Solved

vbscript login script for Windows Server 2003 - users can't "see" group memberships

Posted on 2009-07-10
6
559 Views
Last Modified: 2012-05-07
I have a login script, which I have variously adapted and used before on Windows domains, in which the script maps a number of drives according to group membership.  It reads the group memberships from an LDAP string and then operates a case statement on the contents of the string.

It works for me, as a Domain Admin, but for the ordinary users it skips through without "seeing" any of the groups.  Presumably this is some kind of LDAP security problem.  I'm quite sure that thhis has worked before and does work on other sites, but I can't see what is different here.  

Code snippet below, any suggestions?
' VBScript source code

'Login script for Windows 2003 Server 
 

dim test

'If test is 1 then debugging mode enabled

test = 0
 

'Debug info

if test = 1 then msgbox("Login Script Started")
 

on error RESUME NEXT
 

Dim objNetwork

Dim WshShell

dim fs
 

Set fs = CreateObject("Scripting.FileSystemObject")

Set objSysInfo = CreateObject("ADSystemInfo")

Set objNetwork = WScript.CreateObject("WScript.Network")

Set WshShell = WScript.CreateObject("WScript.Shell")
 
 

' *** Run through User groups and add/delete drive mappings as required

' *** Then create and analyse a string of user groups
 

strUserPath = "LDAP://" & objSysInfo.UserName

Set objUser = GetObject(strUserPath)
 

For Each strGroup in objUser.MemberOf

    strGroupPath = "LDAP://" & strGroup

    Set objGroup = GetObject(strGroupPath)

    strGroupName = objGroup.CN
 

'Debug info

if test = 1 then msgbox(lcase(strGroupName))
 

    Select Case lcase(strGroupName)

        Case "g_staff"

' *** Access to the IFD General Data ***

            if test = 1 then msgbox("Mapping Drive D:")

            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"

            

        Case "group2"

' *** Access to the Group2 Data ***

            if test = 1 then msgbox("Mapping drive G:")

            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"

    

        Case "group3"        

' *** Access to the Group3 Data ***

            if test = 1 then msgbox("Mapping Group3 drive I:")

            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"

                   

    End Select
 

Next
 

'Debug info

if test = 1 then msgbox("Login Script End")
 

WScript.Quit

Open in new window

0
Comment
Question by:KD Johnson
  • 4
  • 2
6 Comments
 
LVL 65

Expert Comment

by:RobSampson
Comment Utility
Hi, if you comment out On Error Resume Next, what error do you get?

Regards,

Rob.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
Comment Utility
If the user is only a member of one group, MemberOf will not return a collection....it will only return a string, so you can't use a For Each loop.

Try the code below.  I've tested for the "type" of the MemberOf attribute, and created an array based on that, so that you *can* use a For Each loop to go through the new array.

Regards,

Rob.
' VBScript source code

'Login script for Windows 2003 Server 

 

dim test

'If test is 1 then debugging mode enabled

test = 0

 

'Debug info

if test = 1 then msgbox("Login Script Started")

 

on error RESUME NEXT

 

Dim objNetwork

Dim WshShell

dim fs

 

Set fs = CreateObject("Scripting.FileSystemObject")

Set objSysInfo = CreateObject("ADSystemInfo")

Set objNetwork = WScript.CreateObject("WScript.Network")

Set WshShell = WScript.CreateObject("WScript.Shell")

 

 

' *** Run through User groups and add/delete drive mappings as required

' *** Then create and analyse a string of user groups

 

strUserPath = "LDAP://" & objSysInfo.UserName

Set objUser = GetObject(strUserPath)
 

If TypeName(objuser.MemberOf) = "Empty" Then

	arrGroups = Array("DUMMYGROUPTHATDOESNOTEXIST")

ElseIf TypeName(objuser.MemberOf) = "String" Then

	arrGroups = Array(objuser.MemberOf)

Else

	arrGroups = objUser.MemberOf

End If
 

For Each strGroup In arrGroups

    strGroupPath = "LDAP://" & strGroup

    Set objGroup = GetObject(strGroupPath)

    strGroupName = objGroup.CN

 

'Debug info

if test = 1 then msgbox(lcase(strGroupName))

 

    Select Case lcase(strGroupName)

        Case "g_staff"

' *** Access to the IFD General Data ***

            if test = 1 then msgbox("Mapping Drive D:")

            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"

            

        Case "group2"

' *** Access to the Group2 Data ***

            if test = 1 then msgbox("Mapping drive G:")

            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"

    

        Case "group3"        

' *** Access to the Group3 Data ***

            if test = 1 then msgbox("Mapping Group3 drive I:")

            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"

                   

    End Select

 

Next

 

'Debug info

if test = 1 then msgbox("Login Script End")

 

WScript.Quit

Open in new window

0
 
LVL 1

Author Comment

by:KD Johnson
Comment Utility
Thanks.  I didn't know why it doesn't work if there is only one group, but I had already noticed this at other sites and dealt with it by creating a dummy group "G_Test", to which everyone belongs.

The code does work as it stands - given that extra group - but for some reason the ordinary domain users are not able to read the LDAP attributes on this server.  If I log in as a Domain Admin, then the For/Next loop triggers and the drives map, the ordinary users get the starting and ending messages ... but no group output and no drive mappings.

KD
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 65

Expert Comment

by:RobSampson
Comment Utility
Perhaps it's that as a domain admin, you are a member of Domain Admin, plus one of the groups you're looking for, hence, more than one group.  The code that posted will work for members that are only in one group.  Domain Users (or whatever is a user's primary group) is not listed with MemberOf.

Regards,

Rob.
0
 
LVL 1

Author Closing Comment

by:KD Johnson
Comment Utility
The problem was as you describe, and now I finally understand why my script only ever worked if I added the members to the dummy group "G_Test".   Your solution is more sophisticated - and omits the error, which I had made, of creating "G_Test" and then forgetting to add the users to the group.

Apologies for the delay in getting back to this - the script problem was only part of a considerable operation in migrating that company's systems on to the new server.

Thanks.

KD
0
 
LVL 65

Expert Comment

by:RobSampson
Comment Utility
No problem.  Thanks for the grade.

Regards,

Rob.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now