script on terminal server - KiXtart.org - official site

You are not logged in. [Log In] KiXtart.org website » Forums » KiXtart » Basic Scripting » script on terminal server

Page 1 of 1

1

Topic Options

#189309 - 2008-08-27 09:53 PM script on terminal server
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Hi, I am looking to implement a script on our terminal server so when users log into that server, the users get the shares & printers according the their security group from our domain controllers Since I only want the script to run only on that server (TS1). Where do I put the kix32.exe files? I like to implement something like the following: IF InGroup("GroupName1") USE Z: /Delete /Persistent USE Z: "\\DC01\ShareName" AddPrinterConnection("\\cps1\hp4000") <> 0 ENDIF IF InGroup("GroupName2") USE x: /Delete /Persistent USE X: "\\DC01\ShareName" AddPrinterConnection("\\cps1\hp4100") <> 0 ENDIF Some users will belong to more than one group. TIA, tnt
Top

#189310 - 2008-08-27 10:56 PM Re: script on terminal server [Re: Tony]
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	You can put the files on the Sysvol/Netlogon share on your domain controller(s). If you do something like shown below it will only run on server TS1. Your drive mapping on group membership looks ok. You should leave out the <> 0 on the AddPrinterConnection lines or make an If statement out of it when the function returns something else then 0. Code: If @WKSTA = "TS1" ;Do your TS stuff here. Else ;Do stuff for other machines here. EndIf _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

#189312 - 2008-08-27 11:51 PM Re: script on terminal server [Re: Mart]
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Like always, thanks. I will report back. Tnt
Top

#189329 - 2008-08-28 05:41 PM Re: script on terminal server [Re: Tony]
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Mart, I tested last night by puting the script on the logon (GPO) of a particular OU and it works. A concern for something like this would slow down our network or it doesn't matter? Our current layout we have a script on the All Users startup of that server and the script looks like this: IF /I %USERNAME% EQU Johnd goto TCtest :TCtest con2prt /f con2prt /cd \\ps1\hp4000 net use Z: \\server\share$ /persistent:NO GOTO FINAL Its the stone age way LOL and our script is a mess!!! Time for a change. Thanks, Tnt Edited by Tony (2008-08-28 05:46 PM)
Top

#189340 - 2008-08-29 08:54 AM Re: script on terminal server [Re: Tony]
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	Originally Posted By: Tony .... A concern for something like this would slow down our network or it doesn't matter? .... Everything you do before or at logon will slow things down but this is just minor and does not even remotely come close to the time you and your users will save doing all kind of things manually or users calling the support people. Running the logon script in not synchronized mode will save some time but could lead to users starting stuff that depends on something done by the logon script and the script might not be done. That’s why I always run the script synchronised. [edit] Added some stuff. [/edit] Edited by Mart (2008-08-29 08:58 AM) _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

#189341 - 2008-08-29 01:26 PM Re: script on terminal server [Re: Mart]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	Just for reference.. The login script published on my site is fairly large and complex, and is in use at some fairly large enterprise environments. In the environment I currently support, it's used to make 21 drive mapping decisions (one of which has 340 possible permutations), displays a brief message with a 2-second delay, and runs 3 scripts to set the background (BGInfo), update an intranet icon, and gather some user/application data. On a virtual system in the HQ building (where the DCs are) the script runs in under 1.5 seconds - so fast that we had to add a delay process so the information would remain on the screen for 6 seconds. On a physical network workstation, the same script runs in about 7 seconds. On an older PC, in a branch office connected by a 256Kbps Frame Relay link, running the script (and loading Kix32) from the DC in the HQ building, it takes about 11-12 seconds to run. As Mart says - the time it takes to run these processes is small compared to having to do it manually, or not have access to the resources and information we gather. Also (in my opinion) Running Scripts Synchronously is the only way to properly process a login. Yes, it will be 5-10 seconds before the user sees their desktop, but you prevent the user from launching things that could conflict with your login process, or access resources that are not yet available. I also prefer to run the script visible when it runs synchronously. Most people ignore the messages, but - if something fails, at least you'll have an idea why the desktop hasn't appeared. Most users - when asked - say that they don't pay much attention to the info, but have a feeling of reassurance when they see "that black box pop up" during their login. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#189562 - 2008-09-10 01:34 AM Re: script on terminal server [Re: Glenn Barnas]
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Sorry to bring the thread from the dead. Can you explain Synchronously vs non synchronously ? Also, for the script I have tested, but like a confirmation. If a person belongs to two security groups and with each group having the same printer assigned, he/she will be getting that one instance of the printer. After that, the script will go on the next printer instance that is assigned based on the script? TIA, Tnt ----------------------------------------------------- IF InGroup("GroupName1") USE Z: /Delete /Persistent USE Z: "\\DC01\ShareName" AddPrinterConnection("\\cps1\hp4000") <> 0 ENDIF IF InGroup("GroupName2") USE x: /Delete /Persistent USE X: "\\DC01\ShareName" AddPrinterConnection("\\cps1\hp4100") <> 0 AddPrinterConnection("\\cps1\hp5000") <> 0 ENDIF Edited by Tony (2008-09-10 01:36 AM)
Top

