Page 1 of 1 1
Topic Options
#187880 - 2008-05-27 01:41 PM MemberOf usage caching group status?
TSDerby Offline
Just in Town

Registered: 2008-05-27
Posts: 4
Hi,

I've written a very basic script to map network drives based upon the AD group membership.

Here is the crux of the script:

use q: /delete

If MemberOf("HR Users");
use q: "\\Server\HR"
EndIf;

For a test, I placed myself in this group "HR Users" and ran the script. It mapped fine. I then removed myself from the group and ran the script again to remove the drive. It still mapped the drive however, so I thought maybe it was a delay with Active Directory. Anyway, I checked this through the 'gpresult' utility and it came back showing that I was not in this group anymore, so I ran the script again and it still thinks that I'm in the HR group. We have 3 DC's and they are all sync'd fine and not showing me as a memeber of this group. It's been several days now and it's still mapping this drive.

As a test, I added a colleague last week to the group and it mapped fine. I then removed them from the group and it is still mapping the drive.

Any thoughts? Is there a better, quicker way to reference which group they are in?

Thanks,

Rob

Top
#187881 - 2008-05-27 01:48 PM Re: MemberOf usage caching group status? [Re: TSDerby]
Gargoyle Offline
MM club member
*****

Registered: 2004-03-09
Posts: 1597
Loc: Valley of the Sun (Arizona, US...
From the manual
 Quote:

Group-membership information.
Introduction.
KiXtart provides functions to test or enumerate the group-membership of the current user (specifically: InGroup() and EnumGroup()). These functions operate on an in-memory list of groups the user is a member of. This list is filled once during every KiXtart session (in other words: once every time you run KIX32.EXE).



Previous versions of KiXtart always queried the logonserver for the group-membership information. This provided information on both local and global groups in the logondomain. KiXtart retrieves group-membership information using the security token of the current user. The benefit of the new method is that KiXtart can now support universal groups as well as nested global groups.





Note


Because a security token is created during the logon of a user and does not change while that user is logged on, changes to the userís group-membership are not visible to KiXtart until the next time the user logs on.



Group-membership information cache.
As both methods of retrieving the group-membership are relatively costly in terms of network traffic and process time the latest update of KiXtart caches the group-membership information in the registry. This means that once the cache is filled, subsequent runs of KIX32.EXE will require much less time to retrieve the group-membership information.



The group-membership cache is stored in the registry hive of the current user and contains security-identifier-to-groupname mappings. Changes to a user's group-membership are automatically handled by KiXtart during the next logon.





Note


If an existing group is renamed, that change will not be visible to KiXtart until the next time the token-cache is refreshed.



The cache is automatically refreshed every 30 days.



A refresh of the cache can also be forced using the new '/f' commandline option:



KIX32 /f



Optionally, you can include a date, indicating how old the cache must be for it to be refreshed:



KIX32 /f:2001/12/31





Note


The group-membership cache feature of KiXtart is only available on Windows NT or higher.

_________________________
Today is the tomorrow you worried about yesterday.

Top
#187882 - 2008-05-27 02:37 PM Re: MemberOf usage caching group status? [Re: Gargoyle]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4642
Loc: The Netherlands
We have one master script that is fired up on each logon. After some maintenance tasks it fires up a logon script depending on the system (server/wksta) or the user. one of the maintenance tasks is the clear the token cache every x days, 7 in our case or at first run on a clean install.
The script below shows you how to do this.

 Code:
$lastFlush = ReadValue("HKU\" + @SID + "\Software\KiXtart\FlushTokenCache", "DateLastFlush")
If TimeDiff($lastflush, 'Today', 'D') > 7 Or $lastflush = ""
	;Delete tokencache registry key if last flush is more then 7 days ago or last flush is empty (first run)
	$rc = DelKey ("HKU\" + @SID + "\Software\KiXtart\TokenCache")
	;Write current date to the registry.
	$rc = WriteValue("HKU\" + @SID + "\Software\KiXtart\FlushTokenCache", "DateLastFlush", @DATE, "REG_SZ")
EndIf


