what drives did they have mapped

pma111
pma111 used Ask the Experts™
on
We have a task of identifying what network drives a disabled AD user would have had on his/her PC in my computer when they log in to the domain each day. Any ideas how we could find this out? I know you have a login script which I guess maps drives. Can you have any other manually mapped drives accessible to the user each time they login outside of the script, if so anyway to see what they were? Any other suggestions?

Also - what other things are tied to a user account, logging in script will map drives, outlook email, anything else?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Is the user still logged in?

You might be able to use WMI...
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012
Commented:
You need to review registry HKEY_USERS hive on each workstation to which user was logged on. Then in registry you can find these mapping

that's the only one possibility except some 3rd party tool which I don't know :)

Regards,
Krzysztof
ǩa̹̼͍̓̂ͪͤͭ̓u͈̳̟͕̬ͩ͂̌͌̾̀ͪf̭̤͉̅̋͛͂̓͛̈m̩̘̱̃e͙̳͊̑̂ͦ̌ͯ̚d͋̋ͧ̑ͯ͛̉Glanced up at my screen and thought I had coded the Matrix...  Turns out, I just fell asleep on the keyboard.
Most Valuable Expert 2011
Top Expert 2015
Commented:
If you can log in as that user, then in a command prompt you could run:

net use
11/26 Forrester Webinar: Savings for Enterprise

How can your organization benefit from savings just by replacing your legacy backup solutions with Acronis' #CyberProtection? Join Forrester's Joe Branca and Ryan Davis from Acronis live as they explain how you can too.

Gary DewrellSenior Network Administrator
Commented:
Big task.  Mapped drives can be done by login script, GPO, and at teh PC  itself.  
Mappings by login script and GPO would happen no matter what PC the user logged into.
You absolutely can check the login scripts and GPO's.

You could login to his PC as him to see what drives mappings he had set to "Allways Map" but you would not be able to tell which drives he mapped on an as needed bases.

Author

Commented:
Can you tell which drives were mapped by which means?

I.e. which were mapped via script, which GPO, which locally?

Can you give some clues how to see any mappd by GPO? I can use a test user and machine

Author

Commented:
Also from the client machine is there anyway to copy the actual loginscript to see what its doing, via command prompt or something....
Gary DewrellSenior Network Administrator

Commented:
If you login to your test machine as that user and that test machine is joined to the domain you will see all mapped drives that are mapped via script or GPO.

Author

Commented:
Sorry no can do that acct is disabled for a reason and logging in with it will cause issues with potential disciplinary.

Author

Commented:
Can you tell which drives were mapped by which means?

I.e. which were mapped via script, which GPO, which locally?

Can you give some clues how to see any mappd by GPO? I can use a test user and machine

Author

Commented:
isiek - can you share any more information on:

You need to review registry HKEY_USERS hive on each workstation to which user was logged on. Then in registry you can find these mapping


Where exactly is this key?
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012

Commented:
Yes, sure. You need to only know user's SID but this can be done using DSQUERY or PowerShell and then in registry go to:

first, locating user's SID:

dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(sAMAccountName=UserNameToGetSID))" -attr sAMAccountName objectSID

Open in new window


now, log on to workstation and in registry localize user's SID under HKEY_USERS hive. Then go to Network key and you will see all mapped drives there.

Krzysztof

Author

Commented:
Thanks does that include drives mapped via local gpo or script? Or just one group
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012

Commented:
All mapped drives by manual, local and script (GPO) but only with "persistent" (Reconect at logon) option :/
http://technet.microsoft.com/en-us/library/cc957210.aspx

So, if user used another mappings they would not appear in registry but mostly users have this option selected :)

Krzysztof

Author

Commented:
This is weird, I checkd mine as a test, each morning I have my home drive mapped, and 2 other network drives. In the regedit is shows only the 2 network drives, not my home drive. I got a copy of the logon bat file and that too only seems to link to the network drives, not my home drive. How is a home drive typically mapped? I know its stored in my properties in AD, but I cant see how its mapped each time I login or why it wouldnt show in this registry key? Any ideas?
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012

Commented:
Yes, this is mapped each time you are log in and without "persistent" flag :)

Krzysztof

Author

Commented:
I see, so that wouldnt show anyway then?
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012

Commented:
Yes, but this is not so matter for Domain Admins :) They have access to account properties and then simply can read which logon script is applied, so they can see what drives are mapped. In user's profile you have also information about home drive. The rest (manually mapped with persistent flag) are stored in registry.

Summarizing them all you have the final result :]

Krzysztof

Author

Commented:
Just to clarify, by what mechanism is a users H drive mapped, i.e. when I login to the domain from any PC, how does the login process know to map my network home drive? What happens during login to check where my home drive is and map it for me, if it isnt a script or a GPO?
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012

Commented:
Normally, when you are logging into PC with domain account then user properties are checked like:

1) startup scripts from GPOs (at computer level)

2) user AD profile (home drive and home path)

3) logon scripts from GPOs

4) logon script from AD profile

Krzysztof

Author

Commented:
Also, can the user copy their login script at all via the command prompt. I.e. you run NET User and see your login script is accountancylogin.bat, c an you take a copy of that bat file via a command prompt, I am 99% sure I have seen this mentioned before, but cant remember the command.
Krzysztof PytkoSenior Active Directory Engineer
Top Expert 2012

Commented:
Yes, you're right. Each user can run in command-line

set
command and then verify which logon script is applied. To be able to run (apply) logon script user needs at least read&execute permissions on NETLOGON share (which is by default done). So, if I know which logon script is interesting me or even all of them :) I can download them using Windows Explorer

\\domain.loca\NETLOGON
and I can see all logon scripts. Of course if user is more advanced then he/she is also able to use command-line for that as you mentioned.

Krzysztof

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial