Solved

vbscript login script for Windows Server 2003 - users can't "see" group memberships

Posted on 2009-07-10
6
561 Views
Last Modified: 2012-05-07
I have a login script, which I have variously adapted and used before on Windows domains, in which the script maps a number of drives according to group membership.  It reads the group memberships from an LDAP string and then operates a case statement on the contents of the string.

It works for me, as a Domain Admin, but for the ordinary users it skips through without "seeing" any of the groups.  Presumably this is some kind of LDAP security problem.  I'm quite sure that thhis has worked before and does work on other sites, but I can't see what is different here.  

Code snippet below, any suggestions?
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit

Open in new window

0
Comment
Question by:KD Johnson
  • 4
  • 2
6 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 24822672
Hi, if you comment out On Error Resume Next, what error do you get?

Regards,

Rob.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 24822732
If the user is only a member of one group, MemberOf will not return a collection....it will only return a string, so you can't use a For Each loop.

Try the code below.  I've tested for the "type" of the MemberOf attribute, and created an array based on that, so that you *can* use a For Each loop to go through the new array.

Regards,

Rob.
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
If TypeName(objuser.MemberOf) = "Empty" Then
	arrGroups = Array("DUMMYGROUPTHATDOESNOTEXIST")
ElseIf TypeName(objuser.MemberOf) = "String" Then
	arrGroups = Array(objuser.MemberOf)
Else
	arrGroups = objUser.MemberOf
End If
 
For Each strGroup In arrGroups
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit

Open in new window

0
 
LVL 1

Author Comment

by:KD Johnson
ID: 24823011
Thanks.  I didn't know why it doesn't work if there is only one group, but I had already noticed this at other sites and dealt with it by creating a dummy group "G_Test", to which everyone belongs.

The code does work as it stands - given that extra group - but for some reason the ordinary domain users are not able to read the LDAP attributes on this server.  If I log in as a Domain Admin, then the For/Next loop triggers and the drives map, the ordinary users get the starting and ending messages ... but no group output and no drive mappings.

KD
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 65

Expert Comment

by:RobSampson
ID: 24823160
Perhaps it's that as a domain admin, you are a member of Domain Admin, plus one of the groups you're looking for, hence, more than one group.  The code that posted will work for members that are only in one group.  Domain Users (or whatever is a user's primary group) is not listed with MemberOf.

Regards,

Rob.
0
 
LVL 1

Author Closing Comment

by:KD Johnson
ID: 31610454
The problem was as you describe, and now I finally understand why my script only ever worked if I added the members to the dummy group "G_Test".   Your solution is more sophisticated - and omits the error, which I had made, of creating "G_Test" and then forgetting to add the users to the group.

Apologies for the delay in getting back to this - the script problem was only part of a considerable operation in migrating that company's systems on to the new server.

Thanks.

KD
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 24997177
No problem.  Thanks for the grade.

Regards,

Rob.
0

Featured Post

Live: Real-Time Solutions, Start Here

Receive instant 1:1 support from technology experts, using our real-time conversation and whiteboard interface. Your first 5 minutes are always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
help with PowerShell script for registry permissions 8 80
ROBOFTP UNZIP 1 38
DHCP lease duration / Migration 8 50
A Function to parse a text string 4 34
Not long ago I saw a question in the VB Script forum that I thought would not take much time. You can read that question (Question ID  (http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_28455246.html)28455246) Here (http…
Deploying a Microsoft Access application in a Citrix environment is not difficult but takes a few steps. However, Citrix system people are often of little help, as they typically know next to nothing about Access. The script provided here will take …
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

813 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now