Re: AD group logon script question
From: aptrsn (busn66_at_hotmail.com)
Date: 03/02/04
- Next message: Jacques Koorts: "Re: Can one use Option Explicit in COM?"
- Previous message: Joe Earnest: "Re: Questions about GetRef() and ASP, etc."
- In reply to: Richard Mueller [MVP]: "Re: AD group logon script question"
- Next in thread: Al Dunbar [MS-MVP]: "Re: AD group logon script question"
- Reply: Al Dunbar [MS-MVP]: "Re: AD group logon script question"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 02 Mar 2004 19:41:54 GMT
> I believe you are confusing OU's and groups.
Actually, it's my poor choice of terms that tends to cause the confusion. Yes,
you're right, the user object is contained in an OU, not a member of it. In my
case, I have structured AD in such a way that my group objects are
contained in separate child OU's.
i.e.
Test (parent OU)
  Site 1 (child OU of Test)
  ' Contains the group object "Site 1 Users" which ALL users belong to.
    Groups (child OU of Site 1 - contains all dept OU's of that Site)
      CUSTSERV (child OU of Groups)
      ' Contains the group object "Customer Service" which only SOME users belong to.
> I need to read your post more carefully, but in the meantime I have sample logon scripts linked on this page:
I'm familiar with your site (it's outstanding!!) from previous posts that you
have replied to, and I have already experimented with some of your scripts.
However, I have run into the same problem if I have a user who belongs to
more than one department/group.
I hope this clarifies what I am asking.
"Richard Mueller [MVP]" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in
message news:egiZjmIAEHA.2180@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I believe you are confusing OU's and groups. A user object is contained in an Organizational Unit. The OU is the parent container of the user object, but the user should not be considered to be a member of the OU. The user can have but one parent. However, a user can be a member of an unlimited number of groups. Permissions are generally granted to security groups. Then, when users are made members of the group, they get the permissions of the group, such as permission to a share. Group membership can be easily modified. It should be rare to move a user from one OU to another.
>
> It is straightforward to test for group membership. The best way to check for which OU the user is in is either to parse the Distinguished Name (DN) of the user, or use the Parent method to retrieve the DN of the parent container.
>
> The purpose of OU's is to group objects for your own convenience, plus to apply group policy. Group Policy can assign a logon script to all users in a domain or OU. Then, the logon script should check group membership to decide things like which drives to map.
>
> It must be noted that the "primary" group of a user requires special code to reveal. I said that group memberships are straightforward to test, but LDAP does not reveal memberships in the "primary" group, unless you add more code. For this reason, I would strongly recommend not changing the "primary" group. The only time you might alter "primary" group membership is if you support Macintosh clients.
>
> I need to read your post more carefully, but in the meantime I have sample logon scripts linked on this page:
>
> http://www.rlmueller.net/freecode2.htm
>
> Most of the programs map drives according to user group membership. Some also connect to printers according to computer group membership. I also have sample programs to check group membership linked on this page:
>
> http://www.rlmueller.net/freecode1.htm
>
> Clarence Washington also has sample logon scripts on his site at:
>
> http://cwashington.netreach.net
>
> --
> Richard
> Microsoft MVP Scripting and ADSI
> HilltopLab web site - http://www.rlmueller.net
> --
>
> "aptrsn" <busn66@hotmail.com> wrote in message
> news:Hn41c.23594$ko6.217414@attbi_s02...
> > I'm new to scripting for an AD environment, so please bear with me if I'm off in my logic. What I currently have in the AD architecture is a "Test" Parent OU that contains a number of sub OU's that represent sites. These sites then contain sub OU's that represent groups, resources, etc., and under the groups OU's are several OU's that represent various departments. For example purposes, the top-down hierarchy would look like the following:
> >
> > Test (OU)
> >   Site 1 (OU)
> >     Groups (OU)
> >       CUSTSERV (OU)
> >
> > My original idea was to create several different small scripts and use the GPM to assign them to various groups. The user would have a login script that would assign him/her to a primary group, for example "TestUser" will have the primary group set to "CUSTSERV":
> >
> > ' USER LOGIN SCRIPT
> > Option Explicit
> > Const ADS_PROPERTY_APPEND = 3
> > Dim objUser, objOU1, objOU2, objOU3, objOU4, objGroup, intPrimaryGroupToken
> >
> > ' Bind to the user object (the DN must match the container the user
> > ' actually lives in).
> > Set objUser = GetObject _
> >     ("LDAP://cn=TestUser,ou=Site 1,dc=mydomain,dc=com")
> >
> > ' Walk the OU hierarchy Test > Site 1 > Groups > CUSTSERV, then bind to
> > ' the group object inside CUSTSERV. An OU has neither a member attribute
> > ' nor a primaryGroupToken, so binding to the OU itself will not work.
> > Set objOU1 = GetObject("LDAP://ou=Test,dc=mydomain,dc=com")
> > Set objOU2 = objOU1.GetObject("organizationalUnit", "ou=Site 1")
> > Set objOU3 = objOU2.GetObject("organizationalUnit", "ou=Groups")
> > Set objOU4 = objOU3.GetObject("organizationalUnit", "ou=CUSTSERV")
> > Set objGroup = objOU4.GetObject("group", "cn=Customer Service")
> >
> > ' primaryGroupToken is a constructed attribute and must be requested
> > ' explicitly with GetInfoEx before it can be read.
> > objGroup.GetInfoEx Array("primaryGroupToken"), 0
> > intPrimaryGroupToken = objGroup.Get("primaryGroupToken")
> >
> > ' A user must already be a member of a group before it can be made the
> > ' primary group, so append the user's full DN to the member attribute.
> > objGroup.PutEx ADS_PROPERTY_APPEND, _
> >     "member", Array(objUser.Get("distinguishedName"))
> > objGroup.SetInfo
> >
> > objUser.Put "primaryGroupID", intPrimaryGroupToken
> > objUser.SetInfo
> > ' Note: these writes need modify rights on the group and on the user,
> > ' which a logon script running as an ordinary user does not have.
> >
> >
> > Then because they are a member of the group "Customer Service" which is contained in the OU CUSTSERV, the logon script assigned to that OU via GPM would process their mapped drive to G:
> >
> > ' GROUP LOGIN SCRIPT
> > Dim WshNetwork
> > On Error Resume Next
> > Set WshNetwork = WScript.CreateObject("WScript.Network")
> > ' Drop any existing G: mapping (force = 0, update profile = True),
> > ' then map the share.
> > WshNetwork.RemoveNetworkDrive "G:", 0, True
> > WshNetwork.MapNetworkDrive "G:", "\\root\CUSTSERV"
> >
> > The issue I am running into is that I have some users that belong to multiple groups, and what I want to do is add something to the above script that verifies the user's primary group, and if it's not, then the drive is mapped to the next open drive letter in sequence.
> >
> > i.e.
> >
> > If J: is mapped then map K: to \\root\CUSTSERV
> > If K: is mapped then map L: to \\root\CUSTSERV
> > If L: is mapped then map M: to \\root\CUSTSERV
> > and so on.
> >
> > My guess is that I would need to define the following:
> >
> > intPrimaryGroupID = objUser.Get("primaryGroupID")
> >
> > and then test against the value of "intPrimaryGroupID" to determine if G: gets mapped or some other drive letter.
> >
> > I would appreciate any suggestions as to how I could re-write the above script.
> >
> > Thanks
> >
>
>
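The following is an added example, not code from this thread, from Richard Mueller's site or from Clarence Washington's site. It shows one logon script that does the two things the thread circles around: it reads the user's full security-group set from the constructed tokenGroups attribute (which includes nested groups and the "primary" group that memberOf omits, so no primaryGroupID handling is needed), and it maps each matching share to a preferred drive letter, falling back to the next free letter in sequence when that letter is already taken (J: in use, so K:, then L:, and so on). The group names, share paths and letters in arrShares are hypothetical; ADSystemInfo, tokenGroups and the LDAP://<SID=...> binding form are standard ADSI.

```vbscript
' Added example (not from the thread): map drives by group membership, with
' fallback to the next free letter when the preferred one is already in use.
Option Explicit

Dim objSysInfo, objUser, objNetwork, objFSO, dictGroups
Dim arrShares, strEntry, arrParts

Set objNetwork = CreateObject("WScript.Network")
Set objFSO     = CreateObject("Scripting.FileSystemObject")

' Order matters: an earlier entry that takes G: pushes a later entry with the
' same preferred letter to the next free one.
' Format: "group sAMAccountName|preferred letter|UNC path" (hypothetical values).
arrShares = Array( _
    "Site 1 Users|G|\\root\SITE1", _
    "Customer Service|G|\\root\CUSTSERV", _
    "Accounting|J|\\root\ACCT")

' ADSystemInfo returns the DN of the logged-on user, so no cn=...,ou=... path
' has to be hard-coded in the script.
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

Set dictGroups = GetTokenGroupNames(objUser)

For Each strEntry In arrShares
    arrParts = Split(strEntry, "|")
    If dictGroups.Exists(arrParts(0)) Then
        MapShare arrParts(1), arrParts(2)
    End If
Next

' Returns a Dictionary keyed (case-insensitively) by the sAMAccountName of
' every security group in the user's tokenGroups attribute. tokenGroups lists
' nested groups and the primary group, which memberOf does not.
Function GetTokenGroupNames(objADUser)
    Dim dict, arrSids, bytSid, objGroup
    Set dict = CreateObject("Scripting.Dictionary")
    dict.CompareMode = vbTextCompare
    ' tokenGroups is a constructed attribute: it must be requested explicitly.
    objADUser.GetInfoEx Array("tokenGroups"), 0
    arrSids = objADUser.GetEx("tokenGroups")
    For Each bytSid In arrSids
        ' Bind to the group by SID in hex form; skip SIDs that do not resolve
        ' to an object in this domain.
        On Error Resume Next
        Set objGroup = GetObject("LDAP://<SID=" & OctetToHexStr(bytSid) & ">")
        If Err.Number = 0 Then dict.Item(objGroup.Get("sAMAccountName")) = True
        On Error GoTo 0
    Next
    Set GetTokenGroupNames = dict
End Function

' Converts a binary SID (byte array) to the hex string ADSI expects.
Function OctetToHexStr(arrbytOctet)
    Dim k
    OctetToHexStr = ""
    For k = 1 To LenB(arrbytOctet)
        OctetToHexStr = OctetToHexStr & _
            Right("0" & Hex(AscB(MidB(arrbytOctet, k, 1))), 2)
    Next
End Function

' Maps strUNC to strPreferred if that letter is free, otherwise to the next
' free letter after it. A share that is already mapped is left alone, so the
' script can run at every logon without using up more letters.
Sub MapShare(strPreferred, strUNC)
    Dim colDrives, i, strLetter
    Set colDrives = objNetwork.EnumNetworkDrives
    For i = 0 To colDrives.Count - 2 Step 2
        If StrComp(colDrives.Item(i + 1), strUNC, vbTextCompare) = 0 Then Exit Sub
    Next
    strLetter = NextFreeLetter(strPreferred)
    If strLetter = "" Then
        WScript.Echo "No free drive letter for " & strUNC
        Exit Sub
    End If
    ' Non-persistent mapping (the default), so stale letters do not build up
    ' in the profile across logons.
    objNetwork.MapNetworkDrive strLetter & ":", strUNC
End Sub

' Returns the first letter from strStart to Z with no local, removable or
' network drive on it, or "" if every letter is taken.
Function NextFreeLetter(strStart)
    Dim intCode
    NextFreeLetter = ""
    For intCode = Asc(UCase(strStart)) To Asc("Z")
        If Not objFSO.DriveExists(Chr(intCode) & ":") Then
            NextFreeLetter = Chr(intCode)
            Exit Function
        End If
    Next
End Function
```

Assign the script once, through Group Policy on the site OU, rather than one script per department OU: the user's group set decides what gets mapped, so a user in both "Site 1 Users" and "Customer Service" ends up with G: for the site share and H: for CUSTSERV without any primaryGroupID changes, and the script never needs write access to group objects.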