|
|
|||||||
Hi, I've written a very basic script to map network drives based upon the AD group membership. Here is the crux of the script: use q: /delete If MemberOf("HR Users"); use q: "\\Server\HR" EndIf; For a test, I placed myself in this group "HR Users" and ran the script. It mapped fine. I then removed myself from the group and ran the script again to remove the drive. It still mapped the drive however, so I thought maybe it was a delay with Active Directory. Anyway, I checked this through the 'gpresult' utility and it came back showing that I was not in this group anymore, so I ran the script again and it still thinks that I'm in the HR group. We have 3 DC's and they are all sync'd fine and not showing me as a memeber of this group. It's been several days now and it's still mapping this drive. As a test, I added a colleague last week to the group and it mapped fine. I then removed them from the group and it is still mapping the drive. Any thoughts? Is there a better, quicker way to reference which group they are in? Thanks, Rob |
||||||||
|
|
|||||||
From the manual Quote: Group-membership information. Introduction. KiXtart provides functions to test or enumerate the group-membership of the current user (specifically: InGroup() and EnumGroup()). These functions operate on an in-memory list of groups the user is a member of. This list is filled once during every KiXtart session (in other words: once every time you run KIX32.EXE). Previous versions of KiXtart always queried the logonserver for the group-membership information. This provided information on both local and global groups in the logondomain. KiXtart retrieves group-membership information using the security token of the current user. The benefit of the new method is that KiXtart can now support universal groups as well as nested global groups. Note Because a security token is created during the logon of a user and does not change while that user is logged on, changes to the user’s group-membership are not visible to KiXtart until the next time the user logs on. Group-membership information cache. As both methods of retrieving the group-membership are relatively costly in terms of network traffic and process time the latest update of KiXtart caches the group-membership information in the registry. This means that once the cache is filled, subsequent runs of KIX32.EXE will require much less time to retrieve the group-membership information. The group-membership cache is stored in the registry hive of the current user and contains security-identifier-to-groupname mappings. Changes to a user's group-membership are automatically handled by KiXtart during the next logon. Note If an existing group is renamed, that change will not be visible to KiXtart until the next time the token-cache is refreshed. The cache is automatically refreshed every 30 days. A refresh of the cache can also be forced using the new '/f' commandline option: KIX32 Optionally, you can include a date, indicating how old the cache must be for it to be refreshed: KIX32 Note The group-membership cache feature of KiXtart is only available on Windows NT or higher. |
||||||||
|
|
|||||||
We have one master script that is fired up on each logon. After some maintenance tasks it fires up a logon script depending on the system (server/wksta) or the user. one of the maintenance tasks is the clear the token cache every x days, 7 in our case or at first run on a clean install. The script below shows you how to do this. Code: $lastFlush = ReadValue("HKU\" + @SID + "\Software\KiXtart\FlushTokenCache", "DateLastFlush") If TimeDiff($lastflush, 'Today', 'D') > 7 Or $lastflush = "" ;Delete tokencache registry key if last flush is more then 7 days ago or last flush is empty (first run) $rc = DelKey ("HKU\" + @SID + "\Software\KiXtart\TokenCache") ;Write current date to the registry. $rc = WriteValue("HKU\" + @SID + "\Software\KiXtart\FlushTokenCache", "DateLastFlush", @DATE, "REG_SZ") EndIf ;=-=-=-=-= DO NOT MODIFY ANYTHING BELOW THIS LINE =-=-=-=-= ;=-=-=-=-= THIS IS A UDF AND IT COMES READY MADE =-=-=-=-= ; ;FUNCTION TimeDiff() ; ;AUTHOR Glenn Barnas ; ;VERSION 2.2 / 2007/10/14 ; Modified to increase accuracy, permit fracional second calculations ; 2.1 / 2007/03/17 ; added "now" and "today" options for both start and end times ; 2.0 / 2006/11/20 ; Changes for code efficiency; added defaults for midnight ; ;ACTION Calculates the time difference between two given date/time strings ; ;SYNTAX TimeDiff(Start [, End] [, Format] [, MSec]) ; ;PARAMETERS Start - REQUIRED, String value representing the start timestamp ; Format yyyy/mm/dd hh:mm:ss ; ; End - OPTIONAL, Defaults to "now" ; String value representing the ending time ; Format yyyy/mm/dd hh:mm:ss ; Can be the special value "now" for the current date/time, or "today" ; for midnight of the current day. ; ; When the time value is not specified, it defaults to 00:00:00.000 (midnight) ; ; Format - OPTIONAL, one of: ; "m" - return minutes ; "h" - return hours ; "d" - return days ; "y" - return years ; When a format value is specified, it returns the fractional part (ie 0.5 days for 12 hours). ; ; MSec - OPTIONAL, True if the fractional seconds should be returned. Default ; is false, returning whole seconds, to maintain compatibility with earlier versions. ; MSec only affects the return of fractional seconds, not fractional parts of other time formats. ; ;REMARKS Returns a value representing the difference in time between two date/time ; strings. Assumes that "Start" is in the past, but will properly return a ; negative value if it is in the future. ; ;RETURNS Double - difference between Start and End timestamps in seconds ; ;DEPENDENCIES None ; ;TESTED WITH Kix 4.2+, NT4, W2K, WXP, W2K3 ; ;EXAMPLES If TimeDiff(GetFileTime('SomeFile.txt'), 'now', 'h') > 48 ; "File is more than 2 days old!" ? ; EndIf ; Function TimeDiff($_Start, OPTIONAL $_End, OPTIONAL $_Fmt, OPTIONAL $_MSec) Dim $_, $_SDate, $a_Start, $_EDate, $a_End, $_Duration ; Check for special START parameters Select Case $_Start = 'now' $_Start = @DATE + ' ' + @TIME + '.' + @MSECS Case $_START = 'today' $_Start = @DATE + ' 00:00:00.000' EndSelect ; Check for special END parameters Select Case $_End = 'now' Or $_End = '' $_End = @DATE + ' ' + @TIME + '.' + @MSECS Case $_End = 'today' $_End = @DATE + ' 00:00:00.000' EndSelect ; Validate parameters ; Parameters passed are "yyyy/mm/dd hh:mm:ss[.sss]" - make sure the default time is added $a_Start = Split(Join(Split(Join(Split($_Start + ' 00:00:00.000', '/'), ' '), ':'), ' '), ' ', 6) If UBound($a_Start) <> 5 Exit 87 EndIf ; bad start time parameter For $_ = 0 to 5 $a_Start[$_] = CDbl($a_Start[$_]) ; convert to numeric values Next $a_End = Split(Join(Split(Join(Split($_End + ' 00:00:00.000', '/'), ' '), ':'), ' '), ' ', 6) If UBound($a_End) <> 5 Exit 87 EndIf ; bad start time parameter For $_ = 0 to 5 $a_End[$_] = CDbl($a_End[$_]) ; convert to numeric values Next ; Convert dates to Days, then convert to seconds and add the time value If $a_Start[1] < 3 $a_Start[1] = $a_Start[1] + 12 $a_Start[0] = $a_Start[0] - 1 EndIf $_SDate = $a_Start[2] + ( 153 * $a_Start[1] - 457 ) / 5 + 365 * $a_Start[0] + $a_Start[0] / 4 - $a_Start[0] / 100 + $a_Start[0] / 400 - 306 $_SDate = CDbl($_SDate) * 86400.0 $_SDate = $_SDate + $a_Start[3] * 3600 + $a_Start[4] * 60 + $a_Start[5] If $a_End[1] < 3 $a_End[1] = $a_End[1] + 12 $a_End[0] = $a_End[0] - 1 EndIf $_EDate = $a_End[2] + ( 153 * $a_End[1] - 457 ) / 5 + 365 * $a_End[0] + $a_End[0] / 4 - $a_End[0] / 100 + $a_End[0] / 400 - 306 $_EDate = CDbl($_EDate) * 86400.0 $_EDate = $_EDate + $a_End[3] * 3600 + $a_End[4] * 60 + $a_End[5] ; Get the duration between the timestamps $_Duration = CDbl($_EDate - $_SDate) ; Trim fractional seconds if the MSec flag wasn't set ; Value returned is whole seconds If Not $_MSec $_Duration = CInt($_Duration) EndIf ; Return data as a Double - seconds (default), hours, minutes, days, or years Select Case $_Fmt = 'm' ; minutes $TimeDiff = $_Duration / 60.0 Case $_Fmt = 'h' ; hours $TimeDiff = $_Duration / 3600.0 Case $_Fmt = 'd' ; days $TimeDiff = $_Duration / 86400.0 Case $_Fmt = 'y' ; years $TimeDiff = $_Duration / 31536000.0 Case 1 $TimeDiff = $_Duration EndSelect Exit 0 EndFunction |
||||||||
|
|
|||||||
Thanks for this, however even after running "kix32.exe /f", it still maps this drive. Where is this cache in the registry? Is there a better way to do this rather than MemberOf? |
||||||||
|
|
|||||||
Quote: HKU\[SID_GOES_HERE]\Software\KiXtart\TokenCache |
||||||||
|
|
|||||||
I have a 'TokenCache' folder entry but there is no key set, just 'Default' REG_SZ and no value set. Should there be a value in there? |
||||||||
|
|
|||||||
If nothing is set then no token cache exists. Deleting the entire key will force a refresh at the next run of a script the does something with group membership. There is the build in function InGroup() that worked just fine for me for several years now. |
||||||||
|
|
|||||||
Don't forget the most important bit from the manual (my emphasis): Quote: Because a security token is created during the logon of a user and does not change while that user is logged on, changes to the user’s group-membership are not visible to KiXtart until the next time the user logs on. So if you are changing group membership you need to log off to be sure that you are not getting a stale view. |
||||||||
|
|
|||||||
Thanks to all of you for your help. I've put the "/f" switch in batch file that runs the script and this didn't work. However, i changed the script to use the 'InGroup' function rather than 'MemberOf' and this started to use the registry entry described above. So with the InGroup function and using the "/f" switch, this now works like a treat. Thanks for your help. Rob |
||||||||
|
|
|||||||
What is MemberOf(), where did you get it, and how did you implement it? |