Logon script getting goofy results from Active Directory Query

Discussion in 'Active Directory' started by J. Bryan Wehrenberg, Sep 7, 2007.

  1. I am implementing a new logon script to map a network drive. I want to do
    this based on group membership. I found some pretty basic VB scripts to do
    this but am getting some weird results. Example:

    User A is a member of Domain Users, TechGroup1 and MapDrives groups.

    User B is a memebr of Domain Users and MapDrives Groups.

    I run the following script:

    1 Const GROUP = "cn=mapdrives"
    2
    3 Set wshNetwork = CreateObject("WScript.Network")
    4
    5 Set ADSysInfo = CreateObject("ADSystemInfo")
    6 Set CurrentUser = GetObject("LDAP://" & ADSysInfo.UserName)
    7 strGroups = LCase(Join(CurrentUser.MemberOf))
    8
    9 If InStr(strGroups, GROUP) Then
    10 wshNetwork.MapNetworkDrive "n:", "\\firstdc\files"
    11 End If

    User A will work but User B will get a type mismatch error for the "Join"
    command on line 7. Using

    WScript.Echo strGroup

    to do some troubleshooting reveals that User A returns that he is in the
    Tech Group1 and MapDrives groups only and User B only in the Domain Users
    group, which is causing a join error for some reason. Testing a large group
    of users about 10% seem to be having the issue that User B is having, not to
    mention that everyone else is not showing that they are in the Domain Users
    group. I have 2 2003 DC's and replication seems to work fine. Anyone have
    any idea why AD is returning such values, neither of which is entirely
    correct?
     
    J. Bryan Wehrenberg, Sep 7, 2007
    #1
    1. Advertisements

  2. This is a common problem because of the suggested script on the Microsoft
    site, which has a flaw. This statement raises the error:

    Set strGroups = LCase(Join(CurrentUser.MemberOf))


    The Join function will raise a type mismatch error unless there are at least
    2 groups in the memberOf collection. The Join function expects a "Variant()"
    array, but if memberOf has one group it is "String", and if memberOf has no
    groups (possible since the "primary" group is not included) it is "Empty".
    The solution would be code similar to below:
    ===========
    On Error Resume Next
    arrGroups = CurrentUser.GetEx("memberOf")
    If (Err.Number = 0) Then
    On Error GoTo 0
    strGroups = LCase(Join(arrGroups))
    If InStr(strGroups, "cn=it_user,ou=West,dc=MyDomain,dc=com") Then
    ' Map appropriate drives.
    End If
    If InStr(strGroups, "cn=it_users,ou=West,dc=MyDomain,dc=com") Then
    ' Map appropriate drives.
    End If
    ' More If statements...
    End If
    On Error GoTo 0
    ============
    I use the GetEx method to retrieve memberOf because it returns a "Variant()"
    when there is only one group, instead of a "String". An error is still
    raised if memberOf is "Empty", so I trap the error.

    I discuss some of these complications with regard to the memberOf attribute,
    plus other ways to test for group membership, in this link:


    http://www.rlmueller.net/MemberOf.htm

    Note if "Domain Users" is the "primary" group of the user, it is not
    included in memberOf. You should be able to assume that everyone is a member
    of this group.
     
    Richard Mueller [MVP], Sep 7, 2007
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.