Ingroup seems not able to map drives - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » Ingroup seems not able to map drives

Page 1 of 1

1

Topic Options

#164713 - 2006-07-20 06:15 PM Ingroup seems not able to map drives
Roberto_Koempel Roberto_Koempel Fresh Scripter Registered: 2005-07-05 Posts: 34 Loc: Germany	Dear Kixprofessionals, Ingroup seems to be an issue although it is no new feature. I read through many postings regarding this function but my burning questions were not answered so I try here. I have the following problem: We once had a nice NT4-domain (DomainA) with codepieces like: Code: If INGROUP("Usergroup") Use H: "\\$logonserver\branch$$" which ran very satisfying. Now we are migrating to AD (DomainB) and on all new machines, which have machineaccounts only in the domain which was invented for migration-purposes, the users cannot map drives if the function Ingroup is used. All mappings using the "use"-Function run and map just fine. Old machines run and map just fine. I already tried to specify the domain from which the group should be taken: Code: If INGROUP("domain\Usergroup") Use H: "\\$logonserver\branch$$" but it does not help. My Questions: 1) On which domain (DomainA or DomainB) does KIX check for groupmembership? 2) Where does Kix find out, in which domain it should check for groupmembership? _________________________ Serenity: You can't stop the Signal!
Top

#164714 - 2006-07-20 06:37 PM Re: Ingroup seems not able to map drives
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	To answer that question we would need to know what version of KixTart 3.x or 4.x you are using. Please review this thread: http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Board=UBB2&Number=62086 If you are using the 4.x KiXtart, then INGROUP processes the group memberships are attached to the user's security token by the AD global catalog server. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#164715 - 2006-07-21 08:07 AM Re: Ingroup seems not able to map drives
Roberto_Koempel Roberto_Koempel Fresh Scripter Registered: 2005-07-05 Posts: 34 Loc: Germany	Dear Howard, we are using Kix Version 4.50! I already reviewed the mentioned thread before I wrote the question about ingroup but either I'm not able to make out what I can do for my scripts or the thread does not reflect my problem (which I would prefer of course). In this regard I have to say that a few weeks ago I stated a question, that If I were to migrate from an NT4-Environment to Active Directory, what do I have to change in my Kix-Scripts. As far as I remember all answers were like: nothing, if the scripts ran OK, before. Now we are migrating and first thing we find is that Ingroup does not seem to work as we were used to. Only things that I might add here are: All old machines which have a machine-account in the old NT4-domain execute Ingroup perfectly. On all new machines which have a machine-account in our migration-domain and NOT in the old NT4-domain Ingroup does not seem to find the right network - connection. Currently I was able to help the users by establishing manual mappings but this is only possible in the test-departments. I think to implement it on all 4000 accounts in question I'd be mapping manually for years to come. And thats not a task my sups will pay my salary for if you catch my drift. Hope this helps. Thanks in advance _________________________ Serenity: You can't stop the Signal!
Top

#164716 - 2006-07-21 08:52 PM Re: Ingroup seems not able to map drives
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Have you verified that you have global Catalog server enabled, that they are working properly and that the clients can access them properly. Are the Global Catalalog services properly registrered in DNS? Ingroup (v4.02) works fine for me with my AD. On an AD client, delete the following registry key: HKEY_CURRENT_USER\Software\KiXtart\TokenCache Run the logon script is the key and its data recreated? If yes, did the sids match the objects in the AD? Are you using Sid history (Yuk!)? Edited by Howard Bullock (2006-07-21 08:53 PM) _________________________ Home page: http://www.kixhelp.com/hb/
Top

#164717 - 2006-07-24 12:31 PM Re: Ingroup seems not able to map drives
Roberto_Koempel Roberto_Koempel Fresh Scripter Registered: 2005-07-05 Posts: 34 Loc: Germany	Dear Howard, thanks for all your good questions. I'll relay them now to the ppls who do the migration-job atm and find out if one of them is the missing link. This is one of my major problems: We are not doing the process nor did we setup any servers; this is obviously done by ppl who have nothing to do with kix sorrily. Again thanks for your kind answer. I'll come back when I have learned more of the situation _________________________ Serenity: You can't stop the Signal!
Top

#164718 - 2006-07-25 11:47 AM Re: Ingroup seems not able to map drives
Roberto_Koempel Roberto_Koempel Fresh Scripter Registered: 2005-07-05 Posts: 34 Loc: Germany	Dear Howard, all of your questions can be answered with yes. As this happens only to new clients (old clients run just fine) the token cache is/should be clean. Afaik we do not use SID-History. Does this help you? _________________________ Serenity: You can't stop the Signal!
Top

