Does your company use network mapped drives? Do you have so many that things are getting out of hand, or do you want to map your drives with more precision? I used to work for a company that used almost every letter in the alphabet. They had mapped drives E – Z and wanted more; things were truly out of hand. One of the other problems was the distributed environment: they sometimes wanted drives from other sites and locations over a WAN connection.
Security was a problem too; everyone could read, write and delete on network shares, and everyone mapped every drive possible. A former Network Administrator set it up that way and I was left holding the bag (but that’s OK because I like a challenge!). It’s something I didn’t change because a massive change like that needed planning. People find data on the network and get used to its location; had I made a sudden change, it would have pulled the rug out from under productivity for sure. It wasn’t a priority at the time as I had bigger fish to fry and management had other plans for the data (SharePoint). The company later closed their doors (it was an Automotive company) but the memory still haunts me of all those networked drives!
There are two ways you can accomplish drive mapping with some precision. One way is by using Group Policy: create your group, add your users to that group, create your logon policy, and filter the policy by the group you created, so that all members of that group execute the script via the logon policy. Anyone not in that group won’t execute the script. This is my personally preferred method, BUT there’s another way for people who already have users using a login script. I’ve used both methods in the past and both work equally well. Most companies still use a logon script located in the “\\yourdomain\netlogon” folder. It’s usually a batch file, and if it is, you’re in luck! You can get to it by clicking “Start > Run”, typing in “\\yourdomain\netlogon” and clicking OK.
What you can do is this…
1 – Download “IFMEMBER.EXE” from M$ and extract the file (Install it)
2 – Create security groups for your respective shares, add permissions to those shares if they don’t already exist
3 – Copy the “IFMEMBER.EXE” from “C:\Program Files\Resource Kit” to your network “\\yourdomain\netlogon”
4 – Add similar lines of code to your batch file logon script…
__________________________________________________
:: This is a comment – Beginning IFMEMBER process
REM This is another comment – which looks cleaner REM or ::?
REM ifmember returns the number of listed groups the user belongs to
ifmember "yourdomain\yoursecuritygroup1"
REM Return code 0 = not a member, so skip the mapping
if not errorlevel 1 goto 1
net use "\\yourserver\yourfolder1"
:1
ifmember "yourdomain\yoursecuritygroup2"
if not errorlevel 1 goto 2
net use "\\yourserver\yourfolder2"
:2
:end
__________________________________________________
* I had a mistake in my code, bolded above – needs to always be “errorlevel 1 goto #“, notice it’s always “errorlevel 1”
What this does is query whether the user running the logon batch file is a member of the listed group. IFMEMBER’s return code is the number of listed groups the user belongs to, so if they’re NOT a member the return code is 0, the “if not errorlevel 1” test is true, and the script skips the next command (“net use”) and jumps to the label you specify (:1, then :2, and so on). This could clean up many network mapping scenarios for network administrators who aren’t too familiar with this utility.
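The same membership check written as one reusable subroutine, so each share is a single line; this is an added example, not the original script. The group, server and share names are the post's placeholders, while the drive letters G: and H:, the :MapIfMember label and the choice to clear the letter at every logon are assumptions.

```batch
@echo off
setlocal
:: Added example - all names below are placeholders, not real hosts or groups.
:: Run ifmember.exe from the folder this script lives in (e.g. netlogon).
set "IFM=%~dp0ifmember.exe"
if not exist "%IFM%" (
    echo ifmember.exe not found next to %~nx0 - no drives mapped
    exit /b 1
)

:: One line per share: group, drive letter (assumed), UNC path
call :MapIfMember "yourdomain\yoursecuritygroup1" G: "\\yourserver\yourfolder1"
call :MapIfMember "yourdomain\yoursecuritygroup2" H: "\\yourserver\yourfolder2"
exit /b 0

:MapIfMember
:: %1 = group name, %2 = drive letter, %3 = UNC path
:: Drop whatever network mapping is on this letter first, so a user who has
:: been removed from the group does not keep a stale mapping.
net use %2 /delete /y >nul 2>&1
:: ifmember returns the number of listed groups the user is in (0 = none)
"%IFM%" %1
if not errorlevel 1 goto :eof
:: /persistent:no keeps the mapping from being remembered across logons
net use %2 %3 /persistent:no >nul 2>&1
if errorlevel 1 echo Could not map %2 to %~3
goto :eof
```

The mapping only controls which drives a user sees; access to the data is still decided by the permissions granted to the security groups in step 2.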
Tip: For IFMEMBER options just type in IFMEMBER from a command prompt.
__________________________________________________
usage: ifmember [/verbose] [/list] groupname …
/verbose will print out all matches.
/list will print out all groups user is a member of.
Return Code shows number of groups this user is a member of.
Example: ifmember /v /l “MyDomain\Domain Users” Users Everyone
__________________________________________________
Lastly, another way to use the tool is to just run it against a group to see who are members of a group.
Try this one: “ifmember /list administrators”
You might turn up some surprises!
Verified, works with Windows 7 (x86/x64) and Windows 8 (x86/x64) clients against Windows 2003, 2008 and 2008 R2 DCs. Have not tested against 2012 DCs but so far, most every Win32 utility does so I’d be surprised if this doesn’t.
ifmember works on my Windows 7 machines.
Hi
My script says “the user is not in any group”. How can this be possible when I clearly see that the user is a member of a group?
thanks
Update – I emailed HONDA and IFMEMBER does in fact work. I’m not sure what versions of Windows they tried but I tested it on Windows Server 2008 (32 bit) and Windows 7 (64 bit). If you’re running into trouble, run your script manually once you log on (\\server\networkshare\ifmember.bat), and edit your script to “pause” with the “pause” command for troubleshooting.
Example:
ifmember "yourdomain\yoursecuritygroup1"
pause
if not errorlevel 1 goto 1
pause
net use "\\yourserver\yourfolder1"
pause
:1
ifmember "yourdomain\yoursecuritygroup2"
pause
if not errorlevel 1 goto 2
pause
net use "\\yourserver\yourfolder2"
pause
:2
pause
:end
This will help you to debug any errors that are output to your command window in case there’s a problem with your syntax.
You’d certainly want to then use a user Group Policy – place your batch file in the user logon portion of your Group Policy, make a group “g drive” perhaps or whatever you want to call it, slap your users in that group and do a security filter on that Group Policy. You delete “Authenticated Users” and add your “g drive” group so only members of that group get that policy applied thus running your logon script for the group. I haven’t written anything on that process but you can find a pretty good article here: http://www.windowsnetworking.com/articles_tutorials/Group-Policy-Security-Filtering.html. Let us know if you get it working! I’d be happy to personally help if you have more questions on setting it up! :-)
Rafael
IFMEMBER does not function on Windows 7 clients…