Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Drive mapping via logon script [message #159465] Thu, 30 July 2009 04:29
Adam
We are running a Windows 2003 native Active Directory domain with two
Windows Server 2003 Ent. Ed. DCs. We have set up GPOs which call logon scripts
from the User Configuration portion of the GPO. The logon scripts are VBS. One of the
scripts is for drive mapping. We have recently noticed that unless a user is
a member of at least 3 groups, the drives will not map. We've run the Group
Policy Results wizard for a test user with no reported errors and all
relevant GPOs are run successfully. No errors are reported in event logs
except for EventID: 3019 MRxSmb errors in System log (which we have always
had). Has anyone else ever run into this problem? It has us flummoxed.
Adam
Re: Drive mapping via logon script [message #159467 is a reply to message #159465] Thu, 30 July 2009 04:40
Jorge Silva
Hi
- 3 security groups, or one of them is the correct one that gives you access
to the share?
- And if you run the script after logon, I mean, logon, disconnect the
drives and manually run the script. Same result?

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services
Re: Drive mapping via logon script [message #159470 is a reply to message #159465] Thu, 30 July 2009 05:05
Meinolf Weber MVP-DS
Hello Adam,

Check the script code for which security groups are used. Also check the GPO security
settings for which users/groups it is set to apply policy to.

For event ID 3019 see:
http://support.microsoft.com/kb/315244

http://www.eventid.net/display.asp?eventid=3019&eventno=149&source=MRxSmb&phase=1

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Re: Drive mapping via logon script [message #159475 is a reply to message #159465] Thu, 30 July 2009 07:13
rlmueller-nospam

The logon script is flawed. For example, one method sometimes used in
VBScript programs is similar to:
=========
Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)

For Each strGroup In objUser.memberOf
    If (InStr(LCase(strGroup), "cn=testgroup") > 0) Then
        ' User is a member of the group "cn=testgroup".
        ' Do something...
    End If
Next
========
But an error is raised on the "For Each" statement unless the user is a
member of at least three groups. The "For Each" statement requires that
objUser.memberOf be an array, which means that the memberOf attribute must
have at least two values. However, the memberOf attribute never includes the
"primary" group of the user (usually the group "Domain Users"), so the user
must be a member of at least three groups to avoid the error. See this link
for details, and suggested alternatives:

http://www.rlmueller.net/MemberOf.htm

Note that if the logon script uses "On Error Resume Next", all errors, such
as the above, are ignored. I recommend never using "On Error Resume Next" in
a logon script. It makes troubleshooting nearly impossible. Hiding problems
is never the fix.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Re: Drive mapping via logon script [message #159477 is a reply to message #159467] Thu, 30 July 2009 07:24
Adam
Hello Jorge, thanks for the swift response. What we've done is to create the
share on a file server for a particular group. We give the group both share
and NTFS permissions for the share and the folder. We add the user to that
group and log the account on. No errors and no drive mapped. We add another
random group to the user and same result. We then add a third random group
and the drive then maps. We also tried this experiment with two groups that
we created just for testing. We start out making sure that the group that has
the permissions for the share is the first group added to the user's account.
We then log the account on and get no drive mapped. We then add the first
test group with same results. We then add the second test group (for a total
of three groups) and the drive maps. The last two groups were not part of
either the share or NTFS permissions on that share.

Re: Drive mapping via logon script [message #159484 is a reply to message #159475] Thu, 30 July 2009 08:30
Adam
Richard,
Here is a sample of our script:

Dim objNetwork, objUser, CurrentUser
Dim strGroup
'Defines a list for the variable values
Const some_group_name = "cn=somegroup"
Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)
strGroup = LCase(Join(CurrentUser.MemberOf))
If InStr(strGroup, some_group_name) Then
    objNetwork.MapNetworkDrive "t:", "\\fileserver\share_name$"
End If

As you can see, we are not using a "For Each" statement so I'm not convinced
it is looking for an array. Bear in mind that I am not a wizard at VBS by any
means.
Thanks,
Adam

Re: Drive mapping via logon script [message #159487 is a reply to message #159484] Thu, 30 July 2009 09:09
rlmueller-nospam
The Join function requires an array. If CurrentUser.memberOf is Empty, that
means the user is a member of just one group (their "primary" group,
which is never included in this attribute). The Join function raises an
error if the parameter is Empty. If the user is a member of one other group
(besides their "primary"), then CurrentUser.memberOf is a String and Join
still raises an error.

The link I included before included this situation (using the Join
function). The solution I suggest in the link would be:
============
Dim objNetwork, objUser, CurrentUser
Dim strGroup, arrGroups
'Defines a list for the variable values
Const some_group_name = "cn=somegroup"

Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)

' memberOf can be Empty (primary group only), a String (one other group)
' or an array (two or more), so check the type before calling Join.
On Error Resume Next
arrGroups = CurrentUser.memberOf
If (Err.Number <> 0) Then
    On Error GoTo 0
    strGroup = ""
Else
    On Error GoTo 0
    If IsArray(arrGroups) Then
        strGroup = LCase(Join(arrGroups))
    ElseIf IsEmpty(arrGroups) Then
        strGroup = ""
    Else
        strGroup = LCase(arrGroups)
    End If
End If

If InStr(strGroup, some_group_name) Then
    objNetwork.MapNetworkDrive "t:", "\\fileserver\share_name$"
End If
=============
Note that I use "On Error Resume Next" just for the statement expected to
possibly raise an error, then I restore normal error handling with "On Error
GoTo 0".

I would also caution that the InStr function can return a positive value
(interpreted as True) even when the user is not a member of the intended
group, if you are not careful. For example, if some_group_name is "sales",
then the membership in any of the following groups will result in True:

cn=Salesmen,ou=West,dc=MyDomain,dc=com
cn=Engineering,ou=Sales,dc=MyDomain,dc=com
cn=West Sales,ou=Engr,dc=MyDomain,dc=com
cn=Sales Training,ou=West,dc=MyDomain,dc=com

You can improve the situation by assigning the value "cn=sales,". Better yet
would be to use the full Distinguished Name of the group. There could be
several groups with Common Name "Sales" as long as they are in different
OUs or containers.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
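
An added example, not part of the original posts and not Richard Mueller's own code: it combines the two points above by normalising memberOf (Empty, String or array) and then comparing full Distinguished Names exactly instead of using InStr. GroupList, IsMemberOfDN and TARGET_DN are hypothetical names, and the inputs are constructed stand-ins for CurrentUser.memberOf so the script runs without a domain.

```vbscript
Option Explicit

' Added example: GroupList and IsMemberOfDN are hypothetical helper names.

' Return memberOf as an array whatever ADSI handed back:
' Empty (primary group only), a String (one group) or an array (two or more).
Function GroupList(varMemberOf)
    If IsArray(varMemberOf) Then
        GroupList = varMemberOf
    ElseIf IsEmpty(varMemberOf) Or IsNull(varMemberOf) Then
        GroupList = Array()
    Else
        GroupList = Array(CStr(varMemberOf))
    End If
End Function

' True only when one value equals the full Distinguished Name.
' The comparison is case-insensitive but never a substring match.
Function IsMemberOfDN(varMemberOf, strGroupDN)
    Dim strDN
    IsMemberOfDN = False
    For Each strDN In GroupList(varMemberOf)
        If StrComp(strDN, strGroupDN, vbTextCompare) = 0 Then
            IsMemberOfDN = True
            Exit Function
        End If
    Next
End Function

' Constructed target group; in a logon script this is the real group's DN.
Const TARGET_DN = "cn=Sales,ou=West,dc=MyDomain,dc=com"

' The four look-alike groups listed in the post above. None is the target.
Dim arrLookalikes
arrLookalikes = Array( _
    "cn=Salesmen,ou=West,dc=MyDomain,dc=com", _
    "cn=Engineering,ou=Sales,dc=MyDomain,dc=com", _
    "cn=West Sales,ou=Engr,dc=MyDomain,dc=com", _
    "cn=Sales Training,ou=West,dc=MyDomain,dc=com")

' The three shapes memberOf can take, plus the substring test for contrast.
WScript.Echo "Empty memberOf, exact DN:     " & IsMemberOfDN(Empty, TARGET_DN)
WScript.Echo "Single String, exact DN:      " & _
    IsMemberOfDN("CN=Sales,OU=West,DC=MyDomain,DC=com", TARGET_DN)
WScript.Echo "Look-alike array, exact DN:   " & IsMemberOfDN(arrLookalikes, TARGET_DN)
WScript.Echo "Look-alike array, InStr test: " & _
    (InStr(LCase(Join(arrLookalikes)), "sales") > 0)
```

Run it with cscript.exe; in a logon script, pass CurrentUser.memberOf as the first argument and map the drive only when IsMemberOfDN returns True.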
