Custom User Groups assigned to Variables
Hi, I've got a basic question but I haven't been able to find any answers so far. I have a little experience with server administration, but my aim here is to get information to pass on to our IT dept. Forgive me if my terminology is not quite correct, though you should be able to understand what I am trying to achieve.

I'm a CAD Manager and we are about to move our users into custom security groups based on their professional discipline so that they can only access files and folders in a project relevant to their group, e.g. Architects will be made members of a group called Architects, Structural Engineers will be made members of a group called Structural Engineers, etc.

What I want to know is: is there a way that I can have these groups assigned to an environment variable (if that's what it should be called)? The reason I ask is that when one of my users starts our CAD package from a shortcut, it has a command switch which specifies a configuration file to use when the program is started. Within this configuration file I want to be able to check which security group the user is a member of. This will be achieved by a series of simple IF statements, and the result will then decide which additional series of configuration files to process thereafter.

Currently the only way the end result is achieved is to have a different shortcut on each user's desktop, which is time consuming to set up and maintain should changes be required.

Thanks for your help
October 21st, 2010 6:28am

bump...
October 22nd, 2010 1:35am

anyone?
October 22nd, 2010 7:41am

If you retrieve the value of an environment variable and attempt to assign the user to a group based on that, there are several problems. First, this seems like it would be done by the user, with their credentials, so the user needs permission to modify the group. Second, even if the user adds themselves to the proper group (perhaps in a logon script), the user will not get the permissions until they log off and log on again. How is the environment variable assigned a value?

Best would be to run a script (perhaps periodically) that scans all users in AD and, based on the value of an attribute of the user object, makes sure they are members of the correct group. Hopefully the group membership would not need to change often, or at all. Is there an attribute of the user object that can be used for this? Could the OU the user resides in be used?

Richard Mueller, MVP ADSI
October 22nd, 2010 12:39pm

Hi Richard, thanks for taking the time to reply. Firstly, the users themselves wouldn't be doing anything; our IT dept will add the users to the new groups (a unique OU for each discipline seems to make sense). Following that, as you have suggested, setting the variables will most likely be via a logon script. Alternatively, whenever a new person joins the dept I need to run a batch file which copies a number of seed files and renames them to that person's login name; perhaps at that time I could also run a script that sets the environment variable? Either way this should be a run-once scenario. Once the variable is set my CAD package can access it and allow me to set the discipline-specific settings.

Where I am stuck is: how do you write a script that will scan to check what OU the user resides in (does it help if we state what OU values there are for the script to enumerate through?), then create and assign the value to the environment variable?
October 25th, 2010 8:32am

If I understand, the script will run as a logon script, so we are talking about the current user. The code could be similar to below:

    ' Bind to current user object.
    Set objSysInfo = CreateObject("ADSystemInfo")
    strUserDN = objSysInfo.UserName
    Set objUser = GetObject("LDAP://" & strUserDN)

    ' Find ADsPath of parent OU/container.
    strParent = objUser.Parent

    ' Bind to the parent object.
    Set objOU = GetObject(strParent)

    ' Retrieve Distinguished Name (DN) and Relative Distinguished Name (RDN).
    ' DN uniquely identifies the OU/container.
    ' RDN will be similar to "ou=sales" or "cn=users", and may
    ' not uniquely identify the OU/container.
    strDN = objOU.distinguishedName
    strRDN = objOU.Name

    ' Do something based on DN of parent OU/Container.
    ' Make comparisons all lower case.
    Select Case LCase(strDN)
        Case "ou=sales,ou=west,dc=mydomain,dc=com"
            ' Do something.
        Case "ou=sales,ou=east,dc=mydomain,dc=com"
            ' Do something.
    End Select

    ' Or, do something based on RDN of parent OU/Container.
    ' Make comparisons all lower case.
    Select Case LCase(strRDN)
        Case "ou=sales"
            ' Do something.
        Case "cn=users"
            ' Do something.
    End Select

Does this help?

Richard Mueller, MVP ADSI
October 25th, 2010 12:10pm

Bueller? :-)

One simple option that comes to mind is using a single drive letter for all your department-level shares. Meaning, department A has the O: drive mapped to \\server\deptA$. Department B has it mapped to \\server\deptB$. And so on and so on. This can be accomplished easily: if you're on W2008 you can use group policy preferences and target via security group, or you could go all old-school and use ifmember from the Windows Resource Kit. Then, your CAD configuration files can always be found in O:\Configs (or whatever you like), regardless of the department.

Lanwench
** Do not fold, spindle or mutilate. Fill in the box completely and erase any stray marks. Use only a #2 pencil.
October 26th, 2010 2:35pm
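The ifmember-style variant of the single-drive-letter idea, written as an added example (not code from the thread or from any of the posters). It assumes a hypothetical domain EXAMPLE, discipline groups named Architects and Structural Engineers, and shares on a server called fileserver; all of those are placeholders. It reads group membership from the logon token rather than from AD, because the token is what the file server checks, so a group added after logon does not count until the user logs off and on again, which is the caveat raised earlier in the thread.

```powershell
# Added example: ifmember-style logon script that maps one drive letter (O:) to a
# discipline share chosen by the user's security-group membership.
# Domain, group names and share paths are hypothetical.

# Ordered list: if someone is in more than one discipline group, the first match wins.
$DisciplineShares = @(
    @{ Group = 'EXAMPLE\Architects';           Share = '\\fileserver\Architects$' },
    @{ Group = 'EXAMPLE\Structural Engineers'; Share = '\\fileserver\Structural$' }
)

# Group names from the logon token. This is what the file server will honour, so it
# is the right thing to test: a group added in AD after logon is not in the token
# until the user logs off and on again.
function Get-TokenGroupNames {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { }   # unresolvable SIDs (deleted groups, logon SIDs) are skipped
    }
}

# Pick the share for the first discipline group the token contains, or $null.
function Select-DisciplineShare([string[]]$GroupNames) {
    foreach ($entry in $DisciplineShares) {
        if ($GroupNames -contains $entry.Group) { return $entry.Share }
    }
    return $null
}

$share = Select-DisciplineShare (Get-TokenGroupNames)
if ($share) {
    & net use O: /delete /y 2>$null | Out-Null      # drop any stale mapping first
    & net use O: $share /persistent:no | Out-Null
    Write-Host "O: mapped to $share"
} else {
    Write-Warning "$env:USERNAME is in no discipline group; O: not mapped"
}
```

With group policy preferences on Windows Server 2008 the same result needs no script: one Drive Map item per discipline, all using O:, each item-level targeted on its security group. Either way the shortcut can point at a fixed O:\Configs path, and the share and NTFS permissions, not the mapping, decide what the user can actually read.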

You could limit access to the configuration file itself so that the native NTFS ACEs and ACLs take precedence on what they have access to. You could centralize the location of your configuration file on a folder share, OR implement a shared desktop folder via folder redirection: a different desktop directory for each security group in question, so that the users in that security group all see the same icons. This way, you only need to do your work one time, not X times for the number of employees and desktops, plus REPEAT work if you have to replace someone.

You should also discuss your concerns with your IT department about setting up an image that all desktops in the engineering department will use that is customized to meet your needs, with ACLs preconfigured into that image so that they can access role-based configuration files. This is called role-based permissions, when you delegate tasks based on their security groups. Please let me know if you need some more information to complete the suggested ideas.

Steve Kline
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Product Specialist
Microsoft Certified Network Product Specialist
This posting is "as is" without warranties and confers no rights.
October 26th, 2010 2:47pm
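The ACL side of the advice above, as an added example that is not from the thread: a server-side provisioning script that creates one configuration folder per discipline and restricts it with NTFS permissions. The root path D:\CadConfig, the domain EXAMPLE, the group names and the CAD Managers group are all assumed for the example. It uses icacls, which ships with Windows Server 2008 and Vista and later.

```powershell
# Added example: create one configuration folder per discipline on the file server and
# lock each one down with NTFS ACLs so that only that discipline's group can read it.
# Run as an administrator on the file server. Paths, domain and group names are hypothetical.

$ConfigRoot = 'D:\CadConfig'                   # to be shared later, e.g. as \\fileserver\cadconfig$
$DisciplineGroups = @{
    'Architects'          = 'EXAMPLE\Architects'
    'StructuralEngineers' = 'EXAMPLE\Structural Engineers'
}
$CadManagers = 'EXAMPLE\CAD Managers'          # the people who maintain the config files

foreach ($discipline in $DisciplineGroups.Keys) {
    $folder = Join-Path $ConfigRoot $discipline
    New-Item -ItemType Directory -Path $folder -Force | Out-Null

    # Stop inheriting from the root, so a permissive parent ACL cannot leak access.
    & icacls $folder /inheritance:r | Out-Null

    # Explicit ACEs only: admins full control, CAD managers modify, the discipline group
    # read/execute. (OI)(CI) makes each ACE apply to files and subfolders created later.
    $aces = @(
        'BUILTIN\Administrators:(OI)(CI)F',
        "${CadManagers}:(OI)(CI)M",
        "$($DisciplineGroups[$discipline]):(OI)(CI)RX"
    )
    & icacls $folder /grant:r $aces | Out-Null

    # Print the resulting ACL so the change can be checked by eye.
    & icacls $folder
}
```

Keep the share permission itself simple (for instance Authenticated Users with Change) and let NTFS do the enforcement. Once this is in place, a user whose shortcut or environment variable points at the wrong discipline still cannot read another discipline's configuration, because the ACL, not the variable, is the control.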

Hi Guys, thanks for the responses. They appear like they'd require input from our IT dept, but getting assistance from them requires a lot of jumping through hoops (long story etc.). I've now taken a slightly different approach with this, as I'm now doing a bit of user administration myself without requiring assistance from our IT company.

What I'm now doing is maintaining an Excel spreadsheet with columns A & B being Usernames & Groups. I have had some help with a VBS script on another forum which expands the value of %username% and then uses that as a search string to parse the Excel file to look for a match. What the script should do is find the cell in column A that matches the user's logon name, select the cell to the right in column B and assign that value to the variable DRS_Group.

It works (well, sort of...) but there are a few issues:

The script does create a new user environment variable, but it's not setting the correct variable value; it sets the value of %username% instead of the cell to the right in the same row.

Additionally, the script does an extra step where it pastes the value of %username% into a new spreadsheet. I don't see any reason for this and would like this step omitted. Even if it were pasting the correct value from the groups column, I just want it to use the value as the value for DRS_Group without opening Excel, as it's already getting the value from an Excel file.

The start of the script appears to create an array in case different file types were to store the user and group names. This was because I wasn't sure which file type was best, but now that I have decided upon xls I think the script can be tweaked to lose the array, but I'm not sure how.

Can anyone help me finish this? I'd appreciate any help you can offer.
November 1st, 2010 5:37am
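The two lookups discussed in this thread, Richard Mueller's OU-based one and the username/group spreadsheet, combined into one logon script that actually sets DRS_Group. This is an added example, not the script from the other forum or any poster's code. It assumes a domain-joined PC, a hypothetical domain example.com with OUs named after the disciplines, and the spreadsheet exported to CSV with the headers Username and Group; the inline table is constructed for the example. One caveat worth stating plainly: a user environment variable is not a security control. The user can change it, so the NTFS permissions on the discipline folders are what restrict access; DRS_Group only selects which configuration files the CAD package processes.

```powershell
# Added example: logon script that sets the DRS_Group user environment variable from
# the user's OU, falling back to a CSV export of the username/group spreadsheet.
# Domain, OU names and file paths below are hypothetical.

# OU distinguished names (lower case) mapped to discipline names. Assumed for this example.
$DisciplineByOu = @{
    'ou=architects,ou=users,dc=example,dc=com'           = 'Architects'
    'ou=structural engineers,ou=users,dc=example,dc=com' = 'StructuralEngineers'
}

# Distinguished name of the logged-on user, via the same ADSystemInfo object the VBScript
# in the thread uses. The COM object has no type library, so InvokeMember is needed.
function Get-CurrentUserDn {
    $sysInfo = New-Object -ComObject ADSystemInfo
    $sysInfo.GetType().InvokeMember('UserName', 'GetProperty', $null, $sysInfo, $null)
}

# Discipline from the DN of the OU that contains the user object.
function Get-DisciplineFromOu([string]$UserDn) {
    $user = [ADSI]"LDAP://$UserDn"
    $ou   = [ADSI]$user.Parent                       # ADsPath of the parent OU/container
    $ouDn = ([string]$ou.distinguishedName).ToLower()
    if ($DisciplineByOu.ContainsKey($ouDn)) { $DisciplineByOu[$ouDn] } else { $null }
}

# Discipline from a Username,Group table (the spreadsheet exported as CSV).
# $Rows is whatever Import-Csv/ConvertFrom-Csv returns; -eq on strings is case-insensitive.
function Get-DisciplineFromTable($Rows, [string]$UserName) {
    $row = $Rows | Where-Object { $_.Username -eq $UserName } | Select-Object -First 1
    if ($row) { $row.Group } else { $null }
}

# Constructed sample table. In production: $rows = Import-Csv '\\fileserver\cadconfig$\groups.csv'
$rows = @'
Username,Group
jsmith,Architects
bjones,StructuralEngineers
'@ | ConvertFrom-Csv

$discipline = $null
try   { $discipline = Get-DisciplineFromOu (Get-CurrentUserDn) }   # needs a domain-joined PC
catch { Write-Warning "OU lookup failed: $_" }
if (-not $discipline) { $discipline = Get-DisciplineFromTable $rows $env:USERNAME }

if ($discipline) {
    # User scope: persisted under HKCU\Environment, so later sessions get it without
    # re-running this script, and processes started afterwards see the new value.
    [Environment]::SetEnvironmentVariable('DRS_Group', $discipline, 'User')
    Write-Host "DRS_Group set to $discipline"
} else {
    Write-Warning "No discipline found for $env:USERNAME; DRS_Group left unchanged"
}
```

The IF statements in the CAD configuration file then test DRS_Group (the exact syntax depends on the CAD package and is not shown in the thread). Because the value is written at user scope, a user moved to another OU or row picks up the new discipline at the next logon; if a shortcut started in the same session still shows the old value, logging off and on again refreshes it.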

bump
November 1st, 2010 11:36am

Hello I3looM,

As this issue is related to scripting, I would like to suggest that you initiate a new thread in our Scripting forum for a better and more accurate answer to the question. The community members and support professionals there are more familiar with scripting and can help you in a more efficient way. For your convenience, I have listed the forum link below:

Scripting Forum
http://social.technet.microsoft.com/Forums/en-us/ITCG/threads

Brent

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
November 1st, 2010 9:42pm

This topic is archived. No further replies will be accepted.
