I need help with a logon script


Richard

We have just gone AD in our district and all of our F and P and Proxy
servers are Windows 2000 server. However, while all of our new
workstations are Windows 2000 or XP, we still have many Win 98 and
even Win95 workstations. I would like a logon script that would do
the following:
If %username% is member of "studentgroup" then (here set
SERVERNAME\studentsDIR\%username% as home directory) and also set that
user and admins ONLY to full access.

Is this doable? If so, how?

Richard
 
Richard said:
We have just gone AD in our district and all of our F and P and Proxy
servers are Windows 2000 server. However, while all of our new
workstations are Windows 2000 or XP, we still have many Win 98 and
even Win95 workstations. I would like a logon script that would do
the following:
If %username% is member of "studentgroup" then (here set
SERVERNAME\studentsDIR\%username% as home directory) and also set that
user and admins ONLY to full access.

Is this doable? If so, how?

Richard

Please be a little more specific in your post and state
what your actual question is. Is it:
- How to detect the current OS?
- How to deal with group membership?
- How to set a home directory?
- How to set access permissions?
- Why you would want to set access permissions in
your logon script rather than setting them permanently?
 
Sorry! See below:
Please be a little more specific in your post and state
what your actual question is. Is it:
- How to detect the current OS? NO
- How to deal with group membership? NO
- How to set a home directory? YES
- How to set access permissions? NO
- Why you would want to set access permissions in
your logon script rather than setting them permanently?
Because we have over 800 users so if I have to manually create a
directory for each user and set access permissions then with student
and employee turnover I would be forever busy with this task alone.

So, basically I want a script that will:

1. recognize a user by his/her 8 letter logon name and group
(teachers are already a member of a teacher group and students a
member of a student group)
2. set that user's home directory to the correct server and
subdirectory based on their name and usergroup and CREATE a directory
within the subdirectory using the 8 letter logon name if it does not
already exist
3. set permissions so that user and the admin only have rights to that
directory

Example:

logon: jdoe
jdoe belongs to bces_teacher group
jdoe must have a home directory assigned to E041XXX\TEACHERS\JDOE
This would allow jdoe to save his files to the same server\directory
wherever he logged on

I hope that was a bit more clear.

Richard
 
Pegasus (MVP) said:
(SNIP)

I can't help thinking that you're doing things back to front.
Here is why:

- Access permissions must be set by a higher authority than
the user who currently logs on. If you set such permissions
at logon time then you have to embed the details of a suitable
admin account/password into the logon script - which is a gross
breach of security. Your students would have a field day
exploiting this security hole.

- The Home Directory is part of each user's profile. To set it
at logon time again implies that the logon script assumes
an authority that is inappropriate for the current user.

The last time I set up a server for a school, I included all
these details in the account creation script. Here is what the
script did:

- Create the user account
- Set group membership
- Create the home directory
- Set the home directory
- Set all required NTFS permissions
- Create the MS Exchange account

The process was fully automated. School administration would
supply a list of the following form:

FirstName Surname Student/Teacher

which an automatic process would massage to this form:

AccountName FirstName Surname Student/Teacher

My batch file would then grab one entry after the other and
would create the appropriate account. It did not matter if
there were 100 or 800 students.

In summary, I recommend that you do not try to use
(or abuse) the logon script for tasks that it was never
intended for.

Sorry about the long delay, but we have been extremely busy with AD
and school startup issues. It sounds as if your script may be exactly
what I am looking for. May I see a copy?

Richard
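
The account-creation approach described in the quoted post, sketched as an added example (this is not Pegasus's batch file and not code from the thread): an administrator runs it once per list, so no admin credentials ever sit in a logon script. It assumes the RSAT ActiveDirectory module and `icacls`; the domain name `EXAMPLE`, the `H:` drive letter and the sample rows are placeholders, and the Exchange step is left out.

```powershell
# Added example: run by an administrator at account-creation time, never as a logon script.
# Assumes the ActiveDirectory module (RSAT). $Domain and the H: drive letter are placeholders.
Import-Module ActiveDirectory
$ErrorActionPreference = 'Stop'           # halt before touching ACLs if account creation fails

$Domain = 'EXAMPLE'                       # placeholder NetBIOS domain name
$Roles  = @{                              # role -> group and share root (names taken from the thread)
    Teacher = @{ Group = 'bces_teacher'; Root = '\\E041XXX\TEACHERS' }
    Student = @{ Group = 'studentgroup'; Root = '\\SERVERNAME\studentsDIR' }
}

# Constructed sample list in the form: AccountName FirstName Surname Student/Teacher
$List = @'
jdoe John Doe Teacher
asmith Anna Smith Student
'@

# One initial password, typed by the admin at run time; it is never stored in the script.
$InitialPassword = Read-Host -AsSecureString 'Initial password for new accounts'

foreach ($line in ($List -split "`r?`n")) {
    $parts = $line.Trim() -split '\s+'
    # Reject entries whose account name could escape the share root, or whose role is unknown.
    if ($parts.Count -ne 4 -or $parts[0] -notmatch '^[A-Za-z0-9]{1,8}$' -or
        -not $Roles.ContainsKey($parts[3])) {
        Write-Warning "Skipping malformed entry: $line"
        continue
    }
    $account, $first, $last, $role = $parts
    $cfg     = $Roles[$role]
    $homeDir = "$($cfg.Root)\$($account.ToUpper())"

    # Create the account with its home directory already set, then add it to the role group.
    New-ADUser -Name "$first $last" -SamAccountName $account -GivenName $first -Surname $last `
        -AccountPassword $InitialPassword -ChangePasswordAtLogon $true -Enabled $true `
        -HomeDrive 'H:' -HomeDirectory $homeDir
    Add-ADGroupMember -Identity $cfg.Group -Members $account

    # Create the folder, drop inherited ACEs, and grant full control to the user and admins only.
    New-Item -ItemType Directory -Path $homeDir -Force | Out-Null
    icacls $homeDir /inheritance:r /grant:r "${Domain}\${account}:(OI)(CI)F" `
        'BUILTIN\Administrators:(OI)(CI)F' | Out-Null
}
```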
 