Page 1 of 1 1
Topic Options
#198592 - 2010-05-12 04:51 PM Ingroup() and Vergence Authenticator
John_Fischer Offline
Fresh Scripter

Registered: 2010-05-12
Posts: 10
Loc: Lexington, KY, USA
I am in a pickle and would just love to hear from someone in an AD environment. Here's the predicament:

A generic ID (EDMD, for example) auto-logs into the OS (Win XP) on a domain account. No problem, we do this all the time. This kicks off Vergence which is bio-metric. User swipes card or places fingerprint and system validates them via LDAP (domain\UName) and allows them to log onto the desktop.

Now, keep in mind that EDMD is is the one actively connected to the domain. The user is only at the desktop. The HKCU belongs to EDMD, %username% and other env. variables are set for EDMD.

Vergence will allow me to run a seperate logon script (.BAT file only) for the desktop and can pass it 3 variables: Domain, Username, and Password.

So, EDMD logs on to OS, login script for EDMD runs, GP is set, etc.

User logs on, Vergence run the batch file, batch file calls KiXtart. KiXtart script does my drive mappings for me, since users will be in different groups depending upon function (Admin, Nurse, Doctor, etc...).

Kicker: Ingroup() is working as designed... It checks against all of the groups for EDMD, not the user. What I apparently need to do is get a list of the groups for the current user to check against. I have no idea how to go about this.

BATCH file run by Vergence. Works fine. passes appropriate info.
 Code:
REM MapDrives.bat
@ECHO OFF
CD KIXTART
KIX32 MCGroups.kix /f /i %1 %2 %3


KiXtart script that works normally, but not with Vergence.
 Code:
break on
GLOBAL $Credentials
;DM=Domain  UN=UserName  PW=password
for each $Arg in GetCommandLine(1)
	$Ct = $Ct + 1
 	if $Ct = 4 $DM = $Arg endif
	if $Ct = 5 $UN = $Arg endif
	if $Ct = 6 $PW = $Arg endif
next

$Credentials = $DM + "\" + $UN

;Sample of using Ingroup(). Left more out for brevity
if ingroup("MC\MIG User Group",0)
        use R: /DELETE
        use R: "\\MCTECH\Images" /user:$Credentials /password:$PW
endif

EXIT


A piece of code I found that has SOMETHING to do with this, however, I have been unable to figure out how to get it to give me any type of inumeration of groups for a specific user, then, just to complicate matters, a users ID may be in another container besides "Users".
 Code:
Break On 

$sMCsPath = "LDAP://"+GetObject("LDAP://rootDSE").Get("defaultNamingContext") 
$objDomain = GetObject($sMCsPath) 

For Each $objContainer in $objDomain 
    $objContainer.Name ? 
Next 

Exit 
_________________________
John K. Fischer
University of Kentucky
HealthCare - ITS

Top
#198593 - 2010-05-12 08:00 PM Re: Ingroup() and Vergence Authenticator [Re: John_Fischer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4518
Loc: USA
Welcome to the board John. This was kind of neat and I thought I might be able to figure it out pretty quickly. So try this and see if it fits your needs. You will need to paste the GetUserDN() UDF - http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=188576#Post188576 to the bottom of the script.

 Code:
$user=getuserdn("username")
? $user
if $user
  $objUser=getobject("LDAP://" + $user)
  $Groups = $objUser.GetEx("memberof")
  for each $group in $groups
    $Groupname=GetObject("LDAP://" + $Group).cn
    ? $groupname
    if $groupname="Doctors"
      use x: "\\server\share"
    endif
    if $groupname="Nurses"
      use x: "\\server\share"
    endif
  next
endif




Edited by Allen (2010-05-12 09:28 PM)

Top
#198597 - 2010-05-13 12:02 PM Re: Ingroup() and Vergence Authenticator [Re: Allen]
John_Fischer Offline
Fresh Scripter

Registered: 2010-05-12
Posts: 10
Loc: Lexington, KY, USA
Fantastic! That's the exact piece of code I needed! Here's what I ended up with. I put it all together in about 5 minutes and had it run through Alpha testing in under 10. It goes into a beta group of about 50 PCs later today (after I add a few more mappings in it) then will be deployed to about 9000 PCs in our enterprise. Updating should be a breeze! One file (MCGroups.kix) to modify and allow SCCM to make sure each machine always has the latest version.

