December 10th, 2004

How Can I Map Drives Based on Membership in a Group?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I map drives in a logon script based on a security group each user belongs to?

— RO


Hey, RO. Considering the fact that this question has been asked by approximately 3,755,392 of our readers – oops, there’s another one; make that 3,755,393 of our readers – we decided it might be a good idea for us to answer it. So here goes.

There are two issues here. First, you need to determine which groups a user belongs to; second, you need to map a drive based on the user’s membership in a particular group. Because there are two issues to deal with, let’s take our usual tack and show you how to do step 1, show you how to do step 2, and then bring them both together for a grand finale that actually performs the task in question.

For starters, you need to determine which groups the user belongs to; before you can actually do that however, you need to determine who the user is in the first place. Because you’re running this as a logon script, that’s actually pretty easy: you can use the ADSystemInfo object to determine the distinguished name of the user who just logged on:

Set objSysInfo = CreateObject("ADSystemInfo")
Wscript.Echo objSysInfo.UserName

Why do we want the distinguished name as opposed to, say, the user’s logon name? Well, the distinguished name (which looks like CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com) gives us a nearly-complete path to the user’s Active Directory user account; in fact, all we have to do is tack LDAP:// to the front and we’re on our way. A logon name like kmyer isn’t nearly as useful; if that’s all we have, we’d have to do an Active Directory search to determine the ADsPath for this account. Starting off with the distinguished name lets us bypass all those steps.

As soon as we tack on LDAP:// and construct an ADsPath we then bind to the user account in Active Directory and report back the groups the user belongs to; this can be done simply by enumerating the values in the MemberOf attribute. Thus:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    Wscript.Echo objGroup.CN
Next

Note that what we do here is construct an ADsPath for the group using this line of code:

strGroupPath = "LDAP://" & strGroup

We then bind to the group itself and echo the value of the CN. Why? Well, the MemberOf attribute returns the distinguished name of each group the user belongs to; thus you get names like CN=Finance Users, OU=Finance, DC=fabrikam, DC=com. That’s OK, but we’d rather just have a group name (i.e., a CN) like Finance Users. So we go ahead and bind to the group and grab the CN.

As for step 2, mapping a network drive, that’s pretty easy; this code maps drive X to the share \\atl-fs-01\finance:

Set objNetwork = CreateObject("Wscript.Network")
objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\finance"

All we have to do is create an instance of the WSH Network object, then call the MapNetworkDrive method, passing the method two parameters: the drive letter, and the file share we want to map to.

So here – at last! – is a script that determines the groups a user belongs to, and then maps drive X to the appropriate network share based on group membership. To do this, we return a list of all the groups, and then use a Select Case statement to see if the user belongs to one of our target groups. For example, this code checks to see if the user belongs to the Finance Users group; if he or she does, then the script maps drive X to the share \\atl-fs-01\finance:

Case "Finance Users"
        objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\finance"

Here’s the finished script:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN

    Select Case strGroupName
        Case "Finance Users"
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\finance"

        Case "Human Resource Users"
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\hr"

        Case "Manufacturing Users"
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\manufacturing"

        Case "Shipping and Receiving Users"
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\shipping"
    End Select
Next

A couple of caveats regarding this script. First, the script assumes users belong to only one of the groups in question. Suppose a user belongs to both Manufacturing Users and Shipping and Receiving Users. In that case, drive X will be mapped to \\atl-fs-01\manufacturing, but an error will occur when the script tries to map drive X to \\atl-fs-01\shipping; that error occurs because the drive is already in use. If your users might belong to multiple groups, you’ll have to account for that, perhaps by allowing for multiple drive mappings (for example, map drive X and then, if drive X is taken, map the drive for the next group to drive Y). We’ll save that lesson for another day.

In addition, this script assumes that users are listed by name in the security groups. However, what if user Ken Myer happens to be a member of the Accounting Group, and the group (not the individual user) is a member of Finance Users? In that case, the drive will not be mapped properly, because this script cannot account for nested groups (groups inside of groups). That’s a more complicated script, and something we’ll show you how to do in the near future.
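
Both caveats handled in one script, as an added example that is not part of the original column: it walks memberOf recursively so nested groups count, and gives each matching group the next free drive letter. CollectGroups, NextFreeLetter and the X:/Y:/Z: letter pool are hypothetical names and choices made for this example; the group names and shares are the ones used above.

```vbscript
Option Explicit
Dim objSysInfo, objNetwork, objFSO, dictFound, dictShares, strDN, strCN, strLetter

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set dictFound = CreateObject("Scripting.Dictionary")    ' group DN -> group CN
Set dictShares = CreateObject("Scripting.Dictionary")   ' group CN -> share (from the article)
dictShares.CompareMode = vbTextCompare
dictShares.Add "Finance Users", "\\atl-fs-01\finance"
dictShares.Add "Human Resource Users", "\\atl-fs-01\hr"
dictShares.Add "Manufacturing Users", "\\atl-fs-01\manufacturing"
dictShares.Add "Shipping and Receiving Users", "\\atl-fs-01\shipping"

CollectGroups GetObject("LDAP://" & objSysInfo.UserName), dictFound

For Each strDN In dictFound.Keys
    strCN = dictFound(strDN)
    If dictShares.Exists(strCN) Then
        strLetter = NextFreeLetter()
        If strLetter <> "" Then objNetwork.MapNetworkDrive strLetter, dictShares(strCN)
    End If
Next

' Records every group objItem belongs to, directly or through nesting.
Sub CollectGroups(objItem, dictGroups)
    Dim arrParents, strParent, objGroup
    On Error Resume Next
    ' GetEx returns an array even for one value and raises an error when memberOf is empty.
    arrParents = objItem.GetEx("memberOf")
    If Err.Number <> 0 Then Exit Sub
    On Error GoTo 0
    For Each strParent In arrParents
        If Not dictGroups.Exists(LCase(strParent)) Then   ' skip groups already visited
            Set objGroup = GetObject("LDAP://" & strParent)
            dictGroups.Add LCase(strParent), objGroup.CN
            CollectGroups objGroup, dictGroups
        End If
    Next
End Sub

' Hypothetical helper: first unused letter from X:, Y:, Z:, or "" if none is free.
Function NextFreeLetter()
    Dim strCandidate
    NextFreeLetter = ""
    For Each strCandidate In Array("X:", "Y:", "Z:")
        If Not objFSO.DriveExists(strCandidate) Then NextFreeLetter = strCandidate : Exit Function
    Next
End Function
```

Error suppression is limited to the memberOf read, so a share that cannot be mapped stops the script with a visible error instead of failing silently. A user in more matching groups than there are letters in the pool gets only the first three mappings.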

