Solved

vbscript login script for Windows Server 2003 - users can't "see" group memberships

Posted on 2009-07-10
6
563 Views
Last Modified: 2012-05-07
I have a login script, which I have variously adapted and used before on Windows domains, in which the script maps a number of drives according to group membership.  It reads the group memberships from an LDAP string and then operates a case statement on the contents of the string.

It works for me, as a Domain Admin, but for the ordinary users it skips through without "seeing" any of the groups.  Presumably this is some kind of LDAP security problem.  I'm quite sure that thhis has worked before and does work on other sites, but I can't see what is different here.  

Code snippet below, any suggestions?
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit

Open in new window

0
Comment
Question by:KD Johnson
  • 4
  • 2
6 Comments
 
LVL 65

Expert Comment

by:RobSampson
ID: 24822672
Hi, if you comment out On Error Resume Next, what error do you get?

Regards,

Rob.
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 500 total points
ID: 24822732
If the user is only a member of one group, MemberOf will not return a collection....it will only return a string, so you can't use a For Each loop.

Try the code below.  I've tested for the "type" of the MemberOf attribute, and created an array based on that, so that you *can* use a For Each loop to go through the new array.

Regards,

Rob.
' VBScript source code
'Login script for Windows 2003 Server 
 
dim test
'If test is 1 then debugging mode enabled
test = 0
 
'Debug info
if test = 1 then msgbox("Login Script Started")
 
on error RESUME NEXT
 
Dim objNetwork
Dim WshShell
dim fs
 
Set fs = CreateObject("Scripting.FileSystemObject")
Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = WScript.CreateObject("WScript.Network")
Set WshShell = WScript.CreateObject("WScript.Shell")
 
 
' *** Run through User groups and add/delete drive mappings as required
' *** Then create and analyse a string of user groups
 
strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)
 
If TypeName(objuser.MemberOf) = "Empty" Then
	arrGroups = Array("DUMMYGROUPTHATDOESNOTEXIST")
ElseIf TypeName(objuser.MemberOf) = "String" Then
	arrGroups = Array(objuser.MemberOf)
Else
	arrGroups = objUser.MemberOf
End If
 
For Each strGroup In arrGroups
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN
 
'Debug info
if test = 1 then msgbox(lcase(strGroupName))
 
    Select Case lcase(strGroupName)
        Case "g_staff"
' *** Access to the IFD General Data ***
            if test = 1 then msgbox("Mapping Drive D:")
            objNetwork.MapNetworkDrive "D:", "\\SERVER\GROUPS\GENERAL"
            
        Case "group2"
' *** Access to the Group2 Data ***
            if test = 1 then msgbox("Mapping drive G:")
            objNetwork.MapNetworkDrive "G:", "\\SERVER\GROUPS\GROUP2"
    
        Case "group3"        
' *** Access to the Group3 Data ***
            if test = 1 then msgbox("Mapping Group3 drive I:")
            objNetwork.MapNetworkDrive "I:", "\\SERVER\GROUPS\Group3"
                   
    End Select
 
Next
 
'Debug info
if test = 1 then msgbox("Login Script End")
 
WScript.Quit

Open in new window

0
 
LVL 1

Author Comment

by:KD Johnson
ID: 24823011
Thanks.  I didn't know why it doesn't work if there is only one group, but I had already noticed this at other sites and dealt with it by creating a dummy group "G_Test", to which everyone belongs.

The code does work as it stands - given that extra group - but for some reason the ordinary domain users are not able to read the LDAP attributes on this server.  If I log in as a Domain Admin, then the For/Next loop triggers and the drives map, the ordinary users get the starting and ending messages ... but no group output and no drive mappings.

KD
0
Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

 
LVL 65

Expert Comment

by:RobSampson
ID: 24823160
Perhaps it's that as a domain admin, you are a member of Domain Admin, plus one of the groups you're looking for, hence, more than one group.  The code that posted will work for members that are only in one group.  Domain Users (or whatever is a user's primary group) is not listed with MemberOf.

Regards,

Rob.
0
 
LVL 1

Author Closing Comment

by:KD Johnson
ID: 31610454
The problem was as you describe, and now I finally understand why my script only ever worked if I added the members to the dummy group "G_Test".   Your solution is more sophisticated - and omits the error, which I had made, of creating "G_Test" and then forgetting to add the users to the group.

Apologies for the delay in getting back to this - the script problem was only part of a considerable operation in migrating that company's systems on to the new server.

Thanks.

KD
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 24997177
No problem.  Thanks for the grade.

Regards,

Rob.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
When you see single cell contains number and text, and you have to get any date out of it seems like cracking our heads.
Learn the basics of if, else, and elif statements in Python 2.7. Use "if" statements to test a specified condition.: The structure of an if statement is as follows: (CODE) Use "else" statements to allow the execution of an alternative, if the …
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question