Kudos: Basically all I have done here is parse my commandline parameters. Allen already had everything else I needed. I was hoping for a jump-off point to get me started and what he posted completed the job in its entirety. I can't tell you how much I appreciate the help! \:D

Generic ID auto-logs into OS with domain credentials. GP is set, etc...
User logs into desktop with domain credentials (via bio-metrics) and is validated via LDAP.
Vergence Authenticator runs MapDrives.bat:
 Code:
@echo off
set Credentials=%3\%1 %2

REM H: Will be the users home (private) folder
net use H: /delete
net use H: \\hospfilesrv\home\%1 /USER:%Credentials% /HOME /PERSISTENT:YES

REM I: will be the ERCommon folder
net use I: /delete
net use I: \\hospfilesrv\ss2\ed\ercommon /USER:%Credentials% /HOME /PERSISTENT:YES

cd "C:\Program Files\Sentillion\Vergence Authenticator\Kix"
kix32 MCGroups.kix /f %3 %1 %2 /i

This kix off the KiXtart script which does the following;
Get the DESKTOP user ID, Domain, and Password.
Finds the FQDN of the user.
Checks to see what group memberships the user has.
Assigns drives appropriately.

 Code:
;  MCGroups.KIX

break on

GLOBAL $CL
GLOBAL $Credentials

;Make sure no drives are carried over from previous desktop user!
use * /DELETE

for each $Arg in GetCommandLine(1)
	$Ct = $Ct + 1
 	if $Ct = 4 $Dm = $Arg endif
	if $Ct = 5 $UN = $Arg endif
	if $Ct = 6 $PW = $Arg endif
next
$Credentials = $DM + "\" + $UN

;Thanks to Allen from the KiXtart.org forums for
;this code and the function!  He did all the REAL work.
$user=getuserdn($Credentials)
if $user
  $objUser=getobject("LDAP://" + $user)
  $Groups = $objUser.GetEx("memberof")
  for each $group in $groups
    $Groupname=GetObject("LDAP://" + $Group).cn
    if $groupname="MIG User Group"
        use R: /DELETE
        use R: "\\server\volume" /user:$Credentials /password:$PW
    endif
    if $groupname="Local Machine Admin"
        use Z: /DELETE
        use Z: "\\server\volume"  /user:$Credentials /password:$PW
    endif
  next
endif

Function getUserDN(optional $username)
  Dim $objTrans
  if $username=""
    $username=@ldomain + "\"+ @userid
  endif
  if not instr($username,"\")
    $username=@ldomain + "\" + $username
  endif
  $objTrans = CreateObject("NameTranslate")
  if @error
    exit @error
  else
    $objTrans.Init(3, "")
    $objTrans.Set(3,$username)
    $getUserDN = $objTrans.Get(1)
    if @error
      exit @error
    endif
  endif
EndFunction
_________________________
John K. Fischer
University of Kentucky
HealthCare - ITS

Top
#198610 - 2010-05-14 05:23 AM Re: Ingroup() and Vergence Authenticator [Re: John_Fischer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4518
Loc: USA
Glad to hear it helped.

It seemed like this had to have been done before in a UDF, so I searched and it appears that all the group functions are based on the NT provider and not LDAP. With that in mind I went ahead and merged the code into a new UDF called GetADUserGroups() - http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=198609#Post198609

To simplify your code above, it would be
 Code:
for each $groupname in GetADUserGroups($Credentials)
  if $groupname="MIG User Group"
      use R: /DELETE
      use R: "\\server\volume" /user:$Credentials /password:$PW
  endif
  if $groupname="Local Machine Admin"
      use Z: /DELETE
      use Z: "\\server\volume"  /user:$Credentials /password:$PW
  endif
next


Also... curious why you don't use kix for the vast majority of the script. Specifically, I don't see any reason why you have to map your drives in the batch.

