Group login scripts: How?


Robert

How can I set up a login (logon) script for an Active
Directory group so that the members are set up properly?


Thanks...
 
Robert said:
How can I set up a login (logon) script for an Active
Directory group so that the members are set up properly?

If you mean take action "based on membership in some group"
then you can use something like "ifmember.exe" from the Resource
Kit tools. (Some of these are free on the MS website.)

If you mean "assign a script directly" to a group, then you can't;
you must play some trick like IfMember (above.)

GPOs, and by extension logon/logoff; startup/shutdown scripts, are
linked to "AD Containers" (Sites, Domains, OUs.)
 
To have login script settings apply to different users based on group
membership, there are two ways you can go:

[1] Create multiple GPOs with a different login script in each. Then filter
the ACL of the GPO and grant "Read" and "Apply Group Policy" to -only- the
group in question:

Filter the scope of Group Policy according to security group membership
http://www.microsoft.com/resources/...erv/2003/enterprise/proddocs/en-us/Filter.asp

[2] Create a single login script in a single GPO and use something like
KiXtart or command-line utilities like ifmember.exe (Resource Kit) or
memberof.exe (www.joeware.net, in the Win32
C# downloads section) to do something like:

(Pseudocode only, this will not work syntactically):

If (memberof Accounting=true) {
copy "accountingapp.lnk" c:\documents and settings\%username%\desktop
}

Either one will work; which one you choose will depend on your environment -
replication, bandwidth, processing power of your clients, etc. (Whether you
want your clients processing multiple small GPOs or one single bigger one.)
 
Has this gotten better in Server 2003? I come from a large
Novell background and group scripts are common... I
believe that practically anything in an NDS tree can have
a script associated with it. It makes maintenance a bitch
sometimes, but it's also very powerful. Plus the 'if
member' functionality is built in to the client. You need
no other add-ons.

Perhaps mentioning this is taboo, but since all of our
clients are in various stages of dumping Novell, it
shouldn't cause too many problems.

I've looked at Kixtart and found it to be cryptic and it
looked scary to implement...

Thanks for the info.

I guess what I need to ask, to put this in context, is I
have a group that needs access to a directory on the
server. I want to map it in the login script since people
sometimes move to other machines. What is the 'best' way
to selectively map the drive based on the user group
membership. I've tried just giving a group security to
access the drive and assign people to that group, but some
people get the 'dead map' that they can't access 'cause
they aren't in the group... They complain about the dead
map showing up. So I need to selectively map based on group
or security. Is there a batch file way to check for rights
on a dir so that I could test for it and map if the user
has rights? What I don't want is several copies of a
loginscript for the various groups...

Thanks...

-----Original Message-----
To have login script settings apply to different users based on group
membership, there are two ways you can go:

[1] Create multiple GPOs with a different login script in each. Then filter
the ACL of the GPO and grant "Read" and "Apply Group Policy" to -only- the
group in question:

Filter the scope of Group Policy according to security group membership
http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Filter.asp

[2] Create a single login script in a single GPO and use something like
KiXtart or command-line utilities like ifmember.exe (Resource Kit) or
memberof.exe (www.joeware.net, in the Win32
C# downloads section) to do something like:

(Pseudocode only, this will not work syntactically):

If (memberof Accounting=true) {
copy "accountingapp.lnk" c:\documents and settings\%username%\desktop
}

Either one will work; which one you choose will depend on your environment -
replication, bandwidth, processing power of your clients, etc. (Whether you
want your clients processing multiple small GPOs or one single bigger one.)
--
******************************
Laura E. Hunter - MCSE, MCT, MVP
Replies to newsgroup only


How can I set up a login (logon) script for an Active
Directory group so that the members are set up properly?


Thanks...


 
Robert said:
Plus the 'if member' functionality is built in to the client. You need
no other add-ons.

Yeah, that's what the "Multiple GPO/Filter ACLs on GPO" thing is really all
about. And just like in NDS (I'm an ex-Novell person, it's okay. :-) ),
it's very powerful and flexible, but you really really want to have
everything well-documented and planned or you'll wind up with a big
confusing mess on your hands. (If you've inherited such a mess, Google for
"gpresult.exe" and "Resultant Set of Policies", two built-in 2K3 utilities
that will be your best friends.)

Robert said:
Is there a batch file way to check for rights
on a dir so that I could test for it and map if the user
has rights? What I don't want is several copies of a
loginscript for the various groups...

Based on that last requirement, it sounds like you want to do a single login
script with a bunch of "ifmember" logic. If you go the multiple-GPO route,
you'll be creating a separate login script for each security group.

HTH
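
The single-script approach from option [2] and the "ifmember logic" suggested in the reply above, written out as an added example that is not part of the original posts: one logon script that clears stale mappings, maps a drive only for members of the matching group, and checks that the share is actually readable before mapping. The domain CORP, the server FILESRV01, the group names, drive letters and log file name are hypothetical, and it assumes ifmember.exe has been copied next to the script in NETLOGON.

```batch
@echo off
rem Added example: a single logon script with per-group drive mappings.
rem CORP, FILESRV01, the groups and drive letters below are hypothetical.
rem Assumes ifmember.exe (Resource Kit) sits beside this script in NETLOGON.
setlocal
set IFMEMBER="%~dp0ifmember.exe"

call :MapIfMember "CORP\Accounting"  S: \\FILESRV01\Accounting
call :MapIfMember "CORP\Engineering" T: \\FILESRV01\Engineering

endlocal
goto :eof

:MapIfMember
rem %1 = group name, %2 = drive letter, %3 = UNC path of the share

rem Drop any leftover mapping first so a user who has left the group
rem (or moved to a machine with an old persistent map) sees no dead drive.
net use %2 /delete /y >nul 2>&1

rem ifmember sets ERRORLEVEL to the number of listed groups the user is in,
rem so 0 means "not a member": skip the mapping entirely.
%IFMEMBER% %1
if not errorlevel 1 goto :eof

rem Membership alone is not access. Confirm the share and NTFS permissions
rem really allow a directory listing before the drive is mapped.
dir %3 >nul 2>&1
if errorlevel 1 (
    echo %date% %time% %username% is in %~1 but cannot read %3 >> "%TEMP%\logon-map.log"
    goto :eof
)

rem /persistent:no keeps the mapping from being restored at the next logon
rem without passing through the membership check above.
net use %2 %3 /persistent:no >nul
goto :eof
```

The mapping is only a convenience: access is still enforced by the share and NTFS permissions granted to the group, so removing someone from the group is what revokes access. ifmember reads the groups in the current logon token, so a membership change takes effect at the user's next logon.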
 