Mapping Drives based on Group Membership - XP and 2003 Server

I'm a Linux admin that sometimes has to support AD.  So my Windows skills are lacking.

We have a 2003 fileserver on site and our Domain Controller is at a headquarters location off site.  We use the Group Policy Management Console snap-in to manage GP.  So in my OU I have a very simple login script (bat file) (see code) that is run during login.  All it does is map a few drives on our local fileserver when a user logs in.  We now need to map drives based on AD group membership.  Since I don't want to learn VBScript now, I came across ifmember.exe.  I rewrote the script using ifmember (see code) and was looking for input on how to implement.  Things I'm unsure of:

1. Is syntax of the bat file correct?

2. Will ifmember work within AD group policy?  If so, where do I need to put the ifmember.exe file?  I don't seem to have it on the local fileserver.  I assume I need to download the resource kit and install on our local fileserver?

3. Do I need to reference it with a UNC in the bat file like this:
\\xxx.xxx.xxx.10\some\place\on\server\ifmember.exe "operations"

4. Should I chuck this and figure out how to do it with a vbs login script?

*** Existing Login Script ***
@echo off
IF %COMPUTERNAME%.==my-fileserver. GOTO END
REM ---- Delete pre-existing drive mappings ----
    NET USE W: /DELETE >nul
    NET USE U: /DELETE >nul
    NET USE X: /DELETE >nul
REM ---- Map drives for all users ----
    NET USE W: \\xxx.xxx.xxx.11\documents /YES >nul
    NET USE U: \\xxx.xxx.xxx.20\data /YES >nul
    NET USE X: \\xxx.xxx.xxx.11\programs /YES >nul
:END

*** Proposed New script using ifmember.exe ***

@echo off
IF %COMPUTERNAME%.==my-fileserver. GOTO END
REM ---- Delete pre-existing drive mappings ----
    NET USE W: /DELETE >nul
    NET USE U: /DELETE >nul
    NET USE X: /DELETE >nul

REM ---- Map drives for all users ----
    NET USE W: \\xxx.xxx.xxx.11\documents /YES >nul
    NET USE U: \\xxx.xxx.xxx.20\data /YES >nul
    NET USE X: \\xxx.xxx.xxx.11\programs /YES >nul

REM --- Start drive mapping based on groups ---
REM ifmember sets errorlevel to the number of listed groups the user is in,
REM so errorlevel 0 means "not a member" and the mapping is skipped
    ifmember "operations"
    if not errorlevel 1 goto admin
    net use O: "\\xxx.xxx.xxx.11\ops"

:admin
    ifmember "admin"
    if not errorlevel 1 goto tech
    net use R: "\\xxx.xxx.xxx.11\admin"

:tech
    ifmember "tech"
    if not errorlevel 1 goto DONE
    net use T: "\\xxx.xxx.xxx.5\tech"

:DONE
REM --- Done mapping drives based on group ---

    net time \\my-fileserver /SET /YES >nul

:END

Asked by credog

oBdA commented:
I'd suggest putting the script (and all tools it needs, including ifmember.exe) into the netlogon share (the "Scripts" folder in the Sysvol folder on the DCs).
ifmember is part of the W2k3 ResKit; you can install the ResKit wherever you want, then simply copy ifmember.exe into the folder with the script.
Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Then either use the script name (only!) in the properties of the user in ADUC as logon script, or enter
%logonserver%\netlogon\YourLogonScriptName.cmd
as logon script in a GPO (do NOT use the "Browse" button, just enter the path); this makes editing the logon script a lot easier than having to look for it using the GPMC.
Below is a slightly different version; you can remove the PAUSE at the end when you're done with testing.
Oh, and do NOT use "net time ..." in a logon script. Windows clients running W2k or later in an AD domain will sync their time *by* *default* (and users aren't allowed to change the time anyway).

@echo off
setlocal

call :map W: "\\xxx.xxx.xxx.11\documents"
call :map U: "\\xxx.xxx.xxx.20\data"
call :map X: "\\xxx.xxx.xxx.11\programs"
call :map O: "\\xxx.xxx.xxx.11\ops" "Operations"
call :map R: "\\xxx.xxx.xxx.11\admin" "Admin"
call :map T: "\\xxx.xxx.xxx.5\tech" "Tech"
PAUSE

:: *** Leave the script, only subroutines following from here on:
goto :eof
:: **********************************************************************
:: *** Procedure Map
:: *** Maps a drive, optionally according to group membership.
:: *** Arguments: %1: Drive letter; %2: Share name; %3: Group name
:: *** If %3 is empty, group checking will be skipped.
:Map
set Drive=%~1
set Share=%~2
set Group=%~3
if not "%Group%"=="" (
  ifmember.exe "%Group%" >NUL 2>&1
  if errorlevel 9009 (
    echo Skipped %Drive%, ifmember.exe not found!
    goto :eof
  )
  if not errorlevel 1 goto :eof
)
if exist %Drive%\ net use %Drive% /delete >NUL 2>&1
net use %Drive% "%Share%" /persistent:no
goto :eof
:: **********************************************************************



oBdA commented:
Missed the server check, sorry; add the line
if /i "%ComputerName%"=="my-fileserver" goto :eof
as line 4.
"/i" ignores the case, otherwise my-fileserver will be different from MY-FILESERVER.
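As an added example that is not part of the thread: the same logic as oBdA's :map subroutine and server-name check, written in PowerShell. Server names, share paths, group names and the file server's host name below are assumptions, not values from the original post. It reads group membership from the user's own logon token (nested groups are already expanded there, which is also what ifmember.exe checks), so there is no extra binary to copy next to the script, and it has a -DryRun switch so it can be run from a prompt as a test user before it goes into the GPO. One caveat that applies to any of the scripts on this page: the logon script and every tool it calls run with each user's own token, so the folder holding them (NETLOGON, or a share on the file server) must be writable by administrators only; anyone who can replace ifmember.exe there gets code run as every user at logon.

```powershell
# Added example, not code from the original thread: group-based drive mapping in
# PowerShell, reading membership from the logon token instead of calling ifmember.exe.
# Server, share and group names are placeholders (assumptions); replace them with your own.
param(
    [switch]$DryRun   # print what would be mapped instead of mapping; for testing from a prompt
)

# Same purpose as oBdA's "if /i ... goto :eof": never map drives on the file server itself
# (host name is an assumption)
if ($env:COMPUTERNAME -ieq 'my-fileserver') { return }

# Drive table: letter, UNC path, optional group (empty string = map for everyone)
$mappings = @(
    @{ Drive = 'W:'; Share = '\\fileserver\documents'; Group = '' },
    @{ Drive = 'U:'; Share = '\\dataserver\data';      Group = '' },
    @{ Drive = 'X:'; Share = '\\fileserver\programs';  Group = '' },
    @{ Drive = 'O:'; Share = '\\fileserver\ops';       Group = 'Operations' },
    @{ Drive = 'R:'; Share = '\\fileserver\admin';     Group = 'Admin' },
    @{ Drive = 'T:'; Share = '\\techserver\tech';      Group = 'Tech' }
)

# Resolve the group SIDs in the logon token to names once; SIDs that no longer
# resolve (deleted groups) are skipped rather than aborting the script
$identity    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

function Test-TokenGroup {
    param([string]$Group)
    # Accept "DOMAIN\Group" or a bare "Group" name, case-insensitively
    foreach ($g in $tokenGroups) {
        if ($g -ieq $Group -or $g -imatch ('\\' + [regex]::Escape($Group) + '$')) {
            return $true
        }
    }
    return $false
}

foreach ($m in $mappings) {
    if ($m.Group -and -not (Test-TokenGroup $m.Group)) {
        Write-Verbose "Skipping $($m.Drive): not a member of $($m.Group)"
        continue
    }
    if ($DryRun) {
        Write-Host ("Would map {0} -> {1}" -f $m.Drive, $m.Share)
        continue
    }
    # Drop a stale mapping for the letter, then map non-persistently so the letter
    # does not survive into a later logon where the user is no longer in the group
    if (Test-Path -LiteralPath ($m.Drive + '\')) { net use $m.Drive /delete /y | Out-Null }
    net use $m.Drive $m.Share /persistent:no | Out-Null
}
```

To test it the way credog asks about, run it from a command prompt as an ordinary user with `-DryRun -Verbose`: it lists the drives that would be mapped and the ones skipped for lack of membership, without touching anything. Once it looks right, oBdA's suggestion of a single test account in the GPO's Security Filtering list is the safe way to try it as a real logon script before opening it to Authenticated Users.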
credog (author) commented:
Nice bat file.  Since I'm more of a Unix person, I had to study it a little.  One thing you state is "I'd suggest to put the script (and all tools it needs, including ifmember.exe) into the netlogon share (the "Scripts" folder in the Sysvol folder on the DCs)".  Not sure what that means.  I don't have direct access to the DC since it is maintained by HQ people.  I can add or edit the login script by doing the following:

Right click on the GP for the startup script and select edit.  In the popup I navigate to "User Configuration" > "Windows Settings" > "Scripts (Logon/Logoff)" and right click on Logon and select properties.  I see my script in the window.  I then hit the "Show Files" button in the window and the resulting window shows the login script on the Domain Controller.  I then right click on the script and select edit and Notepad pops up.

I of course have full access to the local file server shares.   Also, since this bat file will be for all users in GP, what would be the best way to test?  Just run from the command line on a system?

oBdA commented:
Where you put your script and the tools is mainly a matter of personal preference (and redundancy; the GPO folder is replicated among the DCs, but the file server might be a single point of failure--but then again, if all you do is map some drives on the file server, then it doesn't matter if the script mapping those drives is unavailable, too, if the file server is down ...).
You can put them all into the GPO folder, or put them all into a shared folder on the file server (in which case the logon script needs to be configured as \\FileServer\Share\logonscript.cmd in the GPO), or put the script itself into the GPO folder and the tools on the file server (and then use \\FileServer\Share\SomeTool.exe to address them).
You can test this by adding a single test user account into the GPO's Security Filtering list, instead of the default "Authenticated Users".
credog (author) commented:
Sorry, still a little confused.  Not sure how to get it into "the GPO folder"  do I just drag the ifmember.exe file to the window that opens when I select "Show Files" in the Logon Properties window when I edit the login script?  Thanks
oBdA commented:
Yes, that should work. You can just try the different versions as well.
Oh, and, yes, you can of course test the script itself by running it from the command line.
credog (author) commented:
I have not put this in place yet,  tested locally.  Will most likely go with a VB Script for unrelated reasons.
Excellent help was provided for this issue.
credog (author) commented:
Excellent help with this issue.  For unrelated reasons we will most likely use a VB script.  Thanks for the great response.