#164719 - 2006-07-25 05:32 PM Re: Ingroup seems not able to map drives
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	I suspect that something in your infrastructure is broken, but do not know exactly where to tell you to look other than the areas I mentioned above. You state that only new clients are affected. Are you meaning only newly built computers in the AD domain? Or do older computers that have been migrated/moved to the AD domain also fail? Have you reviewed the Token cache on an old and new computer? Is the new computers token cache populated? Download KiXtart version 3.63 and run a test script that uses INGROUP. Does this version behave differently than your current version? _________________________ Home page: http://www.kixhelp.com/hb/
Top

#164720 - 2006-07-25 06:02 PM Re: Ingroup seems not able to map drives
Roberto_Koempel Roberto_Koempel Fresh Scripter Registered: 2005-07-05 Posts: 34 Loc: Germany	Dear Howard, we had a NT4-domain with a lot of W9x-Clients. As our customer decided to move to AD he also decided to flush out all Win9x-Systems. Therefore we have and had to install over 700 new PC-Systems. All of them new systems have a machine-account in the new domain (the migration-domain) whereas all old systems still have a machine account in the old NT4-Domain. I suspect that ingroup does try to look for groups in the new domain - the one where the machine has a account and not neccessarily the user - and because in the migration-domain there are not the same groups as were in the old NT4-domain ingroup fails to connect to the shares. I hope my analysis is not completely off target. Still I have no clues where to look or what to do to connect the users with their shares. _________________________ Serenity: You can't stop the Signal!
Top

#164721 - 2006-07-25 10:15 PM Re: Ingroup seems not able to map drives
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	As documented in the links I have previously supplied, KiXtart 4.x checks the groups that are attached to the user's security token that is generated during the logon process. You have not yet painted a complete infrastructure picture. I now know that you have an old NT4 domain with some computers. And you have a new W2K domain with new computer as members. You have not described how the user account are managed, migrated, or where they exist. Do the user's of the new computers in the new domain logon using accounts in the OLD NT4 domain or in the W2K domain? From where does your logon execute for the computer in the new domain? _________________________ Home page: http://www.kixhelp.com/hb/
Top

#164722 - 2006-07-25 10:17 PM Re: Ingroup seems not able to map drives
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	If your users are logging on to the new domain. You will need to rewrite your script for the new domain and the current groups that have been defined in the new domain. _________________________ Home page: http://www.kixhelp.com/hb/
Top

#164723 - 2006-08-01 02:03 PM Re: Ingroup seems not able to map drives
Roberto_Koempel Roberto_Koempel Fresh Scripter Registered: 2005-07-05 Posts: 34 Loc: Germany	Dear Howard, sorry for not being able to supply quick answers. I have to translate everything and communicate it to the persons who are involved with the migration-process (read: not me!). If/when they have answers for me I have to translate this back to english. Furthermore I was sick from Thursday last week up until yesterday and had to do a lot of email-stuff. I believe that your last post did send us onto the right track. I'll come back after I learned more. Again, I'm very sorry, that this is such a long story!
Top

#164724 - 2006-08-15 02:42 PM Re: Ingroup seems not able to map drives
Roberto_Koempel Roberto_Koempel Fresh Scripter Registered: 2005-07-05 Posts: 34 Loc: Germany	Dear Howard, though it took a long time to get all infos together I now have the right question (I think): If I have a new domain A where all computers get their machine-account, SID and everything else and the users which log onto these computers are part of domain B - which Domain-Controller does KIX log onto, to get group-memberships? I know that on all old machines, which have machine accounts in domain B, there are no problems whatsoever, but it seems that even though I told KIX to get the memberships from Domain B, it in fact does not do this on the machines which have machine-accounts in Domain A. Your answer only refers to the users and where they are logging onto. I have to stress it once again, that all users are logging on to the old domain. Thanks again for your help... _________________________ Serenity: You can't stop the Signal!
Top

#164725 - 2006-08-15 09:51 PM Re: Ingroup seems not able to map drives
Howard Bullock Howard Bullock KiX Supporter Registered: 2000-09-15 Posts: 5809 Loc: Harrisburg, PA USA	Domain A (NT4)? All User accounts are in Domain A Domain B (Windows 2000)? Computer Account live in Domain B Domain B trusts Domain A (required) A one way trust is all that is required. User on computer in Domain B logs on using DomainA\user1. Is this correct? If the above is how your domain is constructed, then the links above that discuss how the global groups from Domain A are attached to the user's security token at Logon. so... if INGROUP(DomainA\Global1) should work Are your groups in Domain A local or global groups? Let me know if the above description is accurate and if the example does or does not work. Please post the contents of HKEY_CURRENT_USER\Software\KiXtart\TokenCache from a computer in Domain B. _________________________ Home page: http://www.kixhelp.com/hb/
Top

Page 1 of 1

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Who's Online

0 registered and 1376 anonymous users online.

Newest Members

batdk82, StuTheCoder, M_Moore, BeeEm, min_seow
17885 Registered Users

Generated in 0.103 seconds in which 0.064 seconds were spent on a total of 12 queries. Zlib compression enabled.

click tracking