Creative way to bypass mapping the home folder when logging into DMZ servers

bstillion
Users' home folders are configured on each user's "Profile" tab in Active Directory Users and Computers. How can that be bypassed for users that log in to servers in the DMZ?
The mapping attempt has to time out before the user's desktop appears, and there is an error in the event log stating that the server hosting the user's home folder could not be contacted.
Loopback processing will not override the home folder setting in the properties of the user accounts, and due to other restrictions I cannot move user accounts out of the default "Users" container in AD.

Top Expert 2013

Commented:
If it is set on the profile tab then I think it will always try to map it.  I'll see if I can figure something out but nothing is coming to me at the moment.
On a related note, if you have to have your users in the users container you can still filter a policy to just those users.
You can link at the domain level and use security filtering
http://adisfun.blogspot.com/2009/04/security-filtering-and-group-policy.html
Won't help here though.
remmett70, Network Manager

Commented:
Are the users that log on to the DMZ servers some type of server admins/IT staff? If so, they should have user accounts that have the home folders configured, and they should also have admin accounts that do not have home folders. Then set it up so that only their admin accounts have the ability to log on to servers.
bluntTony, Head of ICT
Top Expert 2009

Commented:
Hello again..
Following on from your last question on this matter, I would say that instead of specifying the home drive in the user properties, you could have a login script map the drive. The script can then be a bit more flexible. For example, you could get the script to see what the current subnet the machine is on, and based on this map/don't map the drive.
Or you could have the login script applied to users via GPO, and use loopback on the DMZ machines to overrule this script so it doesn't run. Remember that with loopback, the user settings have to be linked to the computer objects, so you could target a specific OU holding the DMZ machines, or use security filtering to target them.
And on a complete aside - is it absolutely necessary to have domain machines/servers in your DMZ? This can sort of negate the point of the DMZ. What's the purpose of having it?
If you want an example script let me know...
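The subnet-based decision bluntTony describes, written out as an added example in PowerShell (this is not a script from the thread or from bluntTony): it collects the machine's IPv4 addresses, tests each one against a list of DMZ ranges given in CIDR form, and maps the home drive only when none match. The ranges, drive letter and share path are placeholders. Because `Test-IPv4InCidr` works from the prefix length rather than from a 255/0 octet mask, it covers non-classful subnets as well as classful ones.

```powershell
# Added example, not from the thread: skip the home-drive mapping when one of this
# host's IPv4 addresses falls inside a DMZ range. Ranges, drive letter and share are
# placeholders; replace them with your own values.

$DmzRanges   = @('192.0.2.0/24', '198.51.100.128/25')  # placeholder DMZ subnets (RFC 5737 documentation ranges)
$DriveLetter = 'H'                                     # placeholder home-drive letter
$HomeShare   = "\\fileserver\users\$env:USERNAME"      # placeholder home share root + user name

function ConvertTo-UInt32Address {
    # IPv4 dotted-quad string -> unsigned 32-bit integer in host order.
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)              # network byte order -> little-endian for BitConverter
    [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr {
    # True when $Address lies inside $Cidr. Any prefix length from /0 to /32 is accepted,
    # so non-classful subnets (e.g. a /25) are handled exactly like classful ones.
    param([string]$Address, [string]$Cidr)
    if ($Cidr -notmatch '^[\d.]+/\d{1,2}$') { throw "Expected CIDR notation (a.b.c.d/n), got '$Cidr'" }
    $network, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    # 0xFFFFFFFF is a 64-bit literal in PowerShell, so the shift cannot overflow; mask back to 32 bits.
    $mask = (0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF
    ((ConvertTo-UInt32Address $Address) -band $mask) -eq ((ConvertTo-UInt32Address $network) -band $mask)
}

function Test-HostInDmz {
    # True if any IPv4 address bound to this host is inside one of $Ranges.
    param([string[]]$Ranges)
    $local = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) |
        Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }
    foreach ($ip in $local) {
        foreach ($range in $Ranges) {
            if (Test-IPv4InCidr -Address $ip.IPAddressToString -Cidr $range) { return $true }
        }
    }
    return $false
}

if (Test-HostInDmz -Ranges $DmzRanges) {
    # DMZ host: no mapping attempt is made, so nothing waits to time out before the
    # desktop appears and no "could not be contacted" error lands in the event log.
    Write-Verbose "Host is in a DMZ range; leaving ${DriveLetter}: unmapped"
} else {
    & net use "${DriveLetter}:" $HomeShare /persistent:no | Out-Null
}
```

Run it as the user logon script; `/persistent:no` keeps the mapping out of the user's persisted drive list, so a machine that moves between networks does not carry a stale mapping with it.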

Author

Commented:
Thanks to all for your feedback!

A login script for a small set of users seems sensible. It would be great if the script could check the server name and, if the name is any of the following 10, for example, not map the home folder; otherwise, map it.

bluntTony, do you have any suggestions?

IF server name IS NOT (list of DMZ server names)
              map home folder
otherwise
              do nothing
bluntTony, Head of ICT
Top Expert 2009

Commented:
Hi there,
Do you have classful subnetting (i.e. subnet mask using only 255 or 0)? If so, it may be better to test on the subnet the machine is on. That way you don't have to worry about maintaining the list of servers.
Other than that, are the DMZ servers sitting in their own OU, or in a security group? I'd much rather query something already in AD than create a text list or hard-code an array of server names in a script...

Author

Commented:
I'm cutting and pasting a script together to do the following:
check list of servers in the DMZ (read all into memory)
if computer name is not in list, map a home folder
if name is in the list, do nothing

I'm not sure of the syntax of the If statement.
Here's what I have so far:

Option Explicit
Dim objNetwork, objFSO, objTextFile, strCompName
Dim strDriveLetter, strRemotePath, strUserName, strText
Dim arrComputers, blnInDMZ, i
strDriveLetter = "F:"
strRemotePath = "\\Userdata\users\"

Const ForReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
    ("\\dmzdc01\c$\DMZservers.txt", ForReading)
Set objNetwork = WScript.CreateObject("WScript.Network")
strCompName = objNetwork.ComputerName   ' ComputerName is a string, so no Set

strText = objTextFile.ReadAll
objTextFile.Close
strUserName = objNetwork.UserName

arrComputers = Split(strText, vbCrLf)

' Case-insensitive check of whether this computer appears in the list
blnInDMZ = False
For i = 0 To UBound(arrComputers)
    If StrComp(Trim(arrComputers(i)), strCompName, vbTextCompare) = 0 Then
        blnInDMZ = True
    End If
Next

' Map the home folder only when the computer is not one of the DMZ servers
If Not blnInDMZ Then
    objNetwork.MapNetworkDrive strDriveLetter, strRemotePath & strUserName
End If

Author

Commented:
The DMZ servers can be in their own OU.
The subnetting is not classful.

I would rather not maintain a text file either.

What should I do to use the OU?

bluntTony, Head of ICT
Top Expert 2009

Commented:
OK, so you can take the DN of the server and see if the DN of the OU is a part of the server's DN, thus showing whether it's in that OU. If it is, then don't map the drive.
The logic of the below is this:
1. If the drive letter exists, remove it and delete it from the registry.
2. If the server is NOT in the OU, then re-map the drive, else do nothing.
You'll just need to change the top three lines to suit your needs. Hope this helps...

strDriveLetter = "N:" 'DRIVE LETTER
strUNCPath = "\\nsanas\archive" 'PATH TO SHARE
strOUPath = "OU=DMZ,OU=MyBusiness,DC=domain,DC=local" 'FULL DN OF OU
Const HKEY_CURRENT_USER = &H80000001
 
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("Wscript.Network")
Set objAD = CreateObject("ADSystemInfo")
 
' 1. Remove any existing mapping and its persisted entry so the letter is free
If objFSO.DriveExists(strDriveLetter) Then
	objNet.RemoveNetworkDrive strDriveLetter,True,True
	Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
	objReg.DeleteKey HKEY_CURRENT_USER, "Network\" & Left(strDriveLetter,1)
	Set objReg = Nothing
End If
 
' 2. ADSystemInfo.ComputerName returns this computer's DN; map only when the OU's DN
'    is not part of it (vbTextCompare makes the test case-insensitive, as DNs are)
If InStr(1, objAD.ComputerName, strOUPath, vbTextCompare) = 0 Then
	objNet.MapNetworkDrive strDriveLetter,strUNCPath
End If
 
Set objNet = Nothing
Set objFSO = Nothing
Set objAD = Nothing


Author

Commented:
Can I use the %username% variable in strUNCPath, since it will be different for each user that logs in?

strUNCPath = "\\nsanas\archive" 'PATH TO SHARE

strUNCPath = "\\server\share\%username%"
bluntTony, Head of ICT
Top Expert 2009
Commented:
Try this:
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objNet = CreateObject("Wscript.Network")
Set objAD = CreateObject("ADSystemInfo")
 
strDriveLetter = "N:" 'DRIVE LETTER
strUNCPath = "\\server\share\" & objNet.UserName 'PATH TO SHARE (user's own folder)
strOUPath = "OU=DMZ,OU=MyBusiness,DC=domain,DC=local" 'FULL DN OF OU
Const HKEY_CURRENT_USER = &H80000001
  
' 1. Remove any existing mapping and its persisted entry so the letter is free
If objFSO.DriveExists(strDriveLetter) Then
	objNet.RemoveNetworkDrive strDriveLetter,True,True
	Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
	objReg.DeleteKey HKEY_CURRENT_USER, "Network\" & Left(strDriveLetter,1)
	Set objReg = Nothing
End If
 
' 2. ADSystemInfo.ComputerName returns this computer's DN; map only when the OU's DN
'    is not part of it (vbTextCompare makes the test case-insensitive, as DNs are)
If InStr(1, objAD.ComputerName, strOUPath, vbTextCompare) = 0 Then
	objNet.MapNetworkDrive strDriveLetter,strUNCPath
End If
 
Set objNet = Nothing
Set objFSO = Nothing
Set objAD = Nothing

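The same OU-based decision as bluntTony's accepted script, as an added example in PowerShell (not code from the thread). bluntTony's script locates the OU with InStr, a substring search on the computer's DN; that works when strOUPath is the complete DN, but it is sensitive to case and spacing differences and says nothing about partial paths. This version splits both DNs into their RDN components and requires the OU's components to be the trailing components of the computer's DN, so it matches the DMZ OU and any OU nested beneath it, and nothing else. The OU DN, drive letter and share are placeholders, and `Get-LocalComputerDn` assumes the machine is domain-joined and can reach a domain controller when the logon script runs.

```powershell
# Added example, not from the thread: map the user's home drive unless this computer's
# account sits in (or below) the DMZ OU. OU DN, drive letter and share are placeholders.

$DmzOuDn     = 'OU=DMZ,OU=MyBusiness,DC=domain,DC=local'  # placeholder: DN of the OU holding DMZ servers
$DriveLetter = 'N'                                         # placeholder home-drive letter
$HomeShare   = "\\server\share\$env:USERNAME"              # placeholder share root + user name

function Split-Dn {
    # Split a DN into RDN components on unescaped commas only, so an RDN such as
    # 'OU=Sales\, EMEA' stays whole. Components are trimmed and lower-cased because
    # DN comparison in AD is case-insensitive and tolerant of spacing.
    param([string]$Dn)
    $parts = [regex]::Split($Dn, '(?<!\\),')
    foreach ($p in $parts) { $p.Trim().ToLowerInvariant() }
}

function Test-DnUnderOu {
    # True when $ObjectDn is directly in $OuDn or in any OU nested beneath it.
    # Whole RDNs are compared from the right, so the OU path has to be the object's
    # actual parent chain, not merely text that occurs somewhere inside the DN.
    param([string]$ObjectDn, [string]$OuDn)
    $obj = @(Split-Dn $ObjectDn)
    $ou  = @(Split-Dn $OuDn)
    if ($obj.Count -le $ou.Count) { return $false }   # the object needs at least its own CN on top
    for ($i = 1; $i -le $ou.Count; $i++) {
        if ($obj[$obj.Count - $i] -ne $ou[$ou.Count - $i]) { return $false }
    }
    return $true
}

function Get-LocalComputerDn {
    # Look up this computer's distinguishedName through the built-in ADSI searcher
    # (System.DirectoryServices; no RSAT module required). Assumes a domain-joined host.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Computer account for $env:COMPUTERNAME not found in AD" }
    [string]$result.Properties['distinguishedname'][0]
}

$computerDn = Get-LocalComputerDn

# Drop any existing mapping first (like the RemoveNetworkDrive step) so a changed
# share path does not collide with a stale mapping on the same letter.
if (Test-Path -LiteralPath "${DriveLetter}:") {
    & net use "${DriveLetter}:" /delete /y | Out-Null
}

if (Test-DnUnderOu -ObjectDn $computerDn -OuDn $DmzOuDn) {
    # DMZ server: no mapping attempt, so no timeout before the desktop and no
    # "server could not be contacted" event for an unreachable internal file server.
    Write-Verbose "$computerDn is under $DmzOuDn; leaving ${DriveLetter}: unmapped"
} else {
    & net use "${DriveLetter}:" $HomeShare /persistent:no | Out-Null
}
```

With the constructed DN `CN=WEB01,OU=Public,OU=DMZ,OU=MyBusiness,DC=domain,DC=local`, `Test-DnUnderOu` returns `$true` for the OU above (nested one level down) and `$false` for a machine in `OU=Servers,OU=MyBusiness,DC=domain,DC=local`, which is the "in this OU or below it" rule bluntTony's InStr test expresses implicitly.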

Author

Commented:
bluntTony,

Thanks for the script. It works perfectly!

This ticket has been open for over 18 months and eventually made it to me.
Thanks again for your help.

Bstillion

Author

Commented:
The script is concise and does exactly what is needed.

Thanks for your help!
Top Expert 2013

Commented:
Great work on this one Tony!!! Outstanding!!
bluntTony, Head of ICT
Top Expert 2009

Commented:
Thanks to you both! Glad to be a help.