Top
#198622 - 2010-05-14 12:49 PM Re: Ingroup() and Vergence Authenticator [Re: Allen]
John_Fischer Offline
Fresh Scripter

Registered: 2010-05-12
Posts: 10
Loc: Lexington, KY, USA
OK, I follow you, I think, but not exactly sure where to place the new code. I placed the UDF at the bottom, and yes, the other drives should be mapped in the KiXtart script (fixed). Can you let me know if I read your instructions correctly?
 Code:
break on

use G: /DELETE
use J: /DELETE
use K: /DELETE
use L: /DELETE
use N: /DELETE
use O: /DELETE
use P: /DELETE
use Q: /DELETE
use R: /DELETE
use V: /DELETE
use W: /DELETE
use X: /DELETE
use Y: /DELETE
use Z: /DELETE

GLOBAL $CL
GLOBAL $Credentials

for each $Arg in GetCommandLine(1)
	$Ct = $Ct + 1
 	if $Ct = 4 $Dm = $Arg endif
	if $Ct = 5 $UN = $Arg endif
	if $Ct = 6 $PW = $Arg endif
next
$Credentials = $DM + "\" + $UN

use H: /DELETE
use H: "\\hospfilesrv\Home\$UN" /user:$Credentials /password:$PW
use I: /DELETE
use I: "\\hospfilesrv\ss2\ed\ercommon" /user:$Credentials /password:$PW

$user=getuserdn($Credentials)

/*
if $user
  $objUser=getobject("LDAP://" + $user)
  $Groups = $objUser.GetEx("memberof")
  for each $group in $groups
    $Groupname=GetObject("LDAP://" + $Group).cn
    if $groupname="edmgt"
        use H: /DELETE
        use H: "\\hospfilesrv\edmgt" /user:$Credentials /password:$PW
    endif
    if $groupname="Local Machine Admin"
        use Y: /DELETE
        use Y: "\\mctech02repo\backup"  /user:$Credentials /password:$PW
        use Z: /DELETE
        use Z: "\\mctech\software"  /user:$Credentials /password:$PW
    endif
  next
endif
*/

for each $groupname in GetADUserGroups($Credentials)
    if $groupname="edmgt"
        use H: /DELETE
        use H: "\\hospfilesrv\edmgt" /user:$Credentials /password:$PW
    endif
    if $groupname="Local Machine Admin"
        use Y: /DELETE
        use Y: "\\mctech02repo\backup"  /user:$Credentials /password:$PW
        use Z: /DELETE
        use Z: "\\mctech\software"  /user:$Credentials /password:$PW
    endif
next

Function getUserDN(optional $username)
  Dim $objTrans
  if $username=""
    $username=@ldomain + "\"+ @userid
  endif
  if not instr($username,"\")
    $username=@ldomain + "\" + $username
  endif
  $objTrans = CreateObject("NameTranslate")
  if @error
    exit @error
  else
    $objTrans.Init(3, "")
    $objTrans.Set(3,$username)
    $getUserDN = $objTrans.Get(1)
    if @error
      exit @error
    endif
  endif
EndFunction

function getADUserGroups(optional $username, optional $mode)
  Dim $objTrans, $objUser, $group, $array[0], $i
  if $username=""
    $username=@ldomain + "\"+ @userid
  endif
  if not instr($username,"\")
    $username=@ldomain + "\" + $username
  endif
  $objTrans = CreateObject("NameTranslate")
  if @error
    exit @error
  else
    $objTrans.Init(3, "")
    $objTrans.Set(3,$username)
    $username = $objTrans.Get(1)
    if @error
      exit @error
    else
      for each $group in getobject("LDAP://" + $username).GetEx("memberof")
        redim preserve $array[$i]
        if $mode=0
          $array[$i]=GetObject("LDAP://" + $Group).cn
        else
          $array[$i]=$group          
        endif
        $i=$i+1
      next
      $getADUserGroups=$array  
    endif
  endif
endfunction
_________________________
John K. Fischer
University of Kentucky
HealthCare - ITS

Top
#198624 - 2010-05-14 03:16 PM Re: Ingroup() and Vergence Authenticator [Re: John_Fischer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4518
Loc: USA
You can remove the line using getuserDN() and the the function itself. It's all tied up in the new UDF now.

