Solved

SBS 2011 Logon Scripts

Posted on 2011-09-29
Last Modified: 2013-06-05
We are working with SBS 2011 and would like to implement a logon script to map shared drives for users based on their group membership. For example, there are a number of shared folders - Finance$, HR$ and Data$ (all hidden shares). There are corresponding security groups - Finance, HR and Company Users.

Each user may be a member of multiple security groups and require access to one or more of the shared folders (depending on their group membership)

Ideally, I would like to create a single logon script, that provides a mapped drive based on their group membership.

I do not have any scripting experience, other than simple batch files using the NET USE command. I'm not opposed to using other methods of scripting such as VB, but would need some assistance at a basic level.

Thanks in advance!
0
Question by:swan_solutions
15 Comments
 
LVL 4

Accepted Solution

by:
Daelt earned 500 total points
ID: 36813327
I already answered this there: http://www.experts-exchange.com/Programming/Languages/Scripting/Powershell/Q_27292664.html

Make a unique script for everyone and include this code in it; repeat it for each group & drive you want to set up.
Users will only connect the drives affected to the group(s) they belong to.

ON ERROR RESUME NEXT
set WshShell = CreateObject("WScript.Shell")
Set WshNetwork = WScript.CreateObject("WScript.Network")


DomainName=WshShell.ExpandEnvironmentStrings("%USERDOMAIN%")
LogonServer=WshShell.ExpandEnvironmentStrings("%LogonServer%")
Set UserObj = GetObject("WinNT://" & DomainName & "/" & WshNetwork.username)

'wscript.echo "Hello "&WshNetwork.username&" is connecting on "&WshNetwork.computername


'Init Groups
Dim UserGroups
Dim GroupObj
UserGroups=""

For Each GroupObj In UserObj.Groups
UserGroups=UserGroups & "[" & GroupObj.Name & "]"

Next

'wscript.echo "Member of "&UserGroups


'Modify below group and network drive ......................................................................

if InGroup("Security_Group_Name") then
WshNetwork.MapNetworkDrive "X:","\\path\Folder"
end if


' Function InGroup

Function InGroup(strGroup)
InGroup=False
If InStr(UserGroups,"[" & strGroup & "]") Then
InGroup=True

End If

End Function 


0
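The same group-to-drive mapping as a table-driven PowerShell logon script, added here as an example that is not part of any poster's answer; it reads the groups from the logon token, so nested memberships count as well. Group and share names come from the question; the server name SBS2011, the drive letters and the $TestOnly switch are assumptions.

```powershell
# Added example (not from the thread). Group and share names come from the
# question; server name, drive letters and $TestOnly are assumptions.
$Server   = 'SBS2011'
$TestOnly = $true    # like the ECHO'd NET USE lines further down: print, do not map
$DriveMap = @(
    @{ Group = 'Finance';       Letter = 'F:'; Share = 'Finance$' },
    @{ Group = 'HR';            Letter = 'H:'; Share = 'HR$' },
    @{ Group = 'Company Users'; Letter = 'S:'; Share = 'Data$' }
)

function Get-TokenGroupName {
    # Groups in the logon token: direct and nested memberships as of logon.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            # 'DOMAIN\Finance' -> 'Finance'; the domain part is dropped to
            # match the bare group names used on this page.
            ($name -split '\\')[-1]
        } catch {
            # SIDs without a resolvable name (e.g. the logon session SID) are skipped.
        }
    }
}

function Select-DriveForGroup {
    param([string[]]$GroupName, [object[]]$Map)
    # -contains compares whole names, case-insensitively, so 'HR' never
    # matches 'HR Managers' and 'finance' still matches 'Finance'.
    $Map | Where-Object { $GroupName -contains $_.Group }
}

$groups  = @(Get-TokenGroupName)
$network = New-Object -ComObject WScript.Network
foreach ($d in @(Select-DriveForGroup -GroupName $groups -Map $DriveMap)) {
    $unc = '\\{0}\{1}' -f $Server, $d.Share
    if ($TestOnly) { Write-Output "Would map $($d.Letter) to $unc"; continue }
    # Re-map only the letters this script owns, leaving user-made mappings alone.
    try { $network.RemoveNetworkDrive($d.Letter, $true, $true) } catch { }
    # Third argument $false: do not store the mapping in the user profile.
    $network.MapNetworkDrive($d.Letter, $unc, $false)
}
```

Because the list comes from the token, a group change shows up only after the user logs on again. The mapping itself grants nothing: access is still decided by the share and NTFS permissions on Finance$, HR$ and Data$.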
 

Author Comment

by:swan_solutions
ID: 36814550
Not being familiar with scripts, I am unsure what elements to adjust.

Can you give me some guidance please?
0
 
LVL 4

Expert Comment

by:Daelt
ID: 36814686
It's written inside the script what you have to modify (line 26)
Just replace:
"Security_group_name" at line 28
"X:" with the letter you want at line 29
"\\path\folder" the path to the network shared folder at line 29

Copy and paste the whole code I gave you as many times as you need into the script.

No need to understand coding, it's already really easy.
0
 

Author Comment

by:swan_solutions
ID: 36815063
Got it! My mistake was to save as a .bat file (habit) instead of .vbs, which is why it didn't work first time around.
0
 
LVL 11

Expert Comment

by:Ben Personick
ID: 36815115
Hey, I have a native batch; wait a moment to see it.
0
 
LVL 11

Expert Comment

by:Ben Personick
ID: 36815158
Here is the script, it allows you to check group membership entirely within normal Windows Commands, just save as DOIFMEMBER.bat.

You can easily follow the form to extend the batch file to as many groups as you like, and I also have a "common" area for resources that all users receive so you do not have to duplicate coding.

-Q
::----------------------------------------------------------------------------::
:: Script Name: DOIFMEMBER.bat                                                ::
:: Version: 1.2                                                               ::
:: Copyright: Ben Personick                                                   ::
:: Date: 2010-08-21                                                           ::
::----------------------------------------------------------------------------::

:Begin-Script
        ECHO OFF
        :Start-Prep
                SET "GroupStart=FALSE"
                SET "GroupList=_"
                FOR /F "Tokens=1-3 Delims=*" %%U IN ('net user "%username%" /domain 2^>^&1 ') DO CALL :Start-Get-Group-Membership "%%U" "%%V" "%%W"
                SET GroupList=%GroupList:_, =%
                ECHO GroupList for %UserName%: %GroupList%
        :End-Prep


        :Start-Main
        
                :Start-Map-Domain-Users
                        CALL :Start-IFMEMBER "Domain Users"
                        IF "%ISMEMBER%"=="NO" GOTO :End-Script
                        ECHO "%UserName%" Is a Member of "%IFMEMBER%"
                        ECHO NET USE A: \\SERVER\Share\Somedir\ /P
                        ECHO NET USE H: \\SERVER\Home$\%UserName%\ /P
                        ECHO NET USE P: \\SERVER\Share\Public\ /P
                :End-Map-Domain-Users

                :Start-Map-Operations
                        CALL :Start-IFMEMBER "Operations"
                        IF "%ISMEMBER%"=="NO" GOTO End-Map-Operations
                        ECHO %UserName% Is a Member of %IFMEMBER%
                        ECHO NET USE O: \\SERVER\Share\Operations\ /P
                        ECHO NET USE L: \\SERVER\Share\Love\ /P
                :End-Map-Operations

                :Start-Map-Domain-Admins
                        CALL :Start-IFMEMBER "Domain Admins"
                        IF "%ISMEMBER%"=="NO" GOTO End-Map-Domain-Admins
                        ECHO NET USE I: \\SERVER\Share\IT\ /P
                :End-Map-Domain-Admins
                
        :End-Main
        GOTO End-Script

        :Start-Subs
                :Start-IFMEMBER
                        SET "IFMEMBER=%~1"&SET "ISMEMBER=NO"
                        ECHO IFMEMBER == %IFMEMBER% and ISMEMBER == %ISMEMBER%
                        FOR %%G IN (%GroupList%) DO IF /I %%G=="%IFMEMBER%" SET "ISMEMBER=YES"
                        ECHO IFMEMBER == %IFMEMBER% and ISMEMBER == %ISMEMBER%
                        GOTO :EOF
                :End-IFMEMBER
                :Start-Get-Group-Membership
                        SET "Term=%~n1"&SET "GroupA=%~n2"&SET "GroupB=%~n3"
                        ::ECHO "%Term%" "%GroupA%" "%GroupB%"
                        IF /I "%GroupStart%"=="FALSE" FOR /F %%F IN ('ECHO "%Term%" ^| Find /I "Group"') DO SET "GroupStart=TRUE"
                        IF /I "%GroupStart%" NEQ "FALSE" SET GroupList=%GroupList%, "%GroupA%", "%GroupB%"
                        GOTO :EOF
                :End-Get-Group-Membership
        :End-Subs

:End-Script
        ECHO The Script Is Exiting.


0
 
LVL 4

Expert Comment

by:acstechee
ID: 36815215
Hi

With SBS 2011 you should really be looking at Group policy preferences rather than logon scripts.
They are much simpler to implement and manage and can use item level targeting to define who the policy is applied to.

Have a look here;
http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx

Thanks

Gareth
0

 
LVL 11

Expert Comment

by:Ben Personick
ID: 36815271
One note about the script supplied above is that it is in a "testing" configuration.

  What I mean by that is that it echoes the commands so you can test that it's working without actually performing any actions. (As you can probably tell if you have some experience with batch files already.)

Notes on each command:
You'll notice I have the /P command on the Net Use, when I initially created this script it needed to map drives persistently (They exist even after a reboot).  However, you may not want that.

Additionally best practice, whether using the VBScript the other author offered, or the batch script I gave as an example is to remove all mappings and re-map the drives when the script runs.

To un-map a drive, as you are probably familiar with, you use NET USE [Drive Letter]: /D /Y

The /Y is an undocumented feature of NET USE, that allows you to force a connection closed instead of giving you the "Are You Sure" Prompt.

For most of my domain scripting I use an asterisk in place of the drive letter (NET USE * /D).

This removes ALL mapped drives, however that may be a problem if users are mapping drives themselves (assuming you want to allow them to) as those drives will be un-mapped as well.  However generally if a user is mapping a drive it probably should be part of the group's logon script already.

Also you can map printers this way using Con2Prn, or the additional Windows Printer mapping scripts supplied in the Windows operating system.

  (The only issue with using the Windows Admin scripts for printers being that they are in different locations, and take different options depending on the os; and they also require a much more complex set of commands/switches than Con2Prn)



0
 
LVL 11

Expert Comment

by:Ben Personick
ID: 36815805
In case you were curious about the detailed workings of the script above, I have run through the script again and commented on each unique line-item.

~Q
::----------------------------------------------------------------------------::
:: Script Name: DOIFMEMBEROF.bat                                              ::
:: Version: 1.1                                                               ::
:: Copyright: Ben Personick                                                   ::
:: Date: 2011-09-29                                                           ::
::----------------------------------------------------------------------------::

:Begin-Script
ECHO OFF
	:Start-Prep
		SET "GroupStart=FALSE" & REM Placeholder Value needed to find the groups when looking at the output of the Net User command.
		SET "GroupList=_" & REM Placeholder Value needed to properly set groups into distinct items when parsing the Net User Command.
		::Calls the function which parses the Group Membership for the currently logged on user, and assigns it to a variable.
		FOR /F "Tokens=1-3 Delims=*" %%U IN ('net user "%username%" /domain 2^>^&1 ') DO CALL :Start-Get-Group-Membership "%%U" "%%V" "%%W"
		SET "GroupList=%GroupList:_, =%" & REM Removes Characters that were only used for separating terms in the list and should not be used in processing.
		::Echo the Username, and all the groups the user belongs to. (Optional)
		ECHO GroupList for %UserName%: %GroupList%
	:End-Prep


	:Start-Main

		:Start-Map-Domain-Users
			::Calls the "IFMEMBER" Function which checks to see if the group is one of the ones gathered before. (Note: There are other methods of doing this part.)
			CALL :Start-IFMEMBER "Domain Users"
			IF "%ISMEMBER%"=="NO" GOTO :End-Script & REM If the User somehow is not a member of Domain users, then there would be no need to map anything.
			ECHO "%UserName%" Is a Member of "%IFMEMBER%" & REM Optional Echos the info found, useful for logging. (Optional)
			ECHO NET USE A: "\\SERVER\Share\Somedir\" /P & REM Maps Drive Letter "A" to a Network Share located inside the Quotes. (Optional /P sets the Mapped Drive to be Persistent.)
			ECHO NET USE H: "\\SERVER\Home$\%UserName%\" /P & REM Maps the User's Home Drive, pretty standard to use a share system similar to this, so long as you created the users properly in AD.
			ECHO NET USE P: "\\SERVER\Share\Public\" /P
		:End-Map-Domain-Users

		:Start-Map-Operations
			CALL :Start-IFMEMBER "Operations"
			IF "%ISMEMBER%"=="NO" GOTO End-Map-Operations & REM If the user is not a member of operations, it skips to the end of this chunk, and goes to the next group.
			ECHO %UserName% Is a Member of %IFMEMBER%
			ECHO NET USE O: "\\SERVER\Share\Operations\" /P
			ECHO NET USE L: "\\SERVER\Share\Love\" /P
		:End-Map-Operations

		:Start-Map-Domain-Admins
			CALL :Start-IFMEMBER "Domain Admins"
			IF "%ISMEMBER%"=="NO" GOTO End-Map-Domain-Admins
			ECHO NET USE I: "\\SERVER\Share\IT\" /P
		:End-Map-Domain-Admins

	:End-Main
	GOTO End-Script & REM Stops the script from re-running the sub routines located below once it gets to the end of the main function.
	::Subroutines go in this section, they contain functions called by the main code.
	:Start-Subs
		:Start-IFMEMBER
			SET "IFMEMBER=%~1"&SET "ISMEMBER=NO" & REM Takes the Group Supplied to the function, and sets the return Value to Negative as membership is not yet determined.
			ECHO IFMEMBER == %IFMEMBER% and ISMEMBER == %ISMEMBER% & REM Displays the current values of IFMEMBER and ISMEMBER, For Logging/Debugging purposes Only. (Optional)
			::This FOR-Loop parses the group list, and for each group in the list, checks to see if the group supplied to the function exists, if it does it changes "ISMEMBER" to be Affirmative.
			FOR %%G IN (%GroupList%) DO IF /I %%G=="%IFMEMBER%" SET "ISMEMBER=YES"
			ECHO IFMEMBER == %IFMEMBER% and ISMEMBER == %ISMEMBER% & REM Displays the current values of IFMEMBER and ISMEMBER, For Logging/Debugging purposes Only. (Optional)
			GOTO :EOF & REM Because the subroutine was Called it acts the same as batch file, and needs to hit the end of the file in order to return to the calling function.
		:End-IFMEMBER
		:Start-Get-Group-Membership
			SET "Term=%~n1"&SET "GroupA=%~n2"&SET "GroupB=%~n3" & REM Places the output received from the NET USER command into full variables. Not strictly speaking necessary.
			::ECHO "%Term%" "%GroupA%" "%GroupB%" & REM Used for Debugging Only. (Optional)
			::This line checks to see if the line Contains the beginning of the Group List, if it does it sets the Variable "GroupStart" to TRUE, and will no longer execute.
			IF /I "%GroupStart%"=="FALSE" FOR /F %%F IN ('ECHO "%Term%" ^| Find /I "Group"') DO SET "GroupStart=TRUE"
			::This Line Checks to See if the Group List was Found in the Previous line, if it was it Adds the groups presented to the function to the "GroupList" Variable.
			IF /I "%GroupStart%" NEQ "FALSE" SET GroupList=%GroupList%, "%GroupA%", "%GroupB%"
			GOTO :EOF
		:End-Get-Group-Membership
	:End-Subs

:End-Script
ECHO The Script Is Exiting. & REM For Logging Purposes Only. (Optional)


0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36841797
I agree with acstechee, current methods are to use Group Policy and with server 2008 and newer, group policy preferences. Login scripts are a very old technology and ifmember is part of the WinNT resource kit, however it still works.
If untested in "Using Group Policy Preferences to Map Drives Based on Group Membership" please see the following:
http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx
0
 
LVL 11

Expert Comment

by:Ben Personick
ID: 36893453
RobWill,

  Please note, my script DOES NOT use the IFMEMBER Executable, instead it ONLY uses native Windows commands (Specifically "NET USER").

  I named it "IFMEMBER.bat" simply because it replicates the function provided by the IFMEMBER utility which people often have used, but DOES NOT work on Windows 64bit.

-Q
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36894056
Sorry Q, I missed that, still I would not fault anyone for using it or logon scripts, but although they work fine, modern practices are more to using group policy for drive mapping.
0
 

Author Closing Comment

by:swan_solutions
ID: 36994017
This has worked nicely. Thanks
0
 

Expert Comment

by:voipguy
ID: 37820125
@RobWill, so your .bat will not work on sbs 2011 x64?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 37820192
.bat's work fine on 64 bit
0
