vbscript login script for Windows Server 2003 - users can't "see" group memberships

I have a login script, which I have variously adapted and used before on Windows domains, in which the script maps a number of drives according to group membership.  It reads the group memberships from an LDAP string and then operates a case statement on the contents of the string.

It works for me, as a Domain Admin, but for the ordinary users it skips through without "seeing" any of the groups.  Presumably this is some kind of LDAP security problem.  I'm quite sure that thhis has worked before and does work on other sites, but I can't see what is different here.  

Code snippet below, any suggestions?
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit

Open in new window

LVL 1
KD JohnsonIT ConsultantAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

RobSampsonCommented:
Hi, if you comment out On Error Resume Next, what error do you get?

Regards,

Rob.
0
RobSampsonCommented:
If the user is only a member of one group, MemberOf will not return a collection....it will only return a string, so you can't use a For Each loop.

Try the code below.  I've tested for the "type" of the MemberOf attribute, and created an array based on that, so that you *can* use a For Each loop to go through the new array.

Regards,

Rob.
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
If TypeName(objuser.MemberOf) = "Empty" Then
	arrGroups = Array("DUMMYGROUPTHATDOESNOTEXIST")
ElseIf TypeName(objuser.MemberOf) = "String" Then
	arrGroups = Array(objuser.MemberOf)
Else
	arrGroups = objUser.MemberOf
End If
 
For Each strGroup In arrGroups
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
KD JohnsonIT ConsultantAuthor Commented:
Thanks.  I didn't know why it doesn't work if there is only one group, but I had already noticed this at other sites and dealt with it by creating a dummy group "G_Test", to which everyone belongs.

The code does work as it stands - given that extra group - but for some reason the ordinary domain users are not able to read the LDAP attributes on this server.  If I log in as a Domain Admin, then the For/Next loop triggers and the drives map, the ordinary users get the starting and ending messages ... but no group output and no drive mappings.

KD
0
Newly released Acronis True Image 2019

In announcing the release of the 15th Anniversary Edition of Acronis True Image 2019, the company revealed that its artificial intelligence-based anti-ransomware technology – stopped more than 200,000 ransomware attacks on 150,000 customers last year.

RobSampsonCommented:
Perhaps it's that as a domain admin, you are a member of Domain Admin, plus one of the groups you're looking for, hence, more than one group.  The code that posted will work for members that are only in one group.  Domain Users (or whatever is a user's primary group) is not listed with MemberOf.

Regards,

Rob.
0
KD JohnsonIT ConsultantAuthor Commented:
The problem was as you describe, and now I finally understand why my script only ever worked if I added the members to the dummy group "G_Test".   Your solution is more sophisticated - and omits the error, which I had made, of creating "G_Test" and then forgetting to add the users to the group.

Apologies for the delay in getting back to this - the script problem was only part of a considerable operation in migrating that company's systems on to the new server.

Thanks.

KD
0
RobSampsonCommented:
No problem.  Thanks for the grade.

Regards,

Rob.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.