Greg's Tech blog


Thursday 27 of March, 2008

More on the corporate logon script....

We needed a way to control drive mapping based on group membership (or not). We built a VBScript that returns an exit code based on the user's membership in an Active Directory group: 1 if they are in the group, 0 if not.

'On Error Resume Next
' GroupCheck - GjM - returns errorlevel 1 if user is member of group, else returns 0
' EX: cscript groupcheck.vbs "GroupName"
' Note: memberOf lists direct memberships only (no nested groups, and not the
' user's primary group, normally Domain Users)
option explicit
Dim objADSysInfo, strUser, objGroup, objUser, group, bMatched, arrGroups
Dim strGroupToTest, objArgs

set objArgs = wscript.arguments
If objArgs.Count < 1 Then
    wscript.echo "Usage: cscript groupcheck.vbs ""GroupName"""
    wscript.quit 0
End If
strGroupToTest = objargs(0)
bMatched = False

'Make no changes below this point (unless you know why!)

Set objADSysInfo = CreateObject("ADSystemInfo")
strUser = objADSysInfo.UserName
Set objUser = GetObject("LDAP://" & strUser)

' GetEx always returns an array (the plain memberOf property returns a bare
' string when the user is in exactly one group, which breaks For Each).
' It raises an error when the attribute is absent; treat that as "no groups"
' and fail closed, so an unexpected failure is not mistaken for membership.
On Error Resume Next
arrGroups = objUser.GetEx("memberOf")
If Err.Number <> 0 Then wscript.quit 0
On Error GoTo 0

For Each group in arrGroups
    Set objGroup = GetObject("LDAP://" & group)
    If trim(objGroup.CN) = trim(strGroupToTest) Then
        bMatched = True
        'wscript.echo "Group match"
        Exit For
    End If
Next

If bMatched then
    'wscript.echo "User in group"
    wscript.quit 1
Else
    'wscript.echo "User not in group"
    wscript.quit 0
End If

To make use of this, we added this to the logon script:

:: Test to see if we should run this script
cscript /nologo Groupcheck.vbs "MigratedUsers"
if %errorlevel% EQU 0 (
   echo Failed groupcheck, exiting...
   Goto :EOF
)

In this example, if the user is part of a group called MigratedUsers the script will continue, else it exits.

This could be adapted to run optional parts of the script based on group membership, for example to map a particular drive.
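As an added example (not code from the original post), here is one way to do that drive mapping directly in VBScript: read the user's groups once, then gate each mapping on membership. The share paths and group names are placeholders, and groups are matched on sAMAccountName rather than CN because CN is not unique across OUs.

```vbscript
' MapByGroup.vbs - added example, not from the original post: map drives
' from the logon script based on AD group membership.
' Share paths and group names below are placeholders.
Option Explicit
Dim objSysInfo, objUser, objNet, dictGroups, strDN, objGroup, arrGroups

Set objSysInfo = CreateObject("ADSystemInfo")
Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
Set objNet = CreateObject("WScript.Network")
Set dictGroups = CreateObject("Scripting.Dictionary")
dictGroups.CompareMode = vbTextCompare   ' group names are case-insensitive

' Read the user's direct groups once, keyed by sAMAccountName (unique per
' domain, unlike CN). GetEx always returns an array but raises an error
' when the attribute is absent, which we treat as "no groups".
On Error Resume Next
arrGroups = objUser.GetEx("memberOf")
If Err.Number <> 0 Then arrGroups = Array()
On Error GoTo 0

For Each strDN In arrGroups
    Set objGroup = GetObject("LDAP://" & strDN)
    dictGroups(objGroup.Get("sAMAccountName")) = True
Next

Function IsMember(strGroup)
    IsMember = dictGroups.Exists(strGroup)
End Function

' Map a drive, replacing any stale mapping; a failed mapping is reported
' but never stops the rest of the logon script.
Sub MapDrive(strLetter, strShare)
    On Error Resume Next
    objNet.RemoveNetworkDrive strLetter, True, True
    Err.Clear
    objNet.MapNetworkDrive strLetter, strShare, False
    If Err.Number <> 0 Then
        WScript.Echo "Could not map " & strLetter & " to " & strShare & ": " & Err.Description
    End If
    On Error GoTo 0
End Sub

' Optional parts of the logon script, each gated on a group
If IsMember("MigratedUsers") Then MapDrive "H:", "\\fileserver\migrated"
If IsMember("Finance") Then MapDrive "F:", "\\fileserver\finance"
```

Run it with cscript from the logon script; because the mapping decisions stay inside the script, there is no exit code for the batch file to misread.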

Feel free to borrow this.