#189563 - 2008-09-10 02:03 AM Re: script on terminal server [Re: Tony]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	Sure.. When a login script is configured to run synchronously, it will prevent the user's desktop from appearing until the script completes. This has the appearance of "taking longer to log in", but assures that all network resources are available before the user can begin working. In an asynchronous environment, the login script runs at the same time that the desktop appears. If the login script takes a long time to run (common in slow WAN links, scripts with lots of GUI output, or simply those with ineffecient logic), the user can actually launch an application before network resources are available. If you perform any type of client machine or environment customization, this could also be aborted or affected by the user launching applications before the environment is properly prepared. My login script makes 21 resource decisions and complete processing of 15 active resources (disk, printer, message, and script) including 3 external commands in about 6-7 seconds on the LAN, and 12-15 seconds on a 256K frame-relay connection. If I had 50 "resource decisions", it would mean that there are 50 resources available to be mapped. Each needs to be evaluated, but only some that meet user, group, site, or OU criteria are actually mapped. There are lots of permutations, resulting in a lot of processing in a small amount of time. It gives the perception of a fast login, even in synchronous mode. In your example, you are not only mixing resources, but resource types. If a user is a member of both groups, your logic will process both. This might map/unmap/remap unless you are careful. I treat each resource separately. eg - I have a printer "X", it's at this UNC location, and the people in these groups or OUs should connect to it. I assume that everyone can use the resource, then try to find ways to block it.. Are you in the group? If not, I'm done - NEXT! If you are, ok, lets check other qualifiers. Are you in the OU? If not, I'm done - NEXT! If you are, then exit, since there are no more qualification tests. I do that for each resource. I might start out with 50 resources, but after deciding that a user doesn't deserve to access certain ones, I end up with a list of 10-15 resources that I can just process - quickly. Most of the decision process happens behind the scenes. A message pops up and we process the resource qualifiers. By the time the user has read the first of 3 lines of greeting, we're mapping the resources. Glenn _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#189589 - 2008-09-10 07:04 PM Re: script on terminal server [Re: Glenn Barnas]
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Glenn, Thanks for your response. I have gained knowledge about synchronously/asynchronous. We are rethinking about assigning different mapped drives for different groups. We are looking to just assign everbody a "Z" drive and within the "Z" drive it has shortcut (or unc) to all the different shares of all the departments. Users will see all the shares but only be able to access shares that they have permission to. Lets get back to your explanation of the printer "X". Here is my interpretation with sudeo below. Is this what you meant? Printer1 if in group1, get printer, next if in group2, get printer, next printer2 if in group1, get printer, next if in group2, get printer, next TIA, tnt
Top

#189591 - 2008-09-10 08:40 PM Re: script on terminal server [Re: Tony]
Glenn Barnas Glenn Barnas KiX Supporter Registered: 2003-01-28 Posts: 4401 Loc: New Jersey	Your concept of the common Z: drive opens a number of concerns: - if you aren't careful applying NTFS security, you can expose data to unauthorized users - You can run out of space due to the needs of one dept, but affect all depts are two that immediately come to mind. Here's what we do at a large environment... There are 3 file servers. Each has an M: drive of 2G (the smallest we can allocate with the SAN, but smaller is better). This drive has no data, but holds several mounted volumes. The volumes can be local disk or SAN, and each holds a specific type of data. For example, we might create mount points for Finance, Marketing, and User Departments 1-99 on one server. So - Each of these mounted volumes holds a similar type of data. This way, if NTFS permissions are poorly set, it's less likely to be an issue than if Finance and Users shared a common root. There might be 4 shares in the Finance folder, a dozen in Marketing, and up to 99 in the UserDept1-99 folder. Most of these shares can be defined and secured quickly with Kix and the Net command. Each share is related to an AD OU, in this environment, which makes things easy. Using my login script, I can use an OU Path Rewrite function, that determines the user's OU, and then uses that to lookup the UNC path to their share. So, when Maria from Dept 47 logs in, the resource for the Z: drive says Code: Target=Z Path=&OU:DeptShare& This tells the logic that we want to map something to Z, and we should look at the "DeptShare" section for an entry that says Dept 47=\\fileserver2\Dept47 That connects that resource to the z: drive for that user. With this, I know that every user will have a Z: drive, it will be unique for each department, and they can't access any other departmental share. Further, Finance, Marketing, and User departments are physically isolated on the servers. This method takes more planning, but the rewards are better security, ability to expand the storage, distribute the storage across multiple servers, and easy customization of a shared drive map. As for your new printer logic, you're on-track. Keeping each resource separate is better. I'd reverse the logic, though.. Code: ; repeat this logic for each printer resource... $Resource = '\\server\printer' $Map=1 ; allow mapping of this resource If Not Ingroup(groupX) $Map = 0 EndIf If Not Ingroup(groupY) $Map = 0 EndIf If $Map AddPrinterConnection($Resource) EndIf Thus, you assume that you DO want to map the resouce, and find ways not to - not in group, not in OU, not at correct AD site, etc.. This way, you only have one resource to define, and one line to map it on. I'm STILL NOT a fan of placing data in the script, but it will get you started. Of course, you could just download the login script... $;\)$ Glenn PS - maybe next time you could ask a complex question that has a simple answer? $;\)$ $\:D$ _________________________ Actually I am a Rocket Scientist! $\:D$
Top

