May 2, 2013

Mapping Drives in Logon Scripts Is There a Better Way

It sure seems like there should be. Mapping drives for users has been a task IT has needed to do since the first network drive. Yet getting those drives correctly provisioned to users isn't a task that's come easily ' even with today's newer technologies like PowerShell and Group Policy Preferences. In fact, some of those newer technologies might even be more difficult than our old friend the net use command, depending on what you need to accomplish.
Considering how mapped drives exist in companies everywhere, you'd think a super-simple solution would exist right inside Windows itself. Without help from third-party solutions, you'll be surprised to find that'well'there isn't.
Let's take a look, however, at what you can do. I'll start by looking at some of the ways people have provisioned mapped drives to users in the past. I'll bet the very first solution you found was inside each user's object. Even back before Active Directory, each individual user could be assigned a single mapped drive as their 'Home Directory' (now called 'Home Folder') in their user environment profile.

Figure 1: User profile.
You can see in Figure 1 how each user profile has a place to connect a single home drive. Home drives are great, and you probably use them for network storage of user data, but home drives aren't enough when you've got additional network drives that need to get mapped. If you need to map two or more drives, you've got to look elsewhere for a solution.

Mapping the Drive


It's for this reason why many people's second approach to mapping drives is achieved through logon scripts. Logon scripts extended the single drive limitation of home drives frankly because they're completely malleable. You can create a logon script to accomplish whatever tasks you want, as long as your scripting prowess can handle the task.
You've surely created or modified a logon script before. With batch scripting, creating a mapped drive requires just a single line:
net use S: \\server\shared\finance
VBScript requires only one additional line to accomplish the same thing:
Set objNetwork = CreateObject("WScript.Network")
objNetwork.MapNetworkDrive "S:" , "\\server\shared\finance"

PowerShell, everyone's favorite new scripting language, brings us back to a single line, but oh what a line it is!
(New-Object -ComObject WScript.Network).MapNetworkDrive("S:", '\\Server\shared\finance')
While each of these three languages indeed maps the drive you're looking for, each has their own problems and limitations that limit how effective they really are.
Remember that in order to use any of these, you'll first have to accomplish a few things. First, you'll have to actually create that script you want to deploy. Your script will probably include additional configurations over and above any drive mappings. Maybe you'll set a few environment variables or pop up a dialog box with an acceptable use statement. All of these extra things you'll need to add into that script and test to your satisfaction before you can use it.

Installing the Logon Script


Once created, deploying the script to users most often happens as a function of Active Directory Group Policy. Because you want these scripts to run at Logon, you'll typically need to configure them in the User Configuration | Policies | Windows Settings | Scripts (Logon/Logoff) | Logon section of whatever Organizational Unit you're interested in. Figure 2 shows the console where you'll add a non-PowerShell script.

Figure 2: Logon properties.
Adding your batch or .VBS file to this location only creates a pointer to your logon script. You've also got to upload the script itself into Active Directory's replicated SYSVOL folder by clicking the Browse button after choosing to Edit the properties of the script.
You've absolutely got to be careful if you haven't tooled around much with SYSVOL. Too much or the wrong kind of file manipulation in this location can have deleterious effects on your Active Directory. Even more challenging is the pathing that Active Directory uses to simply get you to the right location. My script needed to be uploaded to
company.pri\SysVol\company.pri\Policies\{846E224F-25CF-4516-BAA0-57AA19533EC9}\User\Scripts\Logon. Your path will be similar, but with a different domain and another very different GUID in place of mine.
Once installed and replicated around your Active Directory, your users should start mapping their drives as soon as their computer picks up the new Group Policy Object.

