Windows Logon Script – Group Membership

VBS Script – Map Drives Based on Group Membership

Here are two VBScripts which will show you how to map a network drive based on group membership.  These are advanced scripts drawing upon multiple VBScript methods, and because there are so many elements involved, I recommend that you build up the script gradually.  In particular, check the names of your groups and the values for the UNC paths referenced in the scripts.


Mission to Map a Network Drive Based on Group Membership.

Scripting for groups is one of my bugbears.  With most LDAP attributes there is only a single value, for example givenName = Guy.  However, because one group object can have many members, the group object must support multiple values.  When dealing with groups, the key LDAP attribute is MemberOf.

The scenario

You want to map network drives based on group membership.  Let us imagine that a group called Managers have their data stored on a different server from a group called Dentists.

We are going to create this script in stages.  Stage one just checks the group membership of the user who is logged on.  Stage two will actually map to different network drives depending on which group the logged-on user belongs to.

Pre-Requisites

You need an Active Directory domain for this VBScript, on either Windows Server 2003 or 2008.

To get the script to work as designed, pay close attention to the group membership.  Please create Global Groups called Dentists and Managers, or better amend the script to reflect your Active Directory groups.

Instructions

  1. Important:  Make sure that the person testing the script is in a group called Managers, or Dentists.  Alternatively, alter dentists on line 11, to a group that you ARE a member of.
  2. Optional: Edit the commented-out lines (those beginning with an apostrophe).  Remember in the scenario, you want the script to map the network drive.  So edit that line to reflect a UNC share on your network.  See more on how to map a network drive with MapNetworkDrive.
  3. Copy and paste the script below into notepad or a script editor such as OnScript.
  4. Save the file with .vbs extension e.g. GroupMap.vbs
  5. Double click and observe the message box.

Stage One – Script to Test Group Membership

' GroupMap.vbs
' VBScript to test group membership
' Script can be amended to actually MapNetworkDrive
' Author Guy Thomas https://computerperformance.co.uk/
' Version 3.3 - May 2010
' ----------------------------------------------------'
Option Explicit
Dim objNetwork, objUser, CurrentUser
Dim strGroup, varMemberOf

' Initialise Groups with Const
Const Dentists_Group = "cn=dentists"
Const Managers_Group = "cn=managers"
Const What_ever_you_Like = "cn=any_lower_case_group"
Const Users_Group = "cn=users"
Const Administrators_Group = "cn=administrators"

' Create objects and extract strGroup values
Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)
' MemberOf is an array for several groups, a string for one group
' and Empty for none; Join only accepts an array
varMemberOf = CurrentUser.MemberOf
If IsArray(varMemberOf) Then varMemberOf = Join(varMemberOf)
strGroup = LCase(varMemberOf & "")

' If logic testing strGroup for the values in Const groups
If InStr(strGroup, LCase(Dentists_Group)) Then
   WScript.Echo "Dentists "
   ' objNetwork.MapNetworkDrive "h:", "\\Server\Users\" _
   ' & objNetwork.UserName

' For a production script remove the WScript.Echo lines
' Activate MapNetworkDrive by removing the apostrophes (' Rem)
ElseIf InStr(strGroup, LCase(Managers_Group)) Then
   WScript.Echo " Manager "
   ' objNetwork.MapNetworkDrive "h:", "\\YourServer\Users\" _
   ' & objNetwork.UserName

ElseIf InStr(strGroup, LCase(Administrators_Group)) Then
   WScript.Echo "Administrator: " & strGroup
   ' objNetwork.MapNetworkDrive "h:", "\\Another Server\Users\" _
   ' & objNetwork.UserName

ElseIf InStr(strGroup, LCase(Users_Group)) Then
   WScript.Echo " Only a User... "
   ' objNetwork.MapNetworkDrive "y:", "\\alan\home\" _
   ' & objNetwork.UserName

End If
WScript.Echo "Finished Testing for Groups "
WScript.Quit

' End of example VBScript.

Learning Points

Note 1: Constants.  This week I have introduced CONST to hold the group information.  Did you edit Dentists, or to be precise dentists?  "cn=dentists" is case sensitive.

Note 2: AdSystemInfo.  Here is a good method of extracting the information from Active Directory.

Note 3: InStr.  This means: in the string value.  InStr is useful for checking if a named value is contained in a much longer string.

Note 4: If…. ElseIf.  Check my ‘If’ statement.  Modify the clauses to suit groups on your network.  For example, if your group is called Human Resources and not Dentists, then amend the script accordingly.

Note 5:  When you are happy with the .Echo message, why not remove the comment mark (') from the objNetwork line and get the MapNetworkDrive method working.  Remember to uncomment the ' & objNetwork line as well.  Here is more help on MapNetworkDrive.

Note 6: I concatenated ‘& strGroup’ to the Administrators group, you may like to add & strGroup to the other groups.  As ever what I want to do is get you started and give you the confidence to experiment for yourself.

Note 7: See more on MemberOf here
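
Added example, not part of the original scripts: the InStr test in Note 3 is a substring match over the whole joined MemberOf string, so "cn=users" also matches any group stored in the Users container and "cn=dentists" also matches a group such as Dentists-Suppliers.  The code below compares only the leading CN of each distinguished name instead; FirstCN, IsMemberOf and the example.com group names are hypothetical, and the sample DNs are constructed.

```vbscript
' Added example (not from the original page): exact, case-insensitive CN matching.
Option Explicit

' FirstCN (hypothetical helper): first RDN value of a DN, "CN=Dentists,CN=Users,..." -> "Dentists".
' A backslash escapes the next character, so "\," does not end the RDN (hex escapes are not decoded).
Function FirstCN(strDN)
   Dim i, ch, strRdn
   strRdn = ""
   i = 1
   Do While i <= Len(strDN)
      ch = Mid(strDN, i, 1)
      If ch = "\" And i < Len(strDN) Then
         i = i + 1
         strRdn = strRdn & Mid(strDN, i, 1)
      ElseIf ch = "," Then
         Exit Do
      Else
         strRdn = strRdn & ch
      End If
      i = i + 1
   Loop
   If UCase(Left(strRdn, 3)) = "CN=" Then strRdn = Mid(strRdn, 4)
   FirstCN = strRdn
End Function

' IsMemberOf (hypothetical helper): varMemberOf may be Empty, a single String or an array of DNs.
Function IsMemberOf(varMemberOf, strGroupCN)
   Dim arrDN, strDN
   IsMemberOf = False
   If IsEmpty(varMemberOf) Then Exit Function
   If IsArray(varMemberOf) Then arrDN = varMemberOf Else arrDN = Array(varMemberOf)
   For Each strDN In arrDN
      If StrComp(FirstCN(strDN), strGroupCN, vbTextCompare) = 0 Then
         IsMemberOf = True
         Exit Function
      End If
   Next
End Function

' Constructed sample DNs; in the logon script pass CurrentUser.MemberOf instead.
Dim arrSample, strJoined
arrSample = Array("CN=Dentists-Suppliers,OU=Groups,DC=example,DC=com", _
                  "CN=Receptionists,CN=Users,DC=example,DC=com")
strJoined = LCase(Join(arrSample))
' Substring test as used in GroupMap.vbs, then the exact CN test on the same data
WScript.Echo "InStr cn=dentists: " & (InStr(strJoined, "cn=dentists") > 0)
WScript.Echo "InStr cn=users:    " & (InStr(strJoined, "cn=users") > 0)
WScript.Echo "Exact Dentists:    " & IsMemberOf(arrSample, "Dentists")
WScript.Echo "Exact Users:       " & IsMemberOf(arrSample, "Users")
WScript.Echo "Single string DN:  " & IsMemberOf("CN=Managers,OU=Groups,DC=example,DC=com", "managers")
```

MemberOf lists direct memberships only, so nested groups and the user's primary group (normally Domain Users) never appear in it.  A mapped drive is a convenience rather than an access control, so the share and NTFS permissions on each server still have to restrict who can read the data.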


Stage Two – Actually map the network drive

The purpose of this script is to actually map a network drive.  The precise path is dependent on the group to which the logged-on user belongs.  For example, if you are an Administrator the script maps to \\grand\home.  What is more, it maps to a subdirectory based on the user's name.  If the user is called guyt then this would be:
\\grand\home\guyt

If this is not clear then I suggest a refresher on MapNetworkDrive.

Pre-requisite

Study the logic of my UNC paths and amend for your network. For example, it's unlikely that your server is called \\grand, therefore replace with \\yourservername.

' GroupMap2.vbs
' VBS Map Drive Based on Group Membership
' Author Guy Thomas https://computerperformance.co.uk/
' Version 3.7 - May 2010
' ----------------------------------------------------'
Option Explicit
Dim objNetwork, objUser, CurrentUser
Dim strGroup, varMemberOf

' Initialise Groups with Const
Const Dentists_Group = "cn=dentists"
Const Managers_Group = "cn=managers"
Const What_ever_you_Like = "cn=any_lower_case_group"
Const Users_Group = "cn=users"
Const Administrators_Group = "cn=AdmiNistrators"

' Create objects and extract strGroup values
Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set CurrentUser = GetObject("LDAP://" & objUser.UserName)
' MemberOf is an array for several groups, a string for one group
' and Empty for none; Join only accepts an array
varMemberOf = CurrentUser.MemberOf
If IsArray(varMemberOf) Then varMemberOf = Join(varMemberOf)
strGroup = LCase(varMemberOf & "")

' If logic testing strGroup for the values in Const groups
If InStr(strGroup, LCase(Dentists_Group)) Then
   ' WScript.Echo "Dentists "
   objNetwork.MapNetworkDrive "h:", "\\Server\Users\" _
   & objNetwork.UserName

' For a production script remove the WScript.Echo lines
' Activate MapNetworkDrive by removing the apostrophes (' Rem)
ElseIf InStr(strGroup, LCase(Managers_Group)) Then
   ' WScript.Echo " Manager "
   objNetwork.MapNetworkDrive "h:", "\\YourServer\Users\" _
   & objNetwork.UserName

ElseIf InStr(strGroup, LCase(Administrators_Group)) Then
   ' WScript.Echo "Administrator: " & strGroup
   objNetwork.MapNetworkDrive "y:", "\\grand\home\" _
   & objNetwork.UserName

ElseIf InStr(strGroup, LCase(Users_Group)) Then
   WScript.Echo " Only a User... "
   objNetwork.MapNetworkDrive "h:", "\\alan\home\" _
   & objNetwork.UserName

End If
WScript.Echo "Finished mapping Groups - check drives "
WScript.Quit

' End of example VBScript.

Learning Points

Note 1:  If you have problems with this script, then double check the names of your groups, also seek out each UNC path and make sure it reflects a server and share on your network.

Note 2:  Each UNC path has _ & objNetwork.UserName appended.  This means that the network share must have a subfolder named after the logged-on user.  If this is not the case, change to plain:
objNetwork.MapNetworkDrive "h:", "\\alan\home"
Observe that I have removed the final backslash from \home".

Summary:  Map Drives Based on Group Membership

The secret of mastering group membership scripts is planning: which groups, which UNC paths.  Once you have your plan, build the script in stages, get each method working, then bolt it all together.