You might also consider commenting the two sections of mappings as to why you are doing it the way you are, similar to your first post here. (Glenn will love me for asking for comments ;\) ).

Top
#198626 - 2010-05-14 04:04 PM Re: Ingroup() and Vergence Authenticator [Re: Allen]
John_Fischer Offline
Fresh Scripter

Registered: 2010-05-12
Posts: 10
Loc: Lexington, KY, USA
Allen, I'm about to head out for the weekend and will not have access to a PC, but I'll be back bright and early Monday morning. You've been a tremendous assistance and I really do appreciate it.

Now, here it is in its entirety.

This is the batch file being called by the Vergence Authenticator:
 Code:
@echo off
cd "C:\Program Files\Sentillion\Vergence Authenticator\Kix"
START /W /B kix32 MCGroups.kix /f %3 %1 %2 /i

As you can see, all drive mappings are going to be placed in the KiXtart script, which follows, along with my current internal comments.
 Code:
;  MCGroups.KIX

/*Hmmm.   Might be able to "use * /DELETE" here. Need to check with E.D. Mgt. Team*/
use G: /DELETE
use J: /DELETE
use K: /DELETE
use L: /DELETE
use N: /DELETE
use O: /DELETE
use P: /DELETE
use Q: /DELETE
use R: /DELETE
use V: /DELETE
use W: /DELETE
use X: /DELETE
use Y: /DELETE
use Z: /DELETE

/* I don't think these are needed now*/
GLOBAL $CL
GLOBAL $Credentials

/* Lets parse the CommandLine and make it more friendly*/
for each $Arg in GetCommandLine(1)
	$Ct = $Ct + 1
 	if $Ct = 4 $Dm = $Arg endif
	if $Ct = 5 $UN = $Arg endif
	if $Ct = 6 $PW = $Arg endif
next
$Credentials = $DM + "\" + $UN

/* ALL users in the E.D. should have these drives*/
use I: /DELETE
use I: "\\hospfilesrv\ss2\ed\ercommon" /user:$Credentials /password:$PW
use H: /DELETE
use H: "\\hospfilesrv\Home\$UN" /user:$Credentials /password:$PW


/*
; Per C.A.B.
; This section to be implemented for a redirection if it has not been done already
; Still needs testing.  If it requires a restart or re-logon to take affect then
; we may need another solution.  Will alpha in isolated ESIS Domain.
; Oh, and the test is generic.  Will send through ESIS/Server for input.
; Also need to test and see if "HKCU" = "HKEY_CURRENT_USER" in KiXtart
; "File.txt" is merely a token.  Be better served to see what the key
;   currently says and change only if needed.

IF NOT EXIST ("H:\")
   $Text = "No Home Folder found." + @CRLF
   $Text = $Text + "Call us at 323-8586 and get one on server:" + @CRLF
   $Text = $Text + "\\hospfilesrv\home"
   MESSAGEBOX ($Text, "Home Folder Missing", 4160, 300)
   ELSE
      IF NOT EXIST ("H:\File.txt")
         COPY  "File.txt" "H:\" /h /r
         $Val1 = [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
         $Val2 = [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
         WRITEVALUE ("$Val1", "Personal", "H:\\", "REG_EXPAND_SZ")
         WRITEVALUE ("$Val1", "My Pictures", "H:\\My Pictures", "REG_EXPAND_SZ")
         WRITEVALUE ("$Val1", "My Music", "H:\\My Music", "REG_EXPAND_SZ")
         WRITEVALUE ("$Val1", "My Videos", "H:\\My Videos", "REG_EXPAND_SZ")
         WRITEVALUE ("$Val2", "Personal", "H:\\", "REG_EXPAND_SZ")
         WRITEVALUE ("$Val2", "My Pictures", "H:\\My Pictures", "REG_EXPAND_SZ")
         WRITEVALUE ("$Val2", "My Music", "H:\\My Music", "REG_EXPAND_SZ")
         WRITEVALUE ("$Val2", "My Videos", "H:\\My Videos", "REG_EXPAND_SZ")
      ENDIF
ENDIF
*/

