We've partnered with TechNet to bring you answers to technical questions from deep within Microsoft--direct from "Mole."

Answers from Deep Inside

We've partnered with TechNet to bring you answers to technical questions from deep within Microsoft--direct from "Mole."

The Mole

Did Mole just hear you mutter, “Who is this Mole, anyway?” In case you haven’t heard, Mole is the Phantom of the Burrow, the furry friend of network administrators everywhere, the creature who lives in subterranean Redmond beneath the Microsoft campus, and lives to dig up ingenious answers to questions about the intricacies of Microsoft products, particularly as they behave in conjunction with other Microsoft products. Mole is, in short, the IT Pro’s IT Pro. Note that he doesn’t claim near-omniscience because of his own high intelligence, so much as because he’s a kind of genius at knowing whom to ask. Mole is fond of Mountain Dew (free to Microsoft employees), Raisinettes (from the vending machine on the second floor), and Mother Mole’s worm and onion pie. Go ahead, ask him anything.

Mole’s Logon Scripts, Version 14.5

Mole,
Where can I find complete information on Windows NT Logon script commands? What I see in all the manuals and books I can find is very limited. I need a method to map drives based on group membership or to be able to test for other conditions. This was very easy to do in Novell login scripts. Thanks for your help.
—Michael D. Herman
Corporate Support Specialist

Michael,
Mole is an interop mammal all the way. And for the benefit of you IT guys and gals who learned your chops in a Novell world, there’s an article on TechNet that should make you feel right at home in Windows NT. It’s called “Logon Scripting—A Powerful, Underutilized Tool,” and it gives you a list of variables to use in your Logon scripts, plus directions on where to put the scripts, how to set up User Environment Profiles, and how to use Logon scripts to troubleshoot problems with Windows drive mapping. [See Additional Information for complete addresses of resources mentioned.—Ed.]

Of course, Mole feels compelled to point out that in Windows NT, a Logon script isn’t really a script at all. It’s a hook in the User Environment Profile and wears the nametag .bat or .exe. The User Environment Variables you specify (you can view and modify these via the Control Panel) take precedence over the system environment variables. Read about this feature in the Knowledge Base article, “NT Environment Variables.” And rejoice. Here’s something that has the same name and happens in the same place in both NT 4.0 and Windows 2000.

And, Michael, Logon scripts are just one approach to mapping drives based on group membership.

The IFMember utility supplied in the Windows NT 4.0 Workstation Resource Kit, used in logon scripts and other batch files, IFMember accepts a list of groups as parameters on the command line, checks to see to how many of these groups the current user belongs to, then exits with the number of matches as its exit value. This can be used by the IF ERRORLEVEL command in the logon script.

Keep in mind that IFMember uses its own process token to discover group membership, rather than querying the relevant Domain Controller each time it runs, a definite thumbs-up performance-wise. The downside is that it will only be aware of groups on the local computer, the computer’s domain, and trusted domains.

Finally, here’s a syntax statement:

ifmember [groupname1] [groupname2] ... [groupnameN]

You can learn more about the Windows NT 4.0 Workstation Resource Kit on TechNet. Once you have that CD in your paws and installed on your machine, you can download a new version of the IFMember utility that addresses users belonging to more than 15 groups from the Microsoft FTP Server.

KiXtart is another solution. (Mole would like to take a moment to assure you that while he frequently recommends the KiXtart utility to IT pros, he has never accepted so much as a single can of Mountain Dew from its manufacturer. No IT payola here.) There’s a KiXtart command called INGROUP that should make you very, very happy. (You can plug whatever command you want into the IF statement—for example, “net use m: \\myserver\sharename”.)

Here’s the skinny on the INGROUP:

ACTION: Checks whether the current user is a member of a group.

SYNTAX: INGROUP (“group name”)

PARAMETER: Group name
Identifies the group in which to check the user’s membership.

REMARKS: INGROUP can be used to check for group membership of groups that exist on the domain or server where the user is logged on, or to check for group membership of groups on a specific domain or server.

When checking for a local group, INGROUP identifies that the user is indirectly a member of the group by virtue of being a member of a global group that, in turn, is a member of the local group.

If you want to check for membership in a group on a specific domain or server, use the following format:

"OtherDomain\group"

or: 

"\\SomeServer\group"

For example:

IF INGROUP("Domain Users")
          DISPLAY "z:\users.txt"
ENDIF
IF INGROUP("Developers") = 2
          ? "Member of local group Developers"
ENDIF
IF INGROUP("\\" + @WKSTA + "\Developers") = 2
          ? "Member of local group Developers 
             on local system"
ENDIF

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.