How Can I Map Drives Based on Membership in a Group?

Hey, Scripting Guy! How can I map drives in a logon script based on a security group each user belongs to?

-- RO

Hey, RO. Considering the fact that this question has been asked by approximately 3,755,392 of our readers - oops, there’s another one; make that 3,755,393 of our readers - we decided it might be a good idea for us to answer it. So here goes.

There are two issues here. First, you need to determine which groups a user belongs to; second you need to map a drive based on the user’s membership in a particular group. Because there are two issues to deal with, let’s take our usual tack and show you how to do step 1, show you how to do step 2, and then bring them both together for a grand finale that actually performs the task in question.

For starters, you need to determine which groups the user belongs to; before you can actually do that however, you need to determine who the user is in the first place. Because you’re running this as a logon script, that’s actually pretty easy: you can use the ADSystemInfo object to determine the distinguished name of the user who just logged on:

Set objSysInfo = CreateObject("ADSystemInfo")
Wscript.Echo objSysInfo.UserName

Why do we want the distinguished name as opposed to, say, the user’s logon name? Well, the distinguished name (which looks like CN=Ken Myer, OU=Finance, DC=fabrikam, DC=com) gives us a nearly-complete path to the user’s Active Directory user account; in fact, all we have to do is tack LDAP:// to the front and we’re on our way. A logon name like kmyer isn’t nearly as useful; if that’s all we have, we’d have to do an Active Directory search to determine the ADsPath for this account. Starting off with the distinguished name lets us bypass all those steps.

As soon as we tack on LDAP:// and construct an ADsPath we then bind to the user account in Active Directory and report back the groups the user belongs to; this can be done simply by enumerating the values in the MemberOf attribute. Thus:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    Wscript.Echo objGroup.CN
Next

Note that what we do here is construct an ADsPath for the group using this line of code:

strGroupPath = "LDAP://" & strGroup

We then bind to the group itself and echo the value of the CN. Why? Well, the MemberOf attribute returns the distinguished name of each group the user belongs to; thus you get names like CN=Finance Users, OU=Finance, DC=fabrikam, DC=com. That’s OK, but we’d rather just have a group name (i.e., a CN) like Finance Users. So we go ahead and bind to the group and grab the CN.

As for step 2, mapping a network drive, that’s pretty easy; this code maps drive X to the share \\atl-fs-01\finance:

Set objNetwork = CreateObject("Wscript.Network")
objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\finance"

All we have to do is create an instance of the WSH Network object, then call the MapNetworkDrive method, passing the method two parameters: the drive letter, and the file share we want to map to.

So here - at last! - is a script that determines the groups a user belongs to, and then maps drive X to the appropriate network share based on group membership. To do this, we return a list of all the groups, and then use a Select Case statement to see if the user belongs to one of our target groups. For example, this code checks to see if the user belongs to the Finance Users group; if he or she does, then the script maps drive X to the share \\atl-fs-01\finance:

Case "Finance Users"
        objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\finance"

Here’s the finished script:

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("Wscript.Network")

strUserPath = "LDAP://" & objSysInfo.UserName
Set objUser = GetObject(strUserPath)

For Each strGroup in objUser.MemberOf
    strGroupPath = "LDAP://" & strGroup
    Set objGroup = GetObject(strGroupPath)
    strGroupName = objGroup.CN

    Select Case strGroupName
        Case "Finance Users"
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\finance"
        
        Case "Human Resource Users" 
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\hr"

        Case "Manufacturing Users"
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\manufacturing"

        Case "Shipping and Receiving Users"
            objNetwork.MapNetworkDrive "X:", "\\atl-fs-01\shipping"
    End Select
Next

A couple of caveats regarding this script. First, the script assumes users belong to only one of the groups in question. Suppose a user belongs to both Manufacturing Users and Shipping and Receiving Users. In that case, drive X will be mapped to \\atl-fs-01\manufacturing, but an error will occur when the script tries to map drive X to \\atl-fs-01\shipping; that error occurs because the drive is already in use. If your users might belong to multiple groups, you’ll have to account for that, perhaps by allowing for multiple drive mappings (for example, map drive X and then, if drive X is taken, map the drive for the next group to drive Y). We’ll save that lesson for another day.

In addition, this script assumes that users are listed by name in the security groups. However, what if user Ken Myer happens to be a member of the Accounting Group, and the group (not the individual user) is a member of Finance Users? In that case, the drive will not be mapped properly, because this script cannot account for nested groups (groups inside of groups). That’s a more complicated script, and something we’ll show you how to do in the near future.
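Both caveats above can be handled in one logon script. The following is an added example, not code from the original column: it reads MemberOf with GetEx so a single group still comes back as an array, walks nested groups recursively, and gives each matching group the next free drive letter. The share names are the article's samples; the X:, Y:, Z: letter pool and the helper names are assumptions.

```vbscript
Option Explicit
Dim objNetwork, objFSO, dictShares, dictGroups, strDN, strLetter
Set objNetwork = CreateObject("Wscript.Network")
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Group CN -> share, using the article's sample names.
Set dictShares = CreateObject("Scripting.Dictionary")
dictShares.CompareMode = vbTextCompare
dictShares.Add "Finance Users", "\\atl-fs-01\finance"
dictShares.Add "Human Resource Users", "\\atl-fs-01\hr"
dictShares.Add "Manufacturing Users", "\\atl-fs-01\manufacturing"
dictShares.Add "Shipping and Receiving Users", "\\atl-fs-01\shipping"
' Group DN -> CN for every direct and nested group of the logged-on user.
Set dictGroups = CreateObject("Scripting.Dictionary")
dictGroups.CompareMode = vbTextCompare
CollectGroups GetObject("LDAP://" & CreateObject("ADSystemInfo").UserName)
For Each strDN In dictGroups.Keys
    If dictShares.Exists(dictGroups(strDN)) Then
        strLetter = NextFreeLetter()
        If strLetter <> "" Then objNetwork.MapNetworkDrive strLetter, dictShares(dictGroups(strDN))
    End If
Next

' GetEx returns an array even for one value; it raises an error when memberOf is empty.
Function GroupDNs(objADObject)
    GroupDNs = Array()
    On Error Resume Next
    GroupDNs = objADObject.GetEx("memberOf")
End Function

' Walk memberOf recursively; dictGroups doubles as the visited set, so circular nesting ends.
Sub CollectGroups(objADObject)
    Dim strGroupDN, objGroup
    For Each strGroupDN In GroupDNs(objADObject)
        If Not dictGroups.Exists(strGroupDN) Then
            Set objGroup = GetObject("LDAP://" & strGroupDN)
            dictGroups.Add strGroupDN, objGroup.CN
            CollectGroups objGroup
        End If
    Next
End Sub

' Lowest unused letter from the assumed pool, or "" when all three are taken.
Function NextFreeLetter()
    Dim strCandidate
    NextFreeLetter = ""
    For Each strCandidate In Array("Z:", "Y:", "X:")
        If Not objFSO.DriveExists(strCandidate) Then NextFreeLetter = strCandidate
    Next
End Function
```

The memberOf attribute does not list the user's primary group (Domain Users by default), so that group never matches here. Mapping a drive grants nothing by itself; access to each share is still decided by its share and NTFS permissions.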


  • Hey Guy,

    Something I found:

    By default, a newly created domain user only belongs to the "domain users" group (also as Primary group).

    Later, if the user was added into another group (only one), when we run the script, we will fail to map the drive.

    This is because if the user belongs to only one group (except the Primary group), the value of "objUser.MemberOf" will be treated as a string (not a collection), so the scripts within "For Each strGroup in objUser.MemberOf" won't run.

    Is it true?

    Refer: <http://www.rlmueller.net/MemberOf.htm>

  • technet.microsoft.com/.../cc758918%28WS.10%29.aspx

  • Is there a way to add a group to multiple network drives? For example, I entered -

    Case "test"

        objNetwork.MapNetworkDrive "S:", "\\server\xxx"

    Case "test"

        objNetwork.MapNetworkDrive "F:", "\\server\yyy"

    Only the mapping to the S: drive worked. I created a test 2 group for the second mapping and it worked. Is there any way around this?

  • Hi ScriptingGuy,

    I am trying to map drives based on nested groups, and as you say this doesn't work.

    Did you ever get round to blogging this? If so, what's the link - I can't find anything anywhere!!!

    Thanks.

  • Thanks for this.

    Do you know how to do this using PowerShell instead?

    Sorry, I'm having great difficulties finding the solution and saw your post and wondered if you have converted this to Powershell instead?

    Many thanks,

    Binh

  • What about persistent drive letters?