script.  Rinse & repeat to your satisfaction.  I've used variations of this script for many years at several different companies and it has worked well for me.
There is a big caveat with this script.  If a user belongs to more than one of these groups (for whatever reason), it's a toss-up which share they'll be mapped to due to the way the script cycles through the group memberships.  What will happen is that the LAST group read will be the one that they're mapped to.  Make sense?

'login.vbs
'
'Function:  Map drives and printers according to group membership

On Error Resume Next        'Rem for testing

Const strDomain = "DC=domain,dc=com"    'AD domain
' Printers
Const DeptPrinter = "\\Server\Printer-Shared-name"
Const AdminPrinter = "\\Server\Printer-Shared-name"
' Groups for the T: drive
Const LC_HWYadmin = "\\Server\LC_HWYadmin"
Const LC_APRadmin = "\\Server\LC_APRadmin"
Const LC_COMadmin = "\\Server\LC_COMadmin"
Const LC_PROadmin = "\\Server\LC_PROadmin"
Const LC_REVadmin = "\\Server\LC_REVadmin"
' Groups for the S: drive
Const LC_HWYuser = "\\Server\LC_HWYuser"
Const LC_APRuser = "\\Server\LC_APRuser"
Const LC_COMuser = "\\Server\LC_COMuser"
Const LC_PROuser = "\\Server\LC_PROuser"
Const LC_REVuser = "\\Server\LC_REVuser"
Const LC_ACuser = "\\Server\LC_ACuser"
Const LC_SWuser = "\\Server\LC_SWuser"
Const LC_ENVuser = "\\Server\LC_ENVuser"

Set wshNet = CreateObject("Wscript.Network")
Set objfso = CreateObject("Scripting.FileSystemObject")

blnAddDeptPrinter=True
blnAddAdminPrinter=True
' Enumerate the network printers
Set colPrinters = wshNet.EnumPrinterConnections
If colPrinters.Count > 0 Then
    ' the collection alternates port name (even index) and printer name (odd index)
    For p = 0 To colPrinters.Count -1 Step 2
        ' compare the printers by name CASE SENSITIVE
        If colPrinters.Item(p+1) = DeptPrinter Then blnAddDeptPrinter=False

        If colPrinters.Item(p+1) = AdminPrinter Then blnAddAdminPrinter=False

        ' add new/additional printers here using above format
    Next
End If

' Search AD for user
strUser = CreateObject("Wscript.Network").Username
Set objconn = CreateObject("ADODB.Connection")
Set objcmd = CreateObject("ADODB.Command")
objconn.Provider = "ADsDSOObject"
objconn.Open "Active Directory Provider"
Set objcmd.ActiveConnection = objconn

' LDAP filter: (&(objectCategory=User)(samAccountName=<user>))
objcmd.CommandText = _
  "<LDAP://" & strDomain & ">;(&(objectCategory=User)" & _
    "(samAccountName=" & strUser & "));distinguishedname;subtree"

Set objrs = objcmd.Execute
While Not objrs.EOF
    If objrs.RecordCount = 0 Then
        ' cannot continue w/o finding user group memberships
    Else
        ' connect to the user object and enumerate their groups
        Set objUser = GetObject("LDAP://" & objrs.Fields("distinguishedName"))
        arrGroups = objUser.GetEx("memberOf")
        ' memberOf is an extended value so treat as an array
        For Each group in arrGroups
            ' wscript.echo group        'Un-remark for TESTING
            'If using "distinguished" group names:
'           strGroup = group

            'otherwise use "friendly" group names
            Set objGroup = GetObject("LDAP://" & group)
            strGroup = objGroup.SAMaccountName

            Select Case LCase(strGroup)
              ' Admin groups (T: drive, admin printer)
              Case "lc_hwyadmin"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("T:") Then wshNet.RemoveNetworkDrive "T:",True
                ' map drive
                wshNet.MapNetworkDrive "T:", LC_HWYadmin
                ' add printer if it wasn't found initially
                If blnAddAdminPrinter Then wshNet.AddWindowsPrinterConnection AdminPrinter
              Case "lc_apradmin"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("T:") Then wshNet.RemoveNetworkDrive "T:",True
                ' map drive
                wshNet.MapNetworkDrive "T:", LC_APRadmin
                ' add printer if it wasn't found initially
                If blnAddAdminPrinter Then wshNet.AddWindowsPrinterConnection AdminPrinter
              Case "lc_comadmin"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("T:") Then wshNet.RemoveNetworkDrive "T:",True
                ' map drive
                wshNet.MapNetworkDrive "T:", LC_COMadmin
                ' add printer if it wasn't found initially
                If blnAddAdminPrinter Then wshNet.AddWindowsPrinterConnection AdminPrinter
              Case "lc_proadmin"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("T:") Then wshNet.RemoveNetworkDrive "T:",True
                ' map drive
                wshNet.MapNetworkDrive "T:", LC_PROadmin
                ' add printer if it wasn't found initially
                If blnAddAdminPrinter Then wshNet.AddWindowsPrinterConnection AdminPrinter
              Case "lc_revadmin"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("T:") Then wshNet.RemoveNetworkDrive "T:",True
                ' map drive
                wshNet.MapNetworkDrive "T:", LC_REVadmin
                ' add printer if it wasn't found initially
                If blnAddAdminPrinter Then wshNet.AddWindowsPrinterConnection AdminPrinter

              ' Departmental groups (S: drive, department printer)
              Case "lc_hwyuser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_HWYuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
              Case "lc_apruser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_APRuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
              Case "lc_comuser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_COMuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
              Case "lc_prouser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_PROuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
              Case "lc_revuser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_REVuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
              Case "lc_acuser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_ACuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
              Case "lc_swuser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_SWuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
              Case "lc_envuser"
                ' make sure drive isn't mapped already
                If objfso.FolderExists("S:") Then wshNet.RemoveNetworkDrive "S:",True
                ' map drive
                wshNet.MapNetworkDrive "S:", LC_ENVuser
                ' add printer if it wasn't found initially
                If blnAddDeptPrinter Then wshNet.AddWindowsPrinterConnection DeptPrinter
            End Select

        Next
    End If
    objrs.MoveNext
Wend
objconn.Close()

' Optional command to set the default (not recommended, tends to disgruntle employees)
'wshNet.SetDefaultPrinter DeptPrinter

' Release objects
If IsObject(objGroup) Then Set objGroup = Nothing
If IsObject(objUser) Then Set objUser = Nothing
If IsObject(objfso) Then Set objfso = Nothing
If IsObject(wshNet) Then Set wshNet = Nothing


0
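The multiple-group caveat in the accepted answer can be made deterministic by resolving each drive letter from an explicit precedence list before anything is mapped. This is an added example, not part of kollenh's script; the precedence order, the PickGroup and PlanDrives helpers and the sample membership list are assumptions for illustration.

```vbscript
Option Explicit

' Assumed precedence: the earlier a group is listed, the higher it ranks.
' Share paths follow the \\Server\<group> pattern used in the script above.
Dim adminGroups, deptGroups
adminGroups = Array("LC_HWYadmin", "LC_APRadmin", "LC_COMadmin", _
                    "LC_PROadmin", "LC_REVadmin")
deptGroups = Array("LC_HWYuser", "LC_APRuser", "LC_COMuser", "LC_PROuser", _
                   "LC_REVuser", "LC_ACuser", "LC_SWuser", "LC_ENVuser")

' Return the highest-ranked group in orderedGroups that appears in memberOf
' (case-insensitive), or "" if none. Lower-ranked matches are returned in
' skipped so they can be logged instead of silently overriding the winner.
Function PickGroup(orderedGroups, memberOf, ByRef skipped)
    Dim g, m, winner
    winner = ""
    skipped = ""
    For Each g In orderedGroups
        For Each m In memberOf
            If StrComp(g, m, vbTextCompare) = 0 Then
                If winner = "" Then
                    winner = g
                ElseIf skipped = "" Then
                    skipped = g
                Else
                    skipped = skipped & ", " & g
                End If
                Exit For
            End If
        Next
    Next
    PickGroup = winner
End Function

' Build a drive-letter -> UNC path plan from a list of group names.
Function PlanDrives(memberOf)
    Dim plan, skipped, grp
    Set plan = CreateObject("Scripting.Dictionary")
    grp = PickGroup(adminGroups, memberOf, skipped)
    If grp <> "" Then plan.Add "T:", "\\Server\" & grp
    If skipped <> "" Then WScript.Echo "T: also matched, ignored: " & skipped
    grp = PickGroup(deptGroups, memberOf, skipped)
    If grp <> "" Then plan.Add "S:", "\\Server\" & grp
    If skipped <> "" Then WScript.Echo "S: also matched, ignored: " & skipped
    Set PlanDrives = plan
End Function

' Constructed sample: a highway admin who is also in two department groups.
' In the logon script, collect objGroup.SAMaccountName values into this array
' inside the For Each loop, then map each plan entry with MapNetworkDrive.
Dim sample, plan, drive
sample = Array("Domain Users", "lc_prouser", "LC_HWYuser", "LC_HWYadmin")
Set plan = PlanDrives(sample)
For Each drive In plan.Keys
    WScript.Echo drive & " -> " & plan(drive)
Next
```

Run it with cscript //nologo so the output goes to the console; the result no longer depends on the order in which memberOf returns the groups.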
 
LVL 5

Expert Comment

by:indi001
You could use batch/cmd scripts as well.
Here is a script I created for a similar purpose some months ago, using "ifmember.exe" and "con2prt.exe" (download from Microsoft):
"ifmember.exe" and "con2prt.exe" should be in your netlogon share.
Here is the relevant part of my script:

echo disconnect drives
net use * /delete /y
echo.
echo.
echo net use h: \\XXXfscluster\DAT /persistent:no
net use h: \\XXXfscluster\DAT /persistent:no
echo.
echo net use j: \\XXXfscluster\home$\%username% /persistent:no
net use j: \\XXXfscluster\home$\%username% /persistent:no
echo.
echo.
echo net use k: \\XXXSQL\WINDVSW2 /persistent:no
net use k: \\XXXSQL\WINDVSW2 /persistent:no
echo.
echo.
\\XXXlaw\netlogon\ifmember.exe ReuCash
if errorlevel=1 (
echo net use o: \\XXXfscluster\ReuCash /persistent:no
net use o: \\XXXfscluster\ReuCash /persistent:no
)
echo.
echo.
echo net use p: \\XXXfscluster\PROGS /persistent:no
net use p: \\XXXfscluster\PROGS /persistent:no
echo.
echo net use q: \\XXXfscluster\INSTALL /persistent:no
net use q: \\XXXfscluster\INSTALL /persistent:no
echo.
echo net use t: \\XXXfscluster\Daten /persistent:no
net use t: \\XXXfscluster\Daten /persistent:no
echo.
echo Mapping Kopierer
echo.
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG2-BIB-color
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG2-BIB-sw
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG2-BriennerStr-color
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG2-BriennerStr-sw
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG2-ZV-Abt-color
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG2-ZV-Abt-sw
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG4-Serverraum-color
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG4-Serverraum-sw
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG5-Kicker-color
\\XXXlaw\netlogon\con2prt.exe /c \\XXXmnt01\Kopierer-OG5-Kicker-sw


The printers/copiers above are accessible for all users.

A second script for the smaller office printers in each floor, one script for each floor.

\\XYZdomain\netlogon\con2prt.exe /c \\XYZmnt01\204
\\XYZdomain\netlogon\con2prt.exe /c \\XYZmnt01\206
\\XYZdomain\netlogon\con2prt.exe /c \\XYZmnt01\209

The printers are all shared on a print server, the numbers 204, 206, 209 are printer names (I named them as the rooms where they stand).

In my case I had 160 users in a building with 5 floors, about 100 of these users were secretaries which circulated between these floors.
Each floor had 2 big copy/printers and at least 10 office printers in several offices.
To make only the relevant printers in each floor available, I created OUs for each floor and linked the appropriate printer scripts by GPOs. The secretaries were in the actual OU for the floor they worked on, but could be in different groups. So the first script (also by GPO) "ifmember" found out in which group a secretary actually is (even in this particular script it looks only for one group membership) and maps her network shares as necessary.
For that system it is essential to find an optimal system of OUs and groups and group nesting. But if you create all that, you have a highly flexible system to control and share all resources.
Cheers
Werner

PS: sorry, the script comments are in German sometimes, because the company was a German company. But anyway, the comments are not relevant ;-)
0