;=-=-=-=-= DO NOT MODIFY ANYTHING BELOW THIS LINE =-=-=-=-=
;=-=-=-=-= THIS IS A UDF AND IT COMES READY MADE =-=-=-=-=
;
;FUNCTION       TimeDiff() 
; 
;AUTHOR         Glenn Barnas 
; 
;VERSION        2.2 / 2007/10/14 
;		 Modified to increase accuracy, permit fracional second calculations 
;		 2.1 / 2007/03/17 
;               added "now" and "today" options for both start and end times 
;               2.0 / 2006/11/20 
;               Changes for code efficiency; added defaults for midnight  
; 
;ACTION         Calculates the time difference between two given date/time strings 
; 
;SYNTAX         TimeDiff(Start [, End] [, Format] [, MSec]) 
; 
;PARAMETERS     Start  - REQUIRED, String value representing the start timestamp 
;                 Format yyyy/mm/dd hh:mm:ss 
; 
;               End    - OPTIONAL, Defaults to "now" 
;		   String value representing the ending time 
;                 Format yyyy/mm/dd hh:mm:ss 
;		   Can be the special value "now" for the current date/time, or "today" 
;                 for midnight of the current day. 
; 
;                 When the time value is not specified, it defaults to 00:00:00.000 (midnight) 
; 
;		 Format - OPTIONAL, one of: 
;		  "m" - return minutes 
;		  "h" - return hours 
;		  "d" - return days 
;		  "y" - return years 
;		 When a format value is specified, it returns the fractional part (ie 0.5 days for 12 hours). 
; 
;		 MSec	- OPTIONAL, True if the fractional seconds should be returned. Default 
;		  is false, returning whole seconds, to maintain compatibility with earlier versions. 
;		  MSec only affects the return of fractional seconds, not fractional parts of other time formats. 
; 
;REMARKS        Returns a value representing the difference in time between two date/time 
;		 strings. Assumes that "Start" is in the past, but will properly return a 
;		 negative value if it is in the future. 
; 
;RETURNS        Double - difference between Start and End timestamps in seconds 
; 
;DEPENDENCIES   None 
; 
;TESTED WITH    Kix 4.2+, NT4, W2K, WXP, W2K3 
; 
;EXAMPLES       If TimeDiff(GetFileTime('SomeFile.txt'),  'now', 'h') > 48 
;		   "File is more than 2 days old!" ? 
;		 EndIf 
; 
Function TimeDiff($_Start, OPTIONAL $_End, OPTIONAL $_Fmt, OPTIONAL $_MSec)
 
  Dim $_, $_SDate, $a_Start, $_EDate, $a_End, $_Duration
 
  ; Check for special START parameters 
  Select
   Case $_Start = 'now'
    $_Start = @DATE + ' ' + @TIME + '.' + @MSECS
   Case $_START = 'today'
    $_Start = @DATE + ' 00:00:00.000'
  EndSelect
 
  ; Check for special END parameters 
  Select
   Case $_End = 'now' Or $_End = '' 
    $_End = @DATE + ' ' + @TIME + '.' + @MSECS
   Case $_End = 'today'
    $_End = @DATE + ' 00:00:00.000'
  EndSelect
 
  ; Validate parameters 
  ; Parameters passed are "yyyy/mm/dd hh:mm:ss[.sss]" - make sure the default time is added 
  $a_Start = Split(Join(Split(Join(Split($_Start + ' 00:00:00.000', '/'), ' '), ':'), ' '), ' ', 6)
  If UBound($a_Start) <> 5 Exit 87 EndIf		; bad start time parameter 
  For $_ = 0 to 5
    $a_Start[$_] = CDbl($a_Start[$_])		; convert to numeric values 
  Next
 
  $a_End = Split(Join(Split(Join(Split($_End + ' 00:00:00.000', '/'), ' '), ':'), ' '), ' ', 6)
  If UBound($a_End) <> 5 Exit 87 EndIf		; bad start time parameter 
  For $_ = 0 to 5
    $a_End[$_] = CDbl($a_End[$_])		; convert to numeric values 
  Next
 
  ; Convert dates to Days, then convert to seconds and add the time value 
  If $a_Start[1] < 3
    $a_Start[1] = $a_Start[1] + 12
    $a_Start[0] = $a_Start[0] - 1
  EndIf
  $_SDate = $a_Start[2] + ( 153 * $a_Start[1] - 457 ) / 5 + 365 * $a_Start[0] + $a_Start[0] / 4 - $a_Start[0] / 100 + $a_Start[0] / 400 - 306
  $_SDate = CDbl($_SDate) * 86400.0
  $_SDate = $_SDate + $a_Start[3] * 3600 + $a_Start[4] * 60 + $a_Start[5]
 
