Pau Lo

what drives did they have mapped

We have a task of identifying what network drives a disabled AD user would have had on his/her PC in My Computer when they log in to the domain each day. Any ideas how we could find this out? I know you have a login script which I guess maps drives. Can you have any other manually mapped drives accessible to the user each time they log in, outside of the script? If so, any way to see what they were? Any other suggestions?

Also - what other things are tied to a user account? The login script will map drives, Outlook email, anything else?
ASKER CERTIFIED SOLUTION
athomsfere
This solution is only available to members.
SOLUTION
Krzysztof Pytko
Pau Lo

ASKER

Can you tell which drives were mapped by which means?

I.e. which were mapped via script, which GPO, which locally?

Can you give some clues how to see any mapped by GPO? I can use a test user and machine.

Pau Lo

ASKER

Also, from the client machine is there any way to copy the actual login script to see what it's doing, via command prompt or something....

If you log in to your test machine as that user and that test machine is joined to the domain, you will see all mapped drives that are mapped via script or GPO.
Pau Lo

ASKER

Sorry, no can do. That acct is disabled for a reason, and logging in with it will cause issues with potential disciplinary.
Pau Lo

ASKER

isiek - can you share any more information on:

You need to review the HKEY_USERS registry hive on each workstation to which the user was logged on. Then in the registry you can find these mappings.

Where exactly is this key?

Yes, sure. You only need to know the user's SID, but this can be done using DSQUERY or PowerShell, and then in the registry go to:

First, locate the user's SID:

dsquery * -filter "(&(objectClass=User)(objectCategory=Person)(sAMAccountName=UserNameToGetSID))" -attr sAMAccountName objectSID


Now, log on to the workstation and in the registry locate the user's SID under the HKEY_USERS hive. Then go to the Network key and you will see all mapped drives there.

Krzysztof
Pau Lo

ASKER

Thanks, does that include drives mapped via local GPO or script? Or just one group?

All drives mapped manually, locally and by script (GPO), but only with the "persistent" (Reconnect at logon) option :/
http://technet.microsoft.com/en-us/library/cc957210.aspx

So, if the user used other mappings they would not appear in the registry, but mostly users have this option selected :)

Krzysztof
Pau Lo

ASKER

This is weird. I checked mine as a test: each morning I have my home drive mapped, and 2 other network drives. In regedit it shows only the 2 network drives, not my home drive. I got a copy of the logon bat file and that too only seems to link to the network drives, not my home drive. How is a home drive typically mapped? I know it's stored in my properties in AD, but I can't see how it's mapped each time I log in or why it wouldn't show in this registry key. Any ideas?

Yes, this is mapped each time you log in, and without the "persistent" flag :)

Krzysztof
Pau Lo

ASKER

I see, so that wouldn't show anyway then?

Yes, but this does not matter so much for Domain Admins :) They have access to the account properties and can simply read which logon script is applied, so they can see what drives are mapped. In the user's profile you also have information about the home drive. The rest (manually mapped with the persistent flag) are stored in the registry.

Summarizing them all you have the final result :]

Krzysztof
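
The three sources summarized above (the AD account properties for the home drive and logon script, and the Network key under the user's SID for persistent mappings), gathered in one pass. This is an added example, not code posted by anyone in the thread; the account name jdoe, the hive copy path and the temporary key name OfflineUser are placeholders, and it assumes the RSAT ActiveDirectory module and an elevated prompt on the workstation.

```powershell
# Added example, not code from the thread. Run elevated on the user's workstation.
Import-Module ActiveDirectory

$sam      = 'jdoe'                     # placeholder account name
$hiveCopy = 'C:\Case\jdoe\NTUSER.DAT'  # placeholder: working COPY of the profile hive
$mount    = 'OfflineUser'              # hypothetical temporary key name under HKEY_USERS

$user = Get-ADUser -Identity $sam -Properties HomeDrive, HomeDirectory, ScriptPath
$sid  = $user.SID.Value
$rows = @()

# Home folder and logon script are attributes of the AD account.
$rows += [pscustomobject]@{ Source = 'AD home folder';  Drive = $user.HomeDrive; Path = $user.HomeDirectory }
$rows += [pscustomobject]@{ Source = 'AD logon script'; Drive = $null;           Path = $user.ScriptPath }

# Persistent mappings: HKEY_USERS\<SID>\Network. The hive sits under the SID
# only while the user is logged on; otherwise load the copied NTUSER.DAT.
$root   = "Registry::HKEY_USERS\$sid"
$loaded = $false
if (-not (Test-Path $root)) {
    reg.exe load "HKU\$mount" $hiveCopy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load $hiveCopy" }
    $root   = "Registry::HKEY_USERS\$mount"
    $loaded = $true
}
try {
    # One subkey per drive letter; RemotePath holds the UNC target.
    foreach ($key in Get-ChildItem "$root\Network" -ErrorAction SilentlyContinue) {
        $rows += [pscustomobject]@{
            Source = 'Registry Network key (persistent)'
            Drive  = "$($key.PSChildName):"
            Path   = (Get-ItemProperty $key.PSPath).RemotePath
        }
    }
}
finally {
    if ($loaded) {
        # Release registry handles, otherwise the unload is refused.
        Remove-Variable key -ErrorAction SilentlyContinue
        [gc]::Collect(); [gc]::WaitForPendingFinalizers()
        reg.exe unload "HKU\$mount" | Out-Null
    }
}
$rows | Format-Table -AutoSize
```

The hive is loaded from a copy because loading NTUSER.DAT can write to it, which matters when the profile may be needed as evidence. The logon script row gives only the script name, so the drives it maps still have to be read from the script itself, and logon scripts assigned through GPOs are not covered.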
Pau Lo

ASKER

Just to clarify, by what mechanism is a user's H drive mapped, i.e. when I log in to the domain from any PC, how does the login process know to map my network home drive? What happens during login to check where my home drive is and map it for me, if it isn't a script or a GPO?

Normally, when you log in to a PC with a domain account, user properties are checked like:

1) startup scripts from GPOs (at computer level)

2) user AD profile (home drive and home path)

3) logon scripts from GPOs

4) logon script from AD profile

Krzysztof
Pau Lo

ASKER

Also, can the user copy their login script at all via the command prompt? I.e. you run NET User and see your login script is accountancylogin.bat; can you take a copy of that bat file via a command prompt? I am 99% sure I have seen this mentioned before, but can't remember the command.

Yes, you're right. Each user can run in the command line the

set

command and then verify which logon script is applied. To be able to run (apply) a logon script, the user needs at least read & execute permissions on the NETLOGON share (which is granted by default). So, if I know which logon script interests me, or even all of them :), I can download them using Windows Explorer

\\domain.local\NETLOGON

and I can see all logon scripts. Of course, if the user is more advanced then he/she is also able to use the command line for that, as you mentioned.

Krzysztof