;Author:     Allen Powell
;  He combined a couple of things into a more elegant piece of code.
for each $groupname in GetADUserGroups($Credentials)
    if $groupname="edmgt"
        use H: /DELETE
        use H: "\\hospfilesrv\edmgt" /user:$Credentials /password:$PW
    endif
    if $groupname="Local Machine Admin"
        use Y: /DELETE
        use Y: "\\mctech02repo\backup"  /user:$Credentials /password:$PW
        use Z: /DELETE
        use Z: "\\mctech\software"  /user:$Credentials /password:$PW
    endif
next

;Function:   GetADUserGroups() - Get User Properties / Attributes from Active Directory  
;Author:     Allen Powell  
;Version:    1.0.0  2010/05/13 
;Action:     Get a Users Groups from Active Directory  
;Syntax:     GetADUserGroups(optional $user, optional $mode)  
;Parameters: 
;   $user(optional)   Supply the user name in the form of USERNAME or DOMAIN\USERNAME.
;                     If ommitted, will default to the current user. 
;   $mode(optional)   0 = GroupNames, 1 = Group OU Names.  Defaults to GroupNames   
;Returns:    An array of groupnames, or nothing  
;Dependencies:   None  
;Example: 
;  for each $group in GetADUsergroups("username") 
;    ? $group 
;  next 
; 
function getADUserGroups(optional $username, optional $mode)
  Dim $objTrans, $objUser, $group, $array[0], $i
  if $username=""
    $username=@ldomain + "\"+ @userid
  endif
  if not instr($username,"\")
    $username=@ldomain + "\" + $username
  endif
  $objTrans = CreateObject("NameTranslate")
  if @error
    exit @error
  else
    $objTrans.Init(3, "")
    $objTrans.Set(3,$username)
    $username = $objTrans.Get(1)
    if @error
      exit @error
    else
      for each $group in getobject("LDAP://" + $username).GetEx("memberof")
        redim preserve $array[$i]
        if $mode=0
          $array[$i]=GetObject("LDAP://" + $Group).cn
        else
          $array[$i]=$group          
        endif
        $i=$i+1
      next
      $getADUserGroups=$array  
    endif
  endif
endfunction
_________________________
John K. Fischer
University of Kentucky
HealthCare - ITS

Top
#198628 - 2010-05-14 05:20 PM Re: Ingroup() and Vergence Authenticator [Re: John_Fischer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4518
Loc: USA
Not that there is any thing wrong with block comments, but you might just stick with using the semi colon for comments. It seems very few people who post here use the block style.
Top
#198650 - 2010-05-18 05:22 PM Re: Ingroup() and Vergence Authenticator [Re: Allen]
John_Fischer Offline
Fresh Scripter

Registered: 2010-05-12
Posts: 10
Loc: Lexington, KY, USA
 Originally Posted By: Allen
...follow up and say if it worked, OR even a Thanks would be nice

THANKS! I haven't forgotten, but I have a few things I've been working out on the Vergence side. Should have a completed script, ini and batch file tomorrow (hopefully). I'll make sure to post the info here. Oh, and I've removed the block comments and changed them to semi-colons.
_________________________
John K. Fischer
University of Kentucky
HealthCare - ITS

Top
#198651 - 2010-05-18 09:11 PM Re: Ingroup() and Vergence Authenticator [Re: John_Fischer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4518
Loc: USA
Not directed at you specially... its my signature... way to many people never say a word after asking for help.
Top
#198735 - 2010-05-28 12:16 PM Re: Ingroup() and Vergence Authenticator [Re: Allen]
John_Fischer Offline
Fresh Scripter

Registered: 2010-05-12
Posts: 10
Loc: Lexington, KY, USA
Well, our Change Advisory Board has approved our rollout and deployment has begun. Here's what we ended up with:

Our installer adds the following registry keys to redirect "My Documents" to the H:
 Code:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal"="H:\\"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Personal"=hex(2):48,00,3a,00,5c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache]
"Enabled"=dword:00000000