#189605 - 2008-09-11 09:22 AM Re: script on terminal server [Re: Tony]
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	Quote: .... We are looking to just assign everbody a "Z" drive and within the "Z" drive it has shortcut (or unc) to all the different shares of all the departments. .... We have a DFS setup that has links to all department shares in the different countries. They do not replicate. The DFS is accessible as \\domain\departments and in there you have Corporate, The Netherlands, France, Spain, Italy and Germany. Countries and the departments below the countries are secured with tight user group based NTFS permissions. This all works great. _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

#189803 - 2008-09-22 11:16 PM Re: script on terminal server [Re: Glenn Barnas]
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Glenn, Thank you for your thoughtful response. I was away for a while now (a vacation). Mart, We had thought about DFS too. Tony Edited by Tony (2008-09-22 11:18 PM)
Top

#189805 - 2008-09-23 01:52 AM Re: script on terminal server [Re: Glenn Barnas]
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Mart/Glenn, If I use a script like below and apply the group policy to an OU (under the user configuration --> scripts--> logon), would I be using asynchronous? Sorry for the noob question. Tnt IF InGroup("GroupName1") USE Z: /Delete /Persistent USE Z: "\\DC01\ShareName" AddPrinterConnection("\\cps1\hp4000") Endif Edited by Tony (2008-09-23 01:57 AM)
Top

#189807 - 2008-09-23 09:16 AM Re: script on terminal server [Re: Tony]
Mart Mart KiX Supporter Registered: 2002-03-27 Posts: 4673 Loc: The Netherlands	Originally Posted By: Tony .... If I use a script like below and apply the group policy to an OU (under the user configuration --> scripts--> logon), would I be using asynchronous? .... Could be and could not be. These settings do not control this. You can set it with GPO in: Code: Computer configuration-->Administrative templates-->System-->Scripts-->Run logonscript synchronously and/or Code: Computer configuration-->Administrative templates-->System-->Logon-->Always wait for the network at computer startup and logon _________________________ Mart - Chuck Norris once sold ebay to ebay on ebay.
Top

#189839 - 2008-09-24 02:34 AM Re: script on terminal server [Re: Mart]
Lonkero Lonkero KiX Master Guru Registered: 2001-06-05 Posts: 22346 Loc: OK	hmm... not sure the latter applies. iirc, that was the long logonscript run time cause few years back. XP booted really quick but then during logon, everything took way long, because network needed to be started to get logonscript running $\:\)$ long story short, Mart's first suggestion most likely is the correct one for your needs. _________________________ ! download KiXnet
Top

#189868 - 2008-09-25 12:33 AM Re: script on terminal server [Re: Mart]
Tony Tony Getting the hang of it Registered: 2001-11-04 Posts: 55 Loc: LA	Thank Mart. Edited by Tony (2008-09-25 12:48 AM)
Top

Page 1 of 1

1

Previous Topic

Previous Topic View All Topics

View All Topics

Index Next Topic

Next Topic

Moderator: Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Ruud van Velsen, Arend_, Mart

Hop to:

Shout Box

Who's Online

0 registered and 778 anonymous users online.

Newest Members

batdk82, StuTheCoder, M_Moore, BeeEm, min_seow
17885 Registered Users

Generated in 0.075 seconds in which 0.029 seconds were spent on a total of 13 queries. Zlib compression enabled.

click tracking