#181737 - 2007-10-17 11:15 PM
Mapping drives using remote credentials
Godkarmachine
Fresh Scripter
Registered: 2007-10-17
Posts: 5
Hi, noob here with what will probably be a noobish question:
I'm writing a login script for an environment that has some domain users and some local users. Part of the script maps drives from our file server; the local users have matching local accounts set up on the file server end, with the same user name and password; thus, they can impersonate this account and gain access to their file shares.
The problem comes when using the login script to map these shares. Right now, I am checking the server group membership with ingroup(\\servername\groupname). This works for the domain accounts, but oddly enough, it doesn't work at all for the local accounts; it seems like the ingroup command doesn't support the impersonation.
Any ideas how I can make sure that the local users can still log into their network shares?
#181739 - 2007-10-17 11:50 PM
Re: Mapping drives using remote credentials
[Re: Witto]
|
Godkarmachine
It's a member of the domain; however, several of the workstations accessing it aren't, which is the reason for the local accounts.
#181769 - 2007-10-18 08:50 PM
Re: Mapping drives using remote credentials
[Re: Sealeopard]
|
Godkarmachine
Assume username/password is the same for the server account as for the workstation account; is there then a way to implement this?
#181786 - 2007-10-19 06:29 PM
Re: Mapping drives using remote credentials
[Re: Witto]
|
Godkarmachine
Thanks for that; however, that's not really the part I'm having a problem with.
Let me try to simplify things a bit:
Let's say I've got a user, Bob. He's got a local account on his workstation, \\WKSTA1\Bob, and a server account, \\SERVER1\Bob. There's also a group on the server, \\SERVER1\Supervisors, that has a special shared folder that holds files Bob needs to do his job.
Now, if I were checking for local group memberships for Bob, I could just use ingroup() in an IF statement. However, what I want to check is actually the group memberships for the server account. I've tried this:
    If InGroup("\\SERVER1\Supervisors")
        Use S: "\\SERVER1\Supv Share"
    EndIf
The problem is, the if never seems to trigger (I suspect because we're technically talking about 2 separate accounts, and the ingroup() command doesn't support the impersonation). I've tested this without the if, and it mounts the drive, which just supports my theory.
Anybody got any other ideas?
#181805 - 2007-10-21 09:37 AM
Re: Mapping drives using remote credentials
[Re: Sealeopard]
|
Witto
MM club member
Registered: 2004-09-29
Posts: 1828
Loc: Belgium
I thought the only things a user needs to provide are:
If these match, access is granted. I don't think there is a security hole. I think it is just about the way the system is (ab)used by users and administrators. I think we should just stop creating local user accounts (OK, maybe one alternate local Admin with password only known by the IT Admin team). If users need to log on disconnected from the domain, I see (almost) no problem using the cached user profile. Maybe it would be better to tell why a user or an administrator thinks he needs a local user and evaluate if it can be done with a domain user.
What I don't know is if the InGroup() will work. But I think one should use a domain user ID to evaluate membership of domain groups! That logon script should only run if using a domain user name and if connected to the domain. And AFAIK that is just the way the legacy logon script and the GPO Startup/Shutdown Logon/Logoff scripts work.