Re: Drive Mapping Script Based on Group Membership Fails Due to LD
- From: Nicholas Whitesel <nicholas.whitesel@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Mar 2007 08:22:05 -0700
Sorry, I should have made that clear. Line 9 is identical to line 9 from the
stock script from the link I posted on my original thread post. The first 9
lines read:
1>'On Error Resume Next
2>
3>Set objSysInfo = CreateObject("ADSystemInfo")
4>Set objNetwork = CreateObject("Wscript.Network")
5>
6>strUserPath = "LDAP://" & objSysInfo.UserName
7>Set objUser = GetObject(strUserPath)
8>
9>For Each strGroup in objUser.MemberOf
At one point I thought it was a simple syntax error, but I ran a
wscript.echo line that returned the strUserPath object (worked on all three
accounts) and there is no syntax error that I see.
I also ran a wscript.echo that returned objUser.CN. Again, this worked for
my Domain Admins user but not for the other two. I think there must either
be a syntax error (resulting from the returned user DN) when I pass the
strUserPath variable into the GetObject function OR a permission problem that
is not allowing the GetObject function to be executed with limited
credentials... Any thoughts?
--
Nicholas Whitesel
MIS Support / Help Desk
"Paul Bergson [MVP-DS]" wrote:
Ok so what is line 9? Is the script small enough that you can post it?
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Nicholas Whitesel" <nicholas.whitesel@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:1E239AE6-3B14-4447-872F-6D00621E38D6@xxxxxxxxxxxxxxxx
Ok, I logged on locally and ran the script locally under three scenarios.
The first attempt I logged on locally using my administrator login that is a member of both the Local and Domain Admins group; The script runs to perfection.
For the second scenario, I logged in as a user who is a member of the local administrator group, but only a member of the Domain Users group (not Domain Admins). The outcome resulted in the following error message:
WINDOWS SCRIPT HOST
Script: \\smrserv1\scripts$\MapLocalPublic.vbs
Line: 9
Char: 1
Error: 0x80005000
Code: 80005000
Source: (null)
For the third scenario I logged in under a roaming profile who is a member of the Domain Users group (not Domain Admins). The resulting error code is as follows:
WINDOWS SCRIPT HOST
Script: \\smrserv1\scripts$\MapLocalPublic.vbs
Line: 9
Char: 1
Error: Object not a collection
Code: 800A01C3
Source: Microsoft VBScript runtime error
I also inserted a Wscript.echo line that returned the strUserpath variable and it returned the fully qualified LDAP user path. So my thinking there is that the GetObject command is failing (for some reason), but have so little experience scripting and with active directory, that I have no idea why.
I appreciate all of the time and effort you have put into helping me resolve this.
--
Nicholas Whitesel
MIS Support / Help Desk
"Paul Bergson [MVP-DS]" wrote:
Poor word choice on my part. Log on to the machine and run on the local machine as the domain authenticated user and see if it works.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Nicholas Whitesel" <nicholas.whitesel@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:4AADAB49-59AF-4243-8D6E-1BE29F5709BB@xxxxxxxxxxxxxxxx
The script I am running is located on a network drive with read/execute privileges granted to members of the Domain Users security group.
I am more interested in running the script as a domain user rather than a local user. I have tried running the script using a roaming profile and a local profile (both with non-elevated permissions.) I also tried using the ADSIEDIT.MSC tool to grant list and read privileges to the Domain Users group; however, the only thing that seems to work is adding the user to the Domain Admins security group. I must be missing something...
--
Nicholas Whitesel
MIS Support / Help Desk
"Paul Bergson [MVP-DS]" wrote:
The easiest way to test to see if a script can be run as a local user is once logged on run it locally. I see no special calls in the script you pointed to that require special rights.
Where is the script located that it is failing in the logon script?
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"wheresITat" <wheresITat@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:D2628800-C136-4328-B3AA-DB9AFE0F70C3@xxxxxxxxxxxxxxxx
I recently tried to deploy a logon script using VBScript that uses an LDAP query to gain knowledge about the currently logged on user's group membership. The script then maps drives based on the user's group membership.
The problem I encountered is that when I try running the script as a user who is not a member of the Domain Admins security group, the script fails.
When logged in as an administrator, the script runs to perfection.
What specific security setting can I change to allow members of the Domain Users security group permission to run the script?
Here is the URL of the article containing the script:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/dec04/hey1210.mspx
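
Added example, not part of the thread or of the linked Microsoft script: in VBScript, objUser.MemberOf is only a collection when the user belongs to two or more groups besides the primary group (the primary group, normally Domain Users, is never listed in memberOf), so a For Each over it can raise 800A01C3 "Object not a collection" without any permission being involved. The sketch below normalises the three possible return shapes; GroupsAsArray and Describe are hypothetical helper names, and the DNs are constructed sample values so the script runs with cscript on any machine.

```vbscript
Option Explicit

' Added example: normalise what objUser.MemberOf can return so that a
' For Each loop always receives an array.
'   no memberOf values  -> Empty   (the primary group is not listed)
'   exactly one value   -> String  (For Each raises 800A01C3)
'   two or more values  -> Variant array
Function GroupsAsArray(varMemberOf)
    If IsEmpty(varMemberOf) Or IsNull(varMemberOf) Then
        GroupsAsArray = Array()             ' zero-length array, loop body is skipped
    ElseIf IsArray(varMemberOf) Then
        GroupsAsArray = varMemberOf
    Else
        GroupsAsArray = Array(varMemberOf)  ' wrap the single DN string
    End If
End Function

' Hypothetical helper: report the raw type and the groups found,
' the way a debugging Wscript.Echo would.
Function Describe(varMemberOf)
    Dim strGroup, strOut
    strOut = TypeName(varMemberOf) & " -> " & _
             (UBound(GroupsAsArray(varMemberOf)) + 1) & " group(s)"
    For Each strGroup In GroupsAsArray(varMemberOf)
        strOut = strOut & vbCrLf & "    " & strGroup
    Next
    Describe = strOut
End Function

' Constructed sample values standing in for objUser.MemberOf.
Dim varNone, varOne, varMany
varNone = Empty
varOne = "CN=Accounting,OU=Groups,DC=example,DC=com"
varMany = Array("CN=Domain Admins,CN=Users,DC=example,DC=com", _
                "CN=Accounting,OU=Groups,DC=example,DC=com")

WScript.Echo Describe(varNone)
WScript.Echo Describe(varOne)
WScript.Echo Describe(varMany)
```

In the script quoted above, the same guard would be applied by changing line 9 to loop over GroupsAsArray(objUser.MemberOf) instead of objUser.MemberOf directly.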