Decisions in Mapping Drives ' The 'In the Script' Way


You're probably having a minor 'a-ha!' moment at this point. 'Yes, Greg,' you might be thinking, 'mapping a drive or two still isn't that difficult a procedure, but my needs are more complex than just a simple mapped drive. I have some users who need some drives some of the time. I also have other users who need other drives, but only in certain circumstances. Mapping drives for me isn't an all-or-nothing situation!'
Here's where you'll find the true challenges in scripting solutions for mapping drives. Indeed batch, VBScript, PowerShell, and even the non-Microsoft languages like KIX and others have built-in capabilities for creating conditional statements. But what if the entire concept of a conditional statement sends shivers up your spine. How are you to make decisions in your logon scripts if your decisions are more complex than are your abilities in scripting?
Let me help you out with some of those complex script routines that might scare you. It's this kind of complexity that keeps many administrators in fear of scripting itself. That said, with what I show you, it is possible to make at least some decisions in your drive mapping logon scripts.
One of the easiest ways to get users to unique drives is by naming the drives after their username. This is easy because the variable %username% automatically maps to a user at the time of their logon. This means that with batch scripting you could potentially map a unique drive with:
net use S: \\server\shared\finance\%username%
This is great if you're looking for mapped drives that relate to usernames. Also, any environment variable that's native or otherwise present at the user's desktop could be used to map a drive. %username% is always available, but as you can imagine it's of limited use.
I'll bet that what you're looking for is somewhat different. Many admins instead want to assign drive mappings based on group membership. That's a task that requires a bit more scripting. You can accomplish this in VBScript with a few additional lines:
Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set objCurrentUser = GetObject("LDAP://" & objUser.UserName)
strGroup = LCase(Join(objCurrentUser.MemberOf))
If InStr(strGroup, lcase("Finance")) Then
objNetwork.MapNetworkDrive "R:", "\\server\shared\finance"
End If

At the point of logon, the script above takes a look through all the groups in which the user is a member. If that user is in the Finance group, then the script will map the R: drive to the
server\shared\finance share. You can add additional mapped drives by adding more If-Then statements. This script checks for finance, accounting, and IT group membership, then maps the corresponding R:, S:, or T: drive.
Set objNetwork = CreateObject("WScript.Network")
Set objUser = CreateObject("ADSystemInfo")
Set objCurrentUser = GetObject("LDAP://" & objUser.UserName)
strGroup = LCase(Join(objCurrentUser.MemberOf))
If InStr(strGroup, lcase("Finance")) Then
objNetwork.MapNetworkDrive "R:", "\\server\shared\finance"
End If
If InStr(strGroup, lcase("Accounting")) Then
objNetwork.MapNetworkDrive "S:", "\\server\shared\accounting"
End If
If InStr(strGroup, lcase("IT")) Then
objNetwork.MapNetworkDrive "T:", "\\server\shared\IT"
End If

Both of these are neat little scripts, but they're also not terribly scalable. If you've got only two or three different groups in your Active Directory that require attention, you can probably replicate this code a few times and accomplish what you need. But if you've got more than a few (and who doesn't), you can imagine the level of complexity that scales as the size of the script grows. More importantly, as your number of mapped drives grows in number you can see how drives might begin conflicting with each other.

Decisions in Mapping Drives ' The 'How It's Applied' Way


To combat these conflicting problems some scripters take a different tactic. Rather than adding the logic into the script directly, they create separate scripts that get applied based on the rules of Active Directory. This alternate way I'll call the 'how it's applied' method rather than the 'in the script' method.
Remember that any logon script can be applied based on the Organizational Unit of either the user or the computer. In the case of users, logon scripts are applied based on where in Active Directory a user's account is located. If the user's account is part of the Finance OU, you'll assign their logon script to the Finance OU and know that they'll get their assignments.
Scripts can also be assigned to OUs full of computers, even though such scripts are Startup and Shutdown scripts rather than Logon and Logoff scripts. In a perfect world, adding a startup script would allow drives to be mapped based on which computer the user is logging in. However, be aware that startup scripts don't operate that way. A startup script runs as the computer 'starts up', before any user has attempted to login. Thus, you can't easily use a startup script to map drives in this way, although other startup activities that aren't user-centric are possible.
As you can imagine, this combination of users, computers, logons, and startups can immediately create a complex web of conditional statements. A user who is a member of multiple groups could have an overlap of drive letters. Different users logging into the same computer won't get the same mapped drives. Chaos ensues!

Figure 3: Group Policy Preferences Item Level Targeting
By itself Active Directory deploys scripts based on that user's or computer's OU membership. You've got options based on user, or computer, but not necessarily both at the same time. Active Directory Group Policy Preferences get around some of these limitations through their use of Item Level Targeting, seen in Figure 3. There a Group Policy Preference that's been targeted to a specific OU won't actually be invocated unless the items resolve as true. In Figure 3, the drive mapping won't be applied unless the user is a member of the Finance Users group. Remember that even Item Level Targeting is constrained by the OU where your configurations are located.

Active Directory + Scripting = Complex


Complex, eh? Absolutely, and they get even more challenging as your environment ages and inserts more and more scripts to keep things running. If your requirements for mapped drives are anything beyond the simple, consider taking a look at alternative solutions. You might find that the constraints placed upon you by Active Directory might not solve the business problems you actually have.

0 comments:

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More

 
Design by Computer Tricks and Tips