bstillion

Creative way to bypass mapping the home folder when logging into DMZ servers

Users' home folders are configured on each user's "Profile" tab in Active Directory Users and Computers. How can that be bypassed for users that log in to servers in the DMZ?
The mapping attempt has to time-out before the user's desktop appears and there is an error in the event log stating that the server hosting the user's homefolder could not be contacted.
Loopback processing will not override the home folder setting in the properties of the user accounts and due to other restrictions, I cannot move user accounts out of the default "Users" container in AD.
Mike Kline

If it is set on the profile tab then I think it will always try to map it.  I'll see if I can figure something out but nothing is coming to me at the moment.
On a related note, if you have to have your users in the users container you can still filter a policy to just those users.
You can link at the domain level and use security filtering
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Won't help here though.
Are the users that log on to the DMZ servers some type of server admins/IT staff?  If so, they should have user accounts that have the home folders configured, and they should also have admin accounts that do not have home folders.  Then set things up so that only their admin accounts have the ability to log on to servers.
Hello again..
Following on from your last question on this matter, I would say that instead of specifying the home drive in the user properties, you could have a login script map the drive. The script can then be a bit more flexible. For example, you could get the script to see what the current subnet the machine is on, and based on this map/don't map the drive.
Or you could have the login script applied to users via GPO, and use loopback on the DMZ machines to over-rule this script so it doesn't run. Remember that with loopback, the user settings have to be linked to the computer objects so you could target a specific OU holding the DMZ machines, or use security filtering to target them.
And on a complete aside - is it absolutely necessary to have domain machines/servers in your DMZ? This can sort of negate the point of the DMZ. What's the purpose of having it?
If you want an example script let me know...
bstillion (ASKER)
Thanks to all for your feedback!

A login script for a small set of users seems sensible. It would be great if the script
could check the server name and if the name is any of the following 10, for example,
do not map the home folder otherwise, map it.

bluntTony, do you have any suggestions?

IF server name IS NOT (list of DMZ server names)
              map home folder
otherwise
              do nothing
Hi there,
Do you have classful subnetting (i.e. subnet mask using only 255 or 0)? If so, it may be better to test on the subnet the machine is on. That way you don't have to worry about maintaining the list of servers.
Other than that, are the DMZ servers sitting in their own OU, or in a security group? I'd much rather query something already in AD than create a text list or hard-code an array of server names in a script...
I'm cutting and pasting a script together to do the following:
check list of servers in the DMZ (read all into memory)
if computer name is not in list, map a home folder
if name is in the list, do nothing

I'm not sure of the syntax of the If statement.
Here's what I have so far:

Option Explicit
Dim objNetwork, objFSO, objTextFile, objCompName, arrComputers, i, blnInDMZ
Dim strDriveLetter, strRemotePath, strUserName, strText
strDriveLetter = "F:"
strRemotePath = "\\Userdata\users\"

Const ForReading = 1

' Read the DMZ server list, one name per line (note: the C$ admin share is
' readable only by administrators, so a normal user's logon would fail here)
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
    ("\\dmzdc01\c$\DMZservers.txt", ForReading)
Set objNetwork = WScript.CreateObject("WScript.Network")
objCompName = objNetwork.ComputerName   ' ComputerName is a string, so no Set

strText = objTextFile.ReadAll
objTextFile.Close
strUserName = objNetwork.UserName

arrComputers = Split(strText, vbCrLf)

' Is this computer's name in the list? (case-insensitive, ignoring stray spaces)
blnInDMZ = False
For i = 0 To UBound(arrComputers)
    If StrComp(Trim(arrComputers(i)), objCompName, vbTextCompare) = 0 Then
        blnInDMZ = True
    End If
Next

' Map the home folder only when this computer is not a DMZ server
If Not blnInDMZ Then
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath & strUserName
End If
The DMZ servers can be in their own OU.
The subnetting is not classful.

I would rather not maintain a text file either.

What should I do to use the OU?

OK, so you can take the DN of the server, and see if the DN of the OU is a part of the server's DN, thus proving if it's in that OU. If it is, then don't map the drive.
The logic of the below is this:
1. If the drive letter exists, remove it and delete it from the registry.
2. If the server is NOT in the OU, then re-map the drive, else do nothing.
You'll just need to change the top three lines to suit your needs. Hope this helps...

strDriveLetter = "N:" 'DRIVE LETTER
strUNCPath = "\\nsanas\archive" 'PATH TO SHARE
strOUPath = "OU=DMZ,OU=MyBusiness,DC=domain,DC=local" 'FULL DN OF OU
Const HKEY_CURRENT_USER = &H80000001
 
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("Wscript.Network")
Set objAD = CreateObject("ADSystemInfo") 'ComputerName on this object is the DN of the computer account
 
'1. Remove any existing mapping for the letter, including its persistent entry under HKCU\Network
If objFSO.DriveExists(strDriveLetter) Then
	objNet.RemoveNetworkDrive strDriveLetter,True,True
	Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
	objReg.DeleteKey HKEY_CURRENT_USER, "Network\" & Left(strDriveLetter,1)
	Set objReg = Nothing
End If
 
'2. Map the drive only if the OU's DN does not appear in the computer's DN
If InStr(objAD.ComputerName,strOUPath) = 0 Then
	objNet.MapNetworkDrive strDriveLetter,strUNCPath
End If
 
Set objNet = Nothing
Set objFSO = Nothing
Set objAD = Nothing


Can I use the %username% variable in strUNCPath, since it will be different for each user that logs in?

strUNCPath = "\\nsanas\archive" 'PATH TO SHARE

strUNCPath = "\\server\share\%username%"
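The same OU-based decision, written as an added PowerShell logon script that is not part of this thread or of bluntTony's answer. It reuses the ADSystemInfo COM object from the VBScript above, but tests the OU DN as a suffix of the computer DN on an RDN boundary instead of a plain substring match, and builds the per-user path from the logged-on user name rather than a literal %username%. The drive letter, share root and OU DN are placeholders, not values from the thread.

```powershell
# Added example (not from this thread): map the home drive only when the
# computer account is NOT under the DMZ OU. Placeholder values below.
$DriveLetter = 'H'
$ShareRoot   = '\\fileserver\users'
$DmzOuDn     = 'OU=DMZ,OU=MyBusiness,DC=domain,DC=local'

function Test-DnUnderOu {
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string]$OuDn
    )
    # An object sits inside an OU (or an OU nested under it) when the OU DN is
    # a suffix of the object DN that starts at an RDN boundary. Anchoring on the
    # leading comma avoids the substring false positives an InStr-style match
    # allows, e.g. an unrelated OU whose name merely ends in "DMZ".
    $suffix = ',' + $OuDn.Trim()
    return $ObjectDn.Trim().EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-LocalComputerDn {
    # Same COM object bluntTony's VBScript uses; its ComputerName property is
    # the distinguished name of the computer account this machine is joined as.
    # PowerShell needs InvokeMember to read properties from this object.
    $sysInfo = New-Object -ComObject ADSystemInfo
    return $sysInfo.GetType().InvokeMember('ComputerName', 'GetProperty', $null, $sysInfo, $null)
}

function Connect-HomeDrive {
    param([string]$Letter, [string]$Root, [string]$User)
    # Per-user path from the actual user name; "%username%" inside a string
    # literal is not expanded by the script engine.
    $homePath = Join-Path -Path $Root -ChildPath $User
    # Drop a stale mapping before re-creating it, as the VBScript above does.
    if (Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $Letter -Force
    }
    New-PSDrive -Name $Letter -PSProvider FileSystem -Root $homePath -Persist -Scope Global | Out-Null
}

$computerDn = Get-LocalComputerDn
if (Test-DnUnderOu -ObjectDn $computerDn -OuDn $DmzOuDn) {
    Write-Verbose "$computerDn is under $DmzOuDn; skipping home drive mapping."
}
else {
    Connect-HomeDrive -Letter $DriveLetter -Root $ShareRoot -User $env:USERNAME
}
```

Because the decision is keyed to the computer account's DN, moving a server into the DMZ OU (or any OU nested beneath it) changes the outcome without editing the script or maintaining a server list, which is what the asker wanted. The script only controls its own mapping: a home folder still set on the user's Profile tab is mapped by the logon process independently, so that attribute has to be cleared for these users for the script to be the sole source of the mapping.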
ASKER CERTIFIED SOLUTION
bluntTony
bluntTony,

Thanks for the script. It works perfectly!

This ticket has been open for over 18 months and eventually
made it to me.
Thanks again for your help.

Bstillion
The script is concise and does exactly what is needed.

Thanks for your help!
Great work on this one Tony!!! Outstanding!!
Thanks to you both! Glad to be a help.