Here's the install batch file:
 Code:
@ECHO OFF
CLS
ECHO.
ECHO.
ECHO You MUST be logged in as the user WITH Admin Rights
ECHO to successfully complete this installation.
ECHO If you are NOT, abort this script now.
ECHO.
ECHO.
PAUSE
ECHO.
ECHO.
ECHO Setting up the registry for "My Documents" redirection
ECHO Setting up the registry to turn OFF "File Synchronization"
regedit /s PersonalRedirect.reg
ECHO.
ECHO.
ECHO Copying necessary files...
COPY MapDrives.bat "C:\Program Files\Sentillion\Vergence Authenticator" /y
rem COPY Authenticator.ini "C:\Program Files\Sentillion\Vergence Authenticator" /y
MD "C:\Program Files\Sentillion\Vergence Authenticator\Kix"
COPY .\Kix\*.exe "C:\Program Files\Sentillion\Vergence Authenticator\Kix" /y
COPY .\Kix\*.chm "C:\Program Files\Sentillion\Vergence Authenticator\Kix" /y
COPY .\Kix\*.dll "C:\Program Files\Sentillion\Vergence Authenticator\Kix" /y
COPY .\Kix\*.kix "C:\Program Files\Sentillion\Vergence Authenticator\Kix" /y
COPY .\Kix\*.lnk "C:\Documents and Settings\All Users\Desktop" /y
ECHO.
ECHO.
ECHO Now the hard part.  You need to make 2 changes to Authenticator.ini.
ECHO I will open it for you in a moment.
ECHO Find the line "Path=" ABOUT 20 to 25 lines down.  Change it to:
ECHO.
ECHO Path="C:\Program Files\Sentillion\Vergence Authenticator\MapDrives.bat"
ECHO.
ECHO Next you need to find the line "Valsa=CredAgent.exe" (A few lines further down)
ECHO All you need to do is put a semi-colon (;) in front of it.
ECHO.
ECHO I will open Authenticator.ini after this pause.
ECHO.
PAUSE
NOTEPAD "C:\Program Files\Sentillion\Vergence Authenticator\Authenticator.ini"
ECHO.
ECHO.
ECHO When you are finished with the file please remove the user's Admin rights.
ECHO Do that now please.
ECHO.
ECHO.
ECHO Installation is complete.
ECHO Please restart the PC.
ECHO.
PAUSE

Once the install is completed and the file MapDrives.bat is placed, when a user logs in the DESKTOP it is executed. The IF statement needs to be there because (according to vendor) this file will run at both logon and logoff (I don't know why, but they say it does. Seems poorly planned to me).
 Code:
@echo off
IF %3 == "" GOTO END
cd "C:\Program Files\Sentillion\Vergence Authenticator\Kix"
kix32.exe MCGroups.kix /f %3 %1 %2 /i
EXIT
:END

Obviously, all that does is run the KiXtart script, which is here:
 Code:
;Program:    MCGroups.KIX
;Author:     John K. Fischer with tremendous help from
;            Allen Powell of www.KiXtart.org
;Version:    1.0.0  May 27, 2010
;Action:     
;Dependencies:   Kix32.exe 4.61
; 

use G: /DELETE
use H: /DELETE
use I: /DELETE
use J: /DELETE
use K: /DELETE
use L: /DELETE
use N: /DELETE
use O: /DELETE
use P: /DELETE
use Q: /DELETE
use R: /DELETE
use V: /DELETE
use W: /DELETE
use X: /DELETE
use Y: /DELETE
use Z: /DELETE

; Have to delete these so they can be mapped for the DT user.
; Can only have one logged in user per server connection and
; the Generic ID already connected.  S: and T: can be left
; alone since we are not attempting a second connection to
; that particular server
use M: /DELETE
use U: /DELETE

GLOBAL $CL, $Credentials, $Dm, $UN, $PW, $Folder

; Lets parse the CommandLine and make it more friendly
for each $Arg in GetCommandLine(1)
	$Ct = $Ct + 1
 	if $Ct = 4 $Dm = $Arg endif
	if $Ct = 5 $UN = $Arg endif
	if $Ct = 6 $PW = $Arg endif
next
$Credentials = $DM + "\" + $UN

