credog
asked on
Mapping Drives based on Group Membership - XP and 2003 Server
I'm a Linux admin that sometimes has to support AD. So my windows skills are lacking.
We have a 2003 fileserver on site and our Domain Controller is at a headquarters location off site. We use the Group Policy Management Console snap-in to manage GP. So in my OU I have a very simple Login script (bat file) (see code) that is run during login. All it does is map a few drives on our local fileserver when a user logs in. We now need to map drives based on AD group membership. Since I don't want to learn VBscript now, I came across ifmember.exe. I rewrote the script using ifmember (see code) and was looking for input on how to implement. Things I'm unsure of:
1. Is syntax of the bat file correct?
2. Will ifmember work within AD group policy? If so, where do I need to put the ifmember.exe file? I don't seem to have it on the local fileserver. I assume I need to download the resource kit and install on our local fileserver?
3. Do I need to reference it with a UNC in the bat file like this:
\\xxx.xxx.xxx.10\some\place\on\server\ifmember.exe "operations"
4. Should I chuck this and figure out how to do it with a vbs login script?
*** Existing Login Script ***
@echo off
REM Skip the mappings when the script runs on the file server itself
IF %COMPUTERNAME%.==my-fileserver. GOTO END
REM ---- Delete pre-existing drive mappings ----
NET USE W: /DELETE >nul
NET USE U: /DELETE >nul
NET USE X: /DELETE >nul
REM ---- Map drives for all users ----
NET USE W: \\xxx.xxx.xxx.11\documents /YES >nul
NET USE U: \\xxx.xxx.xxx.20\data /YES >nul
NET USE X: \\xxx.xxx.xxx.11\programs /YES >nul
:END
*** Proposed New script using ifmember.exe ***
@echo off
REM Skip the mappings when the script runs on the file server itself
IF %COMPUTERNAME%.==my-fileserver. GOTO END
REM ---- Delete pre-existing drive mappings ----
NET USE W: /DELETE >nul
NET USE U: /DELETE >nul
NET USE X: /DELETE >nul
REM ---- Map drives for all users ----
NET USE W: \\xxx.xxx.xxx.11\documents /YES >nul
NET USE U: \\xxx.xxx.xxx.20\data /YES >nul
NET USE X: \\xxx.xxx.xxx.11\programs /YES >nul
REM --- Start drive mapping based on groups ---
REM ifmember sets ERRORLEVEL to the number of listed groups the user belongs
REM to, so ERRORLEVEL 0 means "not a member" and we skip to the next check.
REM Labels must start with a colon (:admin), not end with one (admin:).
ifmember "operations"
if not errorlevel 1 goto admin
net use O: \\xxx.xxx.xxx.11\ops >nul
:admin
ifmember "admin"
if not errorlevel 1 goto tech
net use R: \\xxx.xxx.xxx.11\admin >nul
:tech
ifmember "tech"
if not errorlevel 1 goto DONE
net use T: \\xxx.xxx.xxx.5\tech >nul
:DONE
REM --- Done mapping drives based on group ---
net time \\my-fileserver /SET /YES >nul
:END
ASKER
Nice bat file. Since I'm more of a unix person, I had to study it a little. One thing you state is "I'd suggest to put the script (and all tools it needs, including ifmember.exe) into the netlogon share (the "Scripts" folder in the Sysvol folder on the DCs)". Not sure what that means. I don't have direct access to the DC since it is maintained by HQ people. I can add or edit the login script by doing the following:
Right click on the GP for the startup script and select edit. In the popup I navigate to "User Configuration" > "Windows Settings" > "Scripts (Logon/Logoff)" and right click on Logon and select properties. I see my script on the window. I then hit the show files button in the window and the resulting window shows the login script on the Domain controller. I then right click on the script and select edit and notepad pops up.
I of course have full access to the local file server shares. Also, since this bat file will be for all users in GP, what would be the best way to test? Just run from the command line on a system?
Where you put your script and the tools is mainly a matter of personal preference (and redundancy; the GPO folder is replicated among the DCs, but the file server might be a single point of failure--but then again, if all you do is map some drives on the file server, then it doesn't matter if the script mapping those drives is unavailable, too, if the file server is down ...).
You can put them all into the GPO folder, or put them all into a shared folder on the file server (in which case the logon script needs to be configured as \\FileServer\Share\logonscript.cmd in the GPO), or put the script itself into the GPO folder and the tools on the file server (and then use \\FileServer\Share\SomeTool.exe to address them).
You can test this by adding a single test user account into the GPO's Security Filtering list, instead of the default "Authenticated Users".
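A fuller version of the script discussed in the question and in the placement advice above, as an added example; it is not the asker's script, the accepted solution, or anything from the IfMember tool's own documentation. It assumes a file server named MY-FILESERVER with shares \documents, \data, \ops, \admin and \tech, a tools share \\MY-FILESERVER\tools, and domain groups named Operations, Admin and Tech; all of these are placeholders. It looks for ifmember.exe next to the script itself via %~dp0, so dragging the tool into the GPO's "Show Files" folder alongside the script, as suggested above, is enough, with the file-server share as a fallback. It also does the two things the original versions skip: it removes a stale mapping before reusing a drive letter, and it writes what it did to a per-user log so a missing drive can be traced.

```batch
@echo off
REM Added example, not the asker's script or the expert's: a logon script for
REM XP/2003 clients that maps common drives for everyone and extra drives by AD
REM group membership with IfMember.exe (Resource Kit). All names are placeholders:
REM file server MY-FILESERVER, shares \documents \data \ops \admin \tech, and the
REM domain groups Operations, Admin and Tech.
setlocal

REM Do nothing when the script runs on the file server itself.
REM /I makes the comparison case-insensitive (MY-FILESERVER vs my-fileserver).
if /i "%COMPUTERNAME%"=="MY-FILESERVER" goto :EOF

REM Per-user log in the user's own profile, useful when a user reports a
REM missing drive. The redirection goes first so a value ending in a digit
REM (e.g. a computer name like PC1) is not mistaken for a file handle.
set LOG=%TEMP%\logon-mapping.log
>>"%LOG%" echo %DATE% %TIME% logon script start: %USERDOMAIN%\%USERNAME% on %COMPUTERNAME%

REM ---- Drives for everyone ----
call :MapDrive W: \\MY-FILESERVER\documents
call :MapDrive U: \\MY-FILESERVER\data

REM ---- Locate IfMember.exe ----
REM %~dp0 is the folder this script was started from (the GPO's "Show Files"
REM folder or the netlogon share), so copying ifmember.exe next to the script
REM works no matter which DC serves it. Fall back to a share on the file server.
set IFMEMBER=%~dp0ifmember.exe
if exist "%IFMEMBER%" goto groupDrives
set IFMEMBER=\\MY-FILESERVER\tools\ifmember.exe
if exist "%IFMEMBER%" goto groupDrives
>>"%LOG%" echo %DATE% %TIME% ERROR ifmember.exe not found, group drives skipped
goto :EOF

:groupDrives
REM IfMember exits with the number of listed groups found in the user's logon
REM token, so ERRORLEVEL 1 or higher means "member". Because it reads the
REM token, nested group membership counts, but a change to a user's groups
REM only shows up after that user logs off and on again.
call :MapIfMember Operations O: \\MY-FILESERVER\ops
call :MapIfMember Admin      R: \\MY-FILESERVER\admin
call :MapIfMember Tech       T: \\MY-FILESERVER\tech
goto :EOF

REM ==== Subroutines, reached only through CALL ====

:MapIfMember
REM %1 group name (quote it if it contains spaces; %~1 strips the quotes),
REM %2 drive letter, %3 UNC path.
"%IFMEMBER%" "%USERDOMAIN%\%~1" >nul
if errorlevel 1 call :MapDrive %2 %3
goto :EOF

:MapDrive
REM %1 drive letter, %2 UNC path. Drop any stale mapping first, otherwise
REM NET USE fails with "The local device name is already in use" (error 85).
REM /PERSISTENT:NO stops the mapping being remembered across logons, so the
REM script stays the single place that decides what gets mapped.
net use %1 /delete /yes >nul 2>&1
net use %1 %2 /persistent:no >nul 2>&1
if errorlevel 1 (
    >>"%LOG%" echo %DATE% %TIME% ERROR mapping %1 to %2
) else (
    >>"%LOG%" echo %DATE% %TIME% mapped %1 to %2
)
goto :EOF
```

To try it, log on as a test account, run the script from a command prompt, then read %TEMP%\logon-mapping.log and run `net use` with no arguments to see the resulting mappings. Together with the security-filtering tip above, that keeps the trial to one user until the GPO is opened up to everyone.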
ASKER
Sorry, still a little confused. Not sure how to get it into "the GPO folder". Do I just drag the ifmember.exe file to the window that opens when I select "Show Files" in the Logon Properties window when I edit the login script? Thanks
Yes, that should work. You can just try the different versions as well.
Oh, and, yes, you can of course test the script itself by running it from the command line.
ASKER
I have not put this in place yet, tested locally. Will most likely go with a VB Script for unrelated reasons.
Excellent help was provided for this issue.
ASKER
Excellent help with this issue. For unrelated reasons we will most likely use a VB script. Thanks for the great response.
if /i "%ComputerName%"=="my-file
as line 4.
"/i" ignores the case, otherwise my-fileserver will be different from MY-FILESERVER.