date: Wed, 9 Jul 2008 06:29:00 -0700
group: microsoft.public.scripting.wsh
Re: Authenticate Computer and Users to particular User Group
"Rita in Florida" wrote in message
news:D593D3C5-4FB9-435E-9DE0-9567509274BE@microsoft.com...
> Hello everyone,
> I am a newbie to PowerShell scripting and have been tasked to write a
> login script to accomplish the following for the school I work at. (Boss
> passed it down to me)
> I am a network person. OS = Server 2003, soon to be Server 2008; PCs are
> XP and Vista.
> Deadline testing date: August 1, 2008. Implementing: August 14th, on 800
> computers.
>
> Objective: Login authentication must be verified using this scenario:
>
> If computer is member of "XX computer" or "YY computer" group
> and user name = "me" or "user"
> Deny access and send message back to user with login screen
> Message: 'Please login using your login name and password'
>
> If computer is member of "AA or BB computer" group
> and user name is = "me" or "user"
> process normal login
> _____________________________________
> Reason: Computers are grouped in OUs with unique identifiers as the first
> two characters. AA = Lower School 1st to 4th, BB = Intermediate 5th and
> 6th, XX = Middle 7th and 8th*, YY = High School.
>
> I have ordered MS PowerShell and PowerShell for beginners but would
> appreciate it if someone could help me out with a starter script.
>
> --
> All suggestions are appreciated. Thanking you in advance for your
> assistance.
> Rita
I know little of PowerShell, so you might wonder why I am here. The reason
is that this newsgroup is for Windows Script Host, not PowerShell.
That said, it is my impression that PowerShell may not be the best choice
for a logon script. WSH, on the other hand, should be available for your XP
and Vista clients right out of the box without further installation - not
the case for PowerShell on XP. I also understand that PowerShell itself is
not ADSI-aware. There is a fair amount of logon scripting experience
available for WSH in groups such as this. Granted, since I do not follow the
PowerShell groups, I might be missing something there.
/Al
date: Wed, 9 Jul 2008 18:57:31 -0600
author: Al Dunbar aam
Re: Authenticate Computer and Users to particular User Group
--
All suggestions are appreciated. Thanking you in advance for our assistance.
Rita
"Al Dunbar" wrote:
>
> "Rita in Florida" wrote in message
> news:D593D3C5-4FB9-435E-9DE0-9567509274BE@microsoft.com...
> > Hello everyone,
> > I am a newbie to PowerShell scripting and have been tasked to write a
> > login script to accomplish the following for the school I work at. (Boss
> > passed it down to me)
> > I am a network person. OS = Server 2003, soon to be Server 2008; PCs are
> > XP and Vista.
> > Deadline testing date: August 1, 2008. Implementing: August 14th, on 800
> > computers.
> >
> > Objective: Login authentication must be verified using this scenario:
> >
> > If computer is member of "XX computer" or "YY computer" group
> > and user name = "me" or "user"
> > Deny access and send message back to user with login screen
> > Message: 'Please login using your login name and password'
> >
> > If computer is member of "AA or BB computer" group
> > and user name is = "me" or "user"
> > process normal login
> > _____________________________________
> > Reason: Computers are grouped in OUs with unique identifiers as the first
> > two characters. AA = Lower School 1st to 4th, BB = Intermediate 5th and
> > 6th, XX = Middle 7th and 8th*, YY = High School.
> >
> > I have ordered MS PowerShell and PowerShell for beginners but would
> > appreciate it if someone could help me out with a starter script.
> >
> > --
> > All suggestions are appreciated. Thanking you in advance for your
> > assistance.
> > Rita
>
> I know little of PowerShell, so you might wonder why I am here. The reason
> is that this newsgroup is for Windows Script Host, not PowerShell.
>
> That said, it is my impression that PowerShell may not be the best choice
> for a logon script. WSH, on the other hand, should be available for your XP
> and Vista clients right out of the box without further installation - not
> the case for PowerShell on XP. I also understand that PowerShell itself is
> not ADSI-aware. There is a fair amount of logon scripting experience
> available for WSH in groups such as this. Granted, since I do not follow the
> PowerShell groups, I might be missing something there.
>
>
> /Al
>
Thanks for the info. I looked through my Configuring Windows Server 2008 Active Directory training manual and found that PowerShell is so new that it ...suggests 'Use VBScript' since it can run on all current versions of Windows using WSH. So I will investigate WSH and VB. Back to the drawing board ...so to speak. Thanks again. Rita
date: Thu, 10 Jul 2008 05:10:01 -0700
author: Rita in Florida
Re: Authenticate Computer and Users to particular User Group
Rita wrote:
> I am a newbie to PowerShell scripting and have been tasked to write a
> login script to accomplish the following for the school I work at. (Boss
> passed it down to me)
> I am a network person. OS = Server 2003, soon to be Server 2008; PCs are
> XP and Vista.
> Deadline testing date: August 1, 2008. Implementing: August 14th, on 800
> computers.
>
> Objective: Login authentication must be verified using this scenario:
>
> If computer is member of "XX computer" or "YY computer" group
> and user name = "me" or "user"
> Deny access and send message back to user with login screen
> Message: 'Please login using your login name and password'
>
> If computer is member of "AA or BB computer" group
> and user name is = "me" or "user"
> process normal login
> _____________________________________
> Reason: Computers are grouped in OUs with unique identifiers as the first
> two characters. AA = Lower School 1st to 4th, BB = Intermediate 5th and
> 6th, XX = Middle 7th and 8th*, YY = High School.
>
> I have ordered MS PowerShell and PowerShell for beginners but would
> appreciate it if someone could help me out with a starter script.
>
> --
> All suggestions are appreciated. Thanking you in advance for your
> assistance.
I've been trying to learn PowerShell. I believe it can check group membership,
but most methods require third party components (cmdlets). I also found a
method that seems to work without cmdlets, especially if group nesting can
be ignored. However, PowerShell has some drawbacks for logon scripts:
1. All clients require the .NET Framework. This comes with Vista, but must
be installed on XP and W2k3.
2. It requires installation of PowerShell on all but W2k8.
3. Many things require third party cmdlets.
OUs are good for grouping objects in logical containers. Group Policies can
be applied to the entire domain and/or to OUs. If you use Group Policy to
configure logon scripts, you can have one logon script for everyone in the
domain, or separate logon scripts for users in each OU.
Permissions are assigned to groups, not OUs. A user or computer can reside
in only one OU, but they can be members of any number of groups. It is
better to use group membership to determine what to do in a script.
If you want to use which OU the object resides in to make decisions, the
most reliable method is to retrieve the Distinguished Name (DN) of the OU. A
less reliable method is to parse the Distinguished Name (DN) of the
user/computer.
You could make all computers in OU "AA" members of a group. You could also
make all computers in OU "BB" members of the same group. Similarly,
computers in OUs "XX" and "YY" could be members of another group.
By "user name" I assume you mean the "pre-Windows 2000 logon name", which is
the value of the sAMAccountName attribute. If the groups are called "AA or
BB" and "XX or YY", a VBScript logon script could be similar to (not
tested):
===========
Option Explicit
Dim objSysInfo, objUser, objComputer, objGroup1, objGroup2
Dim strUserDN, strComputerDN, strNTName
Dim strComputer, objWMIService, colOperatingSystems, objOperatingSystem
' Win32Shutdown flags: 0 = log off (applications may block it),
' 4 = forced log off.
Const FORCED_LOGOFF = 4
' Retrieve DN of user and local computer from the logon session.
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
strComputerDN = objSysInfo.ComputerName
' Bind to user and computer objects.
Set objUser = GetObject("LDAP://" & strUserDN)
Set objComputer = GetObject("LDAP://" & strComputerDN)
' Retrieve name of user (pre-Windows 2000 logon name, sAMAccountName).
' Use the LCase function so the comparison below is case-insensitive.
strNTName = LCase(objUser.sAMAccountName)
' Bind to the two computer groups, using the DNs of the groups.
Set objGroup1 = GetObject("LDAP://cn=AA or BB,ou=School,dc=MyDomain,dc=com")
Set objGroup2 = GetObject("LDAP://cn=XX or YY,ou=School,dc=MyDomain,dc=com")
' IsMember tests direct membership of the computer only; nested groups
' are not resolved.
If (objGroup2.IsMember(objComputer.AdsPath) = True) Then
    ' Computer is a member of "cn=XX or YY".
    If (strNTName = "me") Or (strNTName = "user") Then
        ' Deny access.
        Call MsgBox("Please logon with your own name and password")
        ' Force user to log off immediately. The Shutdown privilege is
        ' requested in the WMI moniker along with the security settings.
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate,authenticationLevel=Pkt,(Shutdown)}!\\" _
            & strComputer & "\root\cimv2")
        Set colOperatingSystems = objWMIService.ExecQuery _
            ("SELECT * FROM Win32_OperatingSystem")
        For Each objOperatingSystem In colOperatingSystems
            objOperatingSystem.Win32Shutdown(FORCED_LOGOFF)
        Next
        Wscript.Quit
    End If
End If
If (objGroup1.IsMember(objComputer.AdsPath) = True) Then
    ' Computer is a member of "cn=AA or BB".
    If (strNTName = "me") Or (strNTName = "user") Then
        ' Process the normal logon; nothing extra to do.
    End If
End If
==========
I don't know if the code to force logoff will work, as it might require
privileges normal users won't have. Otherwise, there are third party tools
that can force logoff, but I generally avoid these in logon scripts.
If you really want to use the parent OU rather than group membership
to make decisions, the code could be similar to:
========
Option Explicit
Dim objSysInfo, strUserDN, strComputerDN
Dim strNTName, objUser, objComputer
Dim objParent, strOU
' Retrieve DN of user and local computer from the logon session.
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
strComputerDN = objSysInfo.ComputerName
' Bind to user and computer objects.
Set objUser = GetObject("LDAP://" & strUserDN)
Set objComputer = GetObject("LDAP://" & strComputerDN)
' Retrieve name of user (pre-Windows 2000 logon name, sAMAccountName).
' Use the LCase function so the comparison below is case-insensitive.
strNTName = LCase(objUser.sAMAccountName)
' Retrieve DN of parent OU of computer.
Set objParent = GetObject(objComputer.Parent)
' DNs are not case-sensitive, so compare both sides in lower case.
strOU = LCase(objParent.distinguishedName)
If (strOU = LCase("ou=AA = Lower School 1st to 4,ou=School,dc=MyDomain,dc=com")) Then
    If (strNTName = "me") Or (strNTName = "user") Then
        ' Do something else.
    End If
End If
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
date: Thu, 10 Jul 2008 12:41:26 -0500
author: Richard Mueller [MVP]
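The same two checks written in PowerShell, as an added example that is not part of Richard's post or of the thread. It uses only ADSI and .NET, the no-cmdlet route Richard mentions, reads the computer's tokenGroups so that nested group membership is seen (IsMember only tests direct membership), and reads each directory object once instead of binding to every group in turn. The group DNs and the account names "me" and "user" are placeholders carried over from the VBScript above; the OU DN in the final check is a further assumption.

```powershell
# Added example, not from the thread. Logon-script check using only ADSI and
# .NET, no third-party cmdlets. Group DNs, the OU DN and the names "me" and
# "user" are placeholders taken from the VBScript above.

# ADSystemInfo returns the DN of this computer (and of the logged-on user)
# from the logon session itself, without an LDAP search. The object has no
# type library, so its properties are read with InvokeMember.
$sysInfo    = New-Object -ComObject ADSystemInfo
$computerDN = $sysInfo.GetType().InvokeMember('ComputerName', 'GetProperty',
                                              $null, $sysInfo, $null)

# Pre-Windows 2000 logon name (sAMAccountName), already in the environment.
$ntName = $env:USERNAME.ToLower()

function Get-ObjectSid([string]$dn) {
    # objectSid of a directory object as an "S-1-5-21-..." string.
    $entry = [ADSI]("LDAP://" + $dn)
    $bytes = $entry.psbase.Properties['objectSid'].Value
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

function Get-TokenGroupSids([string]$dn) {
    # tokenGroups is a constructed attribute holding the SID of every security
    # group the object belongs to, nested groups included. One read of it
    # replaces a separate bind and IsMember() call per group.
    $entry = [ADSI]("LDAP://" + $dn)
    $entry.psbase.RefreshCache(@('tokenGroups'))
    foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
        (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
    }
}

function Get-ParentOuDn([string]$dn) {
    # DN of the container that directly holds the object (OU-based variant).
    $entry  = [ADSI]("LDAP://" + $dn)
    $parent = $entry.psbase.Parent
    [string]$parent.psbase.Properties['distinguishedName'].Value
}

$restricted = @('me', 'user')
$denyGroup  = 'cn=XX or YY,ou=School,dc=MyDomain,dc=com'
$allowGroup = 'cn=AA or BB,ou=School,dc=MyDomain,dc=com'

if ($restricted -contains $ntName) {
    $computerGroups = @(Get-TokenGroupSids $computerDN)

    if ($computerGroups -contains (Get-ObjectSid $denyGroup)) {
        # Shared account on a Middle or High School computer: tell the user,
        # then log the session off. shutdown.exe /l /f acts on the caller's
        # own session, so no extra privilege is needed. The script still runs
        # as the user, who can end it before the logoff happens, so this is a
        # deterrent rather than an access control.
        $shell = New-Object -ComObject WScript.Shell
        [void]$shell.Popup('Please login using your login name and password',
                           0, 'Logon denied', 48)
        & shutdown.exe /l /f
        exit
    }

    if ($computerGroups -contains (Get-ObjectSid $allowGroup)) {
        # Shared account on a Lower or Intermediate School computer:
        # process the normal logon.
    }
}

# Same decision made on the parent OU instead of group membership. The OU DN
# is an assumption; DNs are not case-sensitive, so compare in lower case.
$ou = (Get-ParentOuDn $computerDN).ToLower()
if ($ou -eq 'ou=aa,ou=school,dc=mydomain,dc=com') {
    # Lower School computer.
}
```

Assigned as a Group Policy logon script, this costs two LDAP reads (the computer object with tokenGroups, and one group to resolve its SID) on the deny path, which matters on sites with thin WAN links and no local domain controller. The psbase prefix reaches the underlying DirectoryEntry members, which the ADSI adapter otherwise hides behind the object's LDAP attributes.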
Re: Authenticate Computer and Users to particular User Group
"Richard Mueller [MVP]" wrote in
message news:OjWX7Qr4IHA.2072@TK2MSFTNGP04.phx.gbl...
> Rita wrote:
>
>> I am a newbie to PowerShell scripting and have been tasked to write a
>> login script to accomplish the following for the school I work at. (Boss
>> passed it down to me)
>> I am a network person. OS = Server 2003, soon to be Server 2008; PCs are
>> XP and Vista.
>> Deadline testing date: August 1, 2008. Implementing: August 14th, on 800
>> computers.
>>
>> Objective: Login authentication must be verified using this scenario:
>>
>> If computer is member of "XX computer" or "YY computer" group
>> and user name = "me" or "user"
>> Deny access and send message back to user with login screen
>> Message: 'Please login using your login name and password'
>>
>> If computer is member of "AA or BB computer" group
>> and user name is = "me" or "user"
>> process normal login
>> _____________________________________
>> Reason: Computers are grouped in OUs with unique identifiers as the first
>> two characters. AA = Lower School 1st to 4th, BB = Intermediate 5th and
>> 6th, XX = Middle 7th and 8th*, YY = High School.
>>
>> I have ordered MS PowerShell and PowerShell for beginners but would
>> appreciate it if someone could help me out with a starter script.
>>
>> --
>> All suggestions are appreciated. Thanking you in advance for your
>> assistance.
>
> I've been trying to learn PowerShell. I believe it can check group
> membership, but most methods require third party components (cmdlets). I
> also found a method that seems to work without cmdlets, especially if
> group nesting can be ignored. However, PowerShell has some drawbacks for
> logon scripts:
>
> 1. All clients require the .NET Framework. This comes with Vista, but must
> be installed on XP and W2k3.
> 2. It requires installation of PowerShell on all but W2k8.
> 3. Many things require third party cmdlets.
>
> OUs are good for grouping objects in logical containers. Group Policies
> can be applied to the entire domain and/or to OUs. If you use Group
> Policy to configure logon scripts, you can have one logon script for
> everyone in the domain, or separate logon scripts for users in each OU.
>
> Permissions are assigned to groups, not OUs. A user or computer can
> reside in only one OU, but they can be members of any number of groups. It
> is better to use group membership to determine what to do in a script.
For me a far better use of groups is for permissions.
I developed our logon script in VBScript and picked the best performing
"INGROUP" function of the five or six I developed (thanks, in great part, to
Richard). In our infrastructure (>20000 users >20000 computers >80 sites
nation-wide) there are situations where the logon time is overlong, and I
have tracked the major bottleneck down to the INGROUP function.
No problem for a well-connected LAN, but sites with small WAN pipes and no
local DC (and remote access users coming in over VPN) make the situation
even worse.
Another issue I see with having some logon script code conditional on group
membership is that this can create, and even encourage, more complicated
code that becomes a support problem in itself, plus the possible creation of
groups just for the purpose of deciding what share to map where.
If I were to do a re-write, I'd look for alternatives to testing group
membership. In fact I have a rough draft ready to go that avoids it
altogether.
<snip>
> ==========
> I don't know if the code to force logoff will work, as it might require
> privileges normal users won't have. Otherwise, there are third party tools
> that can force logoff, but I generally avoid these in logon scripts.
Add to that the possibility that users could bypass the enforced
logoff/shutdown by terminating the script.
/Al
date: Thu, 10 Jul 2008 21:13:24 -0600
author: Al Dunbar aam