Windows Server - Login script with drive mappings based on DL
Asked By Paco7
29-Nov-07 09:52 AM
I am trying to write a login script for the company I work for and I want to
run a different section of the script based on the membership of a DL.
I was using IFMEMBER, but that only works on security groups.
Does anyone know how I can accomplish this, without having to create
duplicate security groups for the various DL I was hoping to use?
I am using a good old fashioned batch file, not VB Script (I don't know VB).
Example:
(text is wrapped, there is only 1 space between IFMEMBER.EXE and Domain\group)
%logonserver%\netlogon\Process\IFMEMBER.EXE DOMAIN\___Office-Coppell_TX___
IF ERRORLEVEL 1 goto CP_LAUNCH
This is just bypassed since this is a DL, I have tested my script with a
security group and it works, so I know the script is ok.
Even a way to use an AD attribute to run specific areas of the script, such
as the physicalDeliveryOfficeName attribute, since I have that populated in
AD.
--
Thanks,
Paco
Richard Mueller [MVP] replied...
A batch file cannot retrieve information from Active Directory unless you
use third party tools like IfMember.exe. Perhaps you can use a command line
tool, like dsquery or Joe Richards' adfind or MemberOf. You may need to
retrieve the NT name of the user, from the %username% environment variable,
then use that in a query. See these links for Joe's tools:
http://joeware.net/freetools/tools/adfind/index.htm
http://www.joeware.net/freetools/tools/memberof/index.htm
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
Paco7 replied...
I actually already tried the ifmember and was able to get it to dump the
distribution list, but I couldn't figure out how to use that in a script.
Also, I am pleased that you responded, I have used your site for many years
and continue to check back for good stuff!
I think I have found something that will work for me on
http://cswashington.netreach.net and was wondering if you could give me your
opinion on it?
http://cwashington.netreach.net/depo/view.asp?Index=246&ScriptType=vbscript
--
Thanks,
Paco
Richard Mueller [MVP] replied...

The script you linked will work, but it is VBScript. It shows how VBScript
can retrieve the value of any single-valued string attribute, parse it, and
use it to make decisions in VBScript.
Of course if you are using VBScript, I still think it makes sense to use
group membership. If you are not concerned with group nesting, and you just
want to know if the user is a direct member of a group, the code can be
relatively simple. For example:
==========
Set objNetwork = CreateObject("Wscript.Network")

' Bind to current user object.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

' Bind to group to test membership.
Set objGroup = GetObject("LDAP://cn=TestGroup,ou=West,dc=MyDomain,dc=com")

' Check membership.
If (objGroup.IsMember(objUser.AdsPath) = True) Then
    ' The current user is a member of the group. Map a drive.
    objNetwork.MapNetworkDrive "K:", "\\MyServer\GroupShare"
End If
===========
I use the LDAP provider because it is faster and reveals many more
attributes. The cwashington script uses the WinNT provider, which can be
easier to understand. My script above requires Windows 2000 or above (for
the ADSystemInfo object) while the cwashington script requires Windows 95
(and DSClient). My script can be revised to support Win9x as well. Other
differences are a matter of style, although I would recommend not using "On
Error Resume Next" as it makes troubleshooting nearly impossible. Note that
the IsMember method of the group object that I use in my example works for
both security and distribution groups. It will not reveal membership in the
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
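
An added example, not part of the original thread and not Richard Mueller's code: the same IsMember check extended to a table of several site distribution lists, plus the physicalDeliveryOfficeName alternative raised in the question. The group DNs, drive letters, share paths and the office value "Coppell" are constructed placeholders.

```vbscript
Option Explicit
Dim objNetwork, objSysInfo, objUser, objGroup
Dim arrMaps, arrMap, strOffice, i

' Constructed placeholder table: group DN | drive letter | share.
' Replace each entry with the real DL and share for that site.
arrMaps = Array( _
    "cn=Office-Coppell,ou=Lists,dc=MyDomain,dc=com|K:|\\MyServer\Coppell", _
    "cn=Office-Austin,ou=Lists,dc=MyDomain,dc=com|L:|\\MyServer\Austin")

Set objNetwork = CreateObject("Wscript.Network")

' Bind to the current user object by distinguished name.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

' Test direct membership in each listed group. IsMember works for
' security and distribution groups, but does not follow nesting.
' A mistyped DN stops the script with an error here, so it gets noticed.
For i = 0 To UBound(arrMaps)
    arrMap = Split(arrMaps(i), "|")
    Set objGroup = GetObject("LDAP://" & arrMap(0))
    If objGroup.IsMember(objUser.AdsPath) Then
        MapDrive arrMap(1), arrMap(2)
    End If
Next

' Alternative: branch on the office attribute instead of a group.
' Get raises an error when the attribute is empty, so trap only this call.
strOffice = ""
On Error Resume Next
strOffice = objUser.Get("physicalDeliveryOfficeName")
On Error GoTo 0
If LCase(strOffice) = "coppell" Then MapDrive "M:", "\\MyServer\CoppellApps"

' Map one drive and report a failure instead of hiding it.
' Mapping only connects the drive; share and NTFS permissions still
' decide whether the user can open anything on it.
Sub MapDrive(strDrive, strShare)
    On Error Resume Next
    objNetwork.MapNetworkDrive strDrive, strShare
    If Err.Number <> 0 Then
        WScript.Echo "Could not map " & strDrive & " to " & strShare & _
            ": " & Err.Description
        Err.Clear
    End If
    On Error GoTo 0
End Sub
```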
--
Paco7 replied...
Good info, thanks. I want to use membership of a Distribution List to
determine what drives get mapped, the problem is I have found nothing that
will allow me to do that. Everything I have seen, and used over the years,
only allows parsing security groups for that membership, not even mail
enabled security groups.
--
Thanks,
Paco
Al Dunbar replied...
Interesting, but it seems unusual to use non-security enabled objects to
arbitrate access. Once mapped, of course, the user will still need access to
the underlying folders, or there wouldn't be much point.
/Al
Paco7 replied...
I agree, and they do have the access to the various drives to be mapped just
not applied by a single security group; and I was trying to avoid having to
create a security group with the same membership as the various site specific
DL.
I guess worst case I can use an ldap dump periodically to dump the DL
membership and then another to update the security group membership.
Thanks to all who replied.
--
Thanks,
Paco