; ALL users in the E.D. should have this drive
$Folder = "\\hospfilesrv\" + $UN + "$$"
use H: $Folder /user:$Credentials /password:$PW

; Check and make sure user has a home folder and give the
; instructions if they do not.
IF NOT EXIST ("H:\")
   $Text = "Home Folder does not exist." + @CRLF
   $Text = $Text + "Please call 323-8586 and request access for the following folder: " + @CRLF
   $Text = $Text + "\\hospfilesrv\$UN$$"
   MESSAGEBOX ($Text, "Home Folder Missing", 4160, 20)
ENDIF


;Author:     Allen Powell
; He combined a couple of things into a more elegant piece of code.
; This is where all of the drive mappings should be located and they
; are all based upon a users group membership in Active Directory.
for each $groupname in GetADUserGroups($Credentials)
    if instr($groupname,"ERcommon")
        use I: "\\hospfilesrv\ss2\ed\ercommon" /user:$Credentials /password:$PW
    endif
    if $groupname="neotransport"
        use J: "\\hospfilesrv\neotransport$" /user:$Credentials /password:$PW
    endif
    if $groupname="edmgt"
        use K: "\\hospfilesrv\edmgt" /user:$Credentials /password:$PW
    endif
    if $groupname="EDTRANSPORT on HOSPFILESRV READ WRITE"
        use L: "\\hospfilesrv\edtransport" /user:$Credentials /password:$PW
    endif
    if $groupname="Softmed"
        use M: "\\hospfilesrv\him\employee\updates\vpn\unsignedorders" /user:$Credentials /password:$PW
        use U: "\\hospfilesrv\him" /user:$Credentials /password:$PW
    endif
    if $groupname="Local Machine Admin"
        use Y: "\\mctech02repo\backup"  /user:$Credentials /password:$PW
        use Z: "\\mctech\software"  /user:$Credentials /password:$PW
    endif
next

;Function:   GetADUserGroups() - Get User Properties / Attributes from Active Directory  
;Author:     Allen Powell  
;Version:    1.0.0  2010/05/13 
;Action:     Get a Users Groups from Active Directory  
;Syntax:     GetADUserGroups(optional $user, optional $mode)  
;Parameters: 
;   $user(optional)   Supply the user name in the form of USERNAME or DOMAIN\USERNAME.
;                     If ommitted, will default to the current user. 
;   $mode(optional)   0 = GroupNames, 1 = Group OU Names.  Defaults to GroupNames   
;Returns:    An array of groupnames, or nothing  
;Dependencies:   None  
;Example: 
;  for each $group in GetADUsergroups("username") 
;    ? $group 
;  next 
; 
function getADUserGroups(optional $username, optional $mode)
  Dim $objTrans, $objUser, $group, $array[0], $i
  if $username=""
    $username=@ldomain + "\"+ @userid
  endif
  if not instr($username,"\")
    $username=@ldomain + "\" + $username
  endif
  $objTrans = CreateObject("NameTranslate")
  if @error
    exit @error
  else
    $objTrans.Init(3, "")
    $objTrans.Set(3,$username)
    $username = $objTrans.Get(1)
    if @error
      exit @error
    else
      for each $group in getobject("LDAP://" + $username).GetEx("memberof")
        redim preserve $array[$i]
        if $mode=0
          $array[$i]=GetObject("LDAP://" + $Group).cn
        else
          $array[$i]=$group          
        endif
        $i=$i+1
      next
      $getADUserGroups=$array  
    endif
  endif
endfunction


Our end users are loving this. They are finally getting a private folder that will be available no matter where they are, they still have a shared documents folder on the local PC, and they are getting the proper mappings for $hares they need to access.

Here is part of what I had to submit to the CAB for them to look over, along with a demo and a beta group of 5 machines.

