vbscript login script for Windows Server 2003 - users can't "see" group memberships

I have a login script, which I have variously adapted and used before on Windows domains, in which the script maps a number of drives according to group membership.  It reads the group memberships from an LDAP string and then operates a case statement on the contents of the string.

It works for me, as a Domain Admin, but for the ordinary users it skips through without "seeing" any of the groups.  Presumably this is some kind of LDAP security problem.  I'm quite sure that this has worked before and does work on other sites, but I can't see what is different here.

Code snippet below, any suggestions?
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit


KD Johnson (IT Consultant) asked.

RobSampson commented:
If the user is only a member of one group, MemberOf will not return a collection ... it will only return a string, so you can't use a For Each loop.

Try the code below.  I've tested for the "type" of the MemberOf attribute, and created an array based on that, so that you *can* use a For Each loop to go through the new array.

Regards,

Rob.
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
If TypeName(objuser.MemberOf) = "Empty" Then
	arrGroups = Array("DUMMYGROUPTHATDOESNOTEXIST")
ElseIf TypeName(objuser.MemberOf) = "String" Then
	arrGroups = Array(objuser.MemberOf)
Else
	arrGroups = objUser.MemberOf
End If
 
For Each strGroup In arrGroups
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit

 
RobSampson commented:
Hi, if you comment out On Error Resume Next, what error do you get?

Regards,

Rob.
 
KD Johnson (Author) commented:
Thanks.  I didn't know why it doesn't work if there is only one group, but I had already noticed this at other sites and dealt with it by creating a dummy group "G_Test", to which everyone belongs.

The code does work as it stands - given that extra group - but for some reason the ordinary domain users are not able to read the LDAP attributes on this server.  If I log in as a Domain Admin, then the For/Next loop triggers and the drives map; the ordinary users get the starting and ending messages ... but no group output and no drive mappings.

KD

 
RobSampson commented:
Perhaps it's that as a domain admin, you are a member of Domain Admins, plus one of the groups you're looking for, hence more than one group.  The code that I posted will work for members that are only in one group.  Domain Users (or whatever is a user's primary group) is not listed with MemberOf.

Regards,

Rob.
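As an added example (not code from Rob's answer or from the questioner's script), here is the same login-script logic reworked around the two points raised in this thread: the single-group case, where MemberOf comes back as a string rather than an array, and the primary group, which never appears in memberOf at all. Instead of testing TypeName, it reads the attribute with IADs.GetEx, which returns a Variant array even when there is exactly one value and raises a known error when there are none. It also replaces the script-wide On Error Resume Next with per-call error checks, so a user who genuinely cannot read the attribute, or a share that cannot be mapped, produces a message rather than a silent pass-through. The group names, server name and share paths are placeholders; CNFromDN is a helper written for this example and takes the CN from the group DN so the script does not need to bind to every group object.

```vbscript
' Added example, not code from the thread above. Assumes a Windows domain
' member running under the logging-on user's credentials, as a logon script
' would. Group names, server name and share paths are placeholders.
Option Explicit

Dim objSysInfo, objUser, objNetwork, objMappings
Dim arrGroups, strGroupDN, strKey, arrTarget

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("WScript.Network")
Set objMappings = CreateObject("Scripting.Dictionary")

' Lower-case group CN -> "drive|share" (placeholder values)
objMappings.Add "g_staff", "D:|\\SERVER\GROUPS\GENERAL"
objMappings.Add "group2",  "G:|\\SERVER\GROUPS\GROUP2"
objMappings.Add "group3",  "I:|\\SERVER\GROUPS\Group3"

Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

arrGroups = ReadMemberOf(objUser)

' arrGroups is always an array here, so a single group is handled the same
' way as many groups and no dummy "everyone" group is needed.
For Each strGroupDN In arrGroups
    strKey = LCase(CNFromDN(strGroupDN))
    If objMappings.Exists(strKey) Then
        arrTarget = Split(objMappings(strKey), "|")
        MapDrive arrTarget(0), arrTarget(1)
    End If
Next

' Returns the user's memberOf values as an array. GetEx returns a Variant
' array even when the attribute holds a single DN; when it holds none, ADSI
' raises 0x8000500D (property not found), which becomes an empty array.
' Note: the user's primary group (normally Domain Users) is never listed in
' memberOf; it can only be identified through the primaryGroupID attribute.
Function ReadMemberOf(objUser)
    On Error Resume Next
    ReadMemberOf = objUser.GetEx("memberOf")
    If Err.Number = &H8000500D Then
        Err.Clear
        ReadMemberOf = Array()
    ElseIf Err.Number <> 0 Then
        WScript.Echo "Cannot read memberOf: 0x" & Hex(Err.Number) & " " & Err.Description
        Err.Clear
        ReadMemberOf = Array()
    End If
    On Error GoTo 0
End Function

' Extracts the leading CN value from a DN such as "CN=G_Staff,OU=Groups,DC=x".
' A backslash-escaped comma inside the CN (e.g. "CN=Smith\, John") is kept.
Function CNFromDN(strDN)
    Dim i, ch, strRDN
    strRDN = ""
    i = 1
    Do While i <= Len(strDN)
        ch = Mid(strDN, i, 1)
        If ch = "\" And i < Len(strDN) Then
            strRDN = strRDN & Mid(strDN, i + 1, 1)
            i = i + 2
        ElseIf ch = "," Then
            Exit Do
        Else
            strRDN = strRDN & ch
            i = i + 1
        End If
    Loop
    If LCase(Left(strRDN, 3)) = "cn=" Then
        CNFromDN = Mid(strRDN, 4)
    Else
        CNFromDN = strRDN
    End If
End Function

' Maps one drive letter and reports failure instead of silently skipping it.
' Returns True on success, False otherwise.
Function MapDrive(strDrive, strShare)
    On Error Resume Next
    objNetwork.MapNetworkDrive strDrive, strShare
    If Err.Number <> 0 Then
        WScript.Echo "Failed to map " & strDrive & " to " & strShare & ": " & Err.Description
        Err.Clear
        MapDrive = False
    Else
        MapDrive = True
    End If
    On Error GoTo 0
End Function
```

Running it with cscript.exe during testing writes the error messages to the console; under wscript.exe they appear as message boxes, which is usually unwanted in a production logon script, so the Echo calls are the place to substitute a log file once the script behaves.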
 
KD Johnson (Author) commented:
The problem was as you describe, and now I finally understand why my script only ever worked if I added the members to the dummy group "G_Test".   Your solution is more sophisticated - and omits the error, which I had made, of creating "G_Test" and then forgetting to add the users to the group.

Apologies for the delay in getting back to this - the script problem was only part of a considerable operation in migrating that company's systems on to the new server.

Thanks.

KD
 
RobSampson commented:
No problem.  Thanks for the grade.

Regards,

Rob.