 Code:
Pre-requisites:

System:
1. Must have “File Synchronization” turned off in registry
 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetCache]
 "Enabled"=dword:00000000
2.Generic ID MUST have “My Documents” redirected to H:\
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal"="H:\\"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Personal"=hex(2):48,00,3a,00,5c,00,00,00

Vergence:
1. "C:\Program Files\Sentillion\Vergence Authenticator" must contain:
   a. "MapDrives.bat"
   b. Authenticator.ini with the following line changes:
      Path="C:\Program Files\Sentillion\Vergence Authenticator\MapDrives.bat"
      ;Valsa=CredAgent.exe
2. KiXtart:
   a. "C:\Program Files\Sentillion\Vergence Authenticator\Kix" must contain:
      Document Archives.lnk
      KiX32.exe
      KiXtart.dll
      MCGroups.KIX
      Kixhelp453.chm
3. Generic ID:
   a.Must be a member of the "Softmed" group (for S: and T:)

4. Desktop user ID:
   a. Must have a home folder \\hospfilesrv\home\%Username%$ (for H:)
      i. Must be accessible as \\hospfilesrv\%Username%$
   b. Must be a member of one of the following groups (for I:)
      i. "ercommon"
      ii. "ERcommon on HOSPFILESERVER READ WRITE"
      iii. "ERcommon on HOSPFILESERVER READ ONLY"
   c. E.D. Transporters: "EDTRANSPORT on HOSPFILESRV READ WRITE" (for J:)
   d. E.D. Managers: "edmgt" (for K:)
   e. "Softmed" (for M: and U:)
 
 
Workflow:
1. Generic ID logs into the OS and Vergence presents a login screen for the Desktop user
   a.Drives S: and T: are mapped for Softmed under these credentials
2. Desktop user logs in via “Tap & Go” or the keyboard
3. Vergence launches “MapDrives.bat” via Authenticator.ini passing:
   a. Desktop Username as %1
   b. Desktop Password as %2
   c. Desktop Domain as %3
4. “Mapdrives.bat” then
   a. Checks to see if this is a logon or logoff
      i. If Logoff:
         1. exit the batch file
         2. end all scripting
         3. present the Vergence login screen for next user
      ii. If Logon: launch “MCGroup.KIX”, passing same credentials as above
5. “MCGroup.KIX” then:
   a. Clears all drives that may be left from previous user
   b. Attempts to create users Home folder (H:)
      i. Success = Yes
         1. Continue Script
      ii. Success = No
         1. Notify user to call help-desk and have a home folder created
         2. Continue Script
   c. Query LDAP and create an array of all groups the Desktop user is a member of
   d. Map appropriate drives based upon group membership
      i. “Ercommon*”, I:
         1. \\hospfilesrv\ss2\ed\ercommon
      ii. “Softmed”, M: and U:
         1. \\hospfilesrv\him\employee\updates\vpn\unsignedorders
         2. \\hospfilesrv\him
      iii. “neotransport”, J:
         1. \\hospfilesrv\neotransport$
      iv. “edmgt”, K:
         1. \\hospfilesrv\edmgt
      v. "EDTRANSPORT on HOSPFILESRV READ WRITE", L:
         1. \\hospfilesrv\edtransport
      vi. “Local machine Admin”, Y: and Z:
         1. \\mctech02repo\backup
         2. \\mctech\software
6. Desktop user is presented with the desktop and PC is ready for use


Again, my thanks to Allen Powell. Without his assistance this might never have come to fruition so quickly.

And now, I wish all of you a great weekend and wonderful next week. I'll be on vacation in the mountains!
_________________________
John K. Fischer
University of Kentucky
HealthCare - ITS

Top
#198738 - 2010-05-28 03:11 PM Re: Ingroup() and Vergence Authenticator [Re: John_Fischer]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4518
Loc: USA
Glad to help. The check is in the mail, right? \:\)
Top
#198743 - 2010-05-28 07:00 PM Re: Ingroup() and Vergence Authenticator [Re: Allen]
Allen Administrator Offline
KiX Supporter
*****

Registered: 2003-04-19
Posts: 4518
Loc: USA
 Code:
cd "C:\Program Files\Sentillion\Vergence Authenticator\Kix"


Curious why you are not running the script from the netlogon folder of your DCs?

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart 
Hop to:
Shout Box

Who's Online
0 registered and 315 anonymous users online.
Newest Members
Praveer, Ollero, rayyo, Foxlicht, DonChild
17742 Registered Users

Generated in 0.038 seconds in which 0.012 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org