  If $a_End[1] < 3
    $a_End[1] = $a_End[1] + 12
    $a_End[0] = $a_End[0] - 1
  EndIf
  $_EDate = $a_End[2] + ( 153 * $a_End[1] - 457 ) / 5 + 365 * $a_End[0] + $a_End[0] / 4 - $a_End[0] / 100 + $a_End[0] / 400 - 306
  $_EDate = CDbl($_EDate) * 86400.0
  $_EDate = $_EDate + $a_End[3] * 3600 + $a_End[4] * 60 + $a_End[5]
 
  ; Get the duration between the timestamps 
  $_Duration = CDbl($_EDate - $_SDate)
 
  ; Trim fractional seconds if the MSec flag wasn't set 
  ; Value returned is whole seconds 
  If Not $_MSec
    $_Duration = CInt($_Duration)
  EndIf
 
  ; Return data as a Double - seconds (default), hours, minutes, days, or years 
  Select
    Case $_Fmt = 'm'	; minutes 
      $TimeDiff = $_Duration / 60.0
    Case $_Fmt = 'h'	; hours 
      $TimeDiff = $_Duration / 3600.0
    Case $_Fmt = 'd'	; days 
      $TimeDiff = $_Duration / 86400.0
    Case $_Fmt = 'y'	; years 
      $TimeDiff = $_Duration / 31536000.0
    Case 1
      $TimeDiff = $_Duration
  EndSelect
 
  Exit 0
 
EndFunction
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
#187884 - 2008-05-27 03:40 PM Re: MemberOf usage caching group status? [Re: Gargoyle]
TSDerby Offline
Just in Town

Registered: 2008-05-27
Posts: 4
Thanks for this, however even after running "kix32.exe /f", it still maps this drive. Where is this cache in the registry?

Is there a better way to do this rather than MemberOf?

Top
#187885 - 2008-05-27 03:41 PM Re: MemberOf usage caching group status? [Re: TSDerby]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4642
Loc: The Netherlands
 Quote:

HKU\[SID_GOES_HERE]\Software\KiXtart\TokenCache
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
#187886 - 2008-05-27 03:56 PM Re: MemberOf usage caching group status? [Re: Mart]
TSDerby Offline
Just in Town

Registered: 2008-05-27
Posts: 4
I have a 'TokenCache' folder entry but there is no key set, just 'Default' REG_SZ and no value set. Should there be a value in there?
Top
#187891 - 2008-05-27 04:28 PM Re: MemberOf usage caching group status? [Re: TSDerby]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4642
Loc: The Netherlands
If nothing is set then no token cache exists. Deleting the entire key will force a refresh at the next run of a script the does something with group membership.
There is the build in function InGroup() that worked just fine for me for several years now.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

Top
#187896 - 2008-05-27 05:05 PM Re: MemberOf usage caching group status? [Re: TSDerby]
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4945
Loc: Leatherhead, Surrey, UK
Don't forget the most important bit from the manual (my emphasis):
 Quote:
Because a security token is created during the logon of a user and does not change while that user is logged on, changes to the userís group-membership are not visible to KiXtart until the next time the user logs on.

So if you are changing group membership you need to log off to be sure that you are not getting a stale view.

Top
#187898 - 2008-05-27 05:35 PM Re: MemberOf usage caching group status? [Re: Richard H.]
TSDerby Offline
Just in Town

Registered: 2008-05-27
Posts: 4
Thanks to all of you for your help. I've put the "/f" switch in batch file that runs the script and this didn't work. However, i changed the script to use the 'InGroup' function rather than 'MemberOf' and this started to use the registry entry described above.

So with the InGroup function and using the "/f" switch, this now works like a treat.

Thanks for your help.

Rob

Top
#187899 - 2008-05-27 11:28 PM Re: MemberOf usage caching group status? [Re: TSDerby]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
What is MemberOf(), where did you get it, and how did you implement it?
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

Top
Page 1 of 1 1


Moderator:  Jochen, Allen, Radimus, Glenn Barnas, ShaneEP, Arend_, Mart 
Hop to:
Shout Box

Who's Online
1 registered (Allen) and 156 anonymous users online.
Newest Members
diefnet, Arogya, gkustra, emnipetro, Hirze
17644 Registered Users

Generated in 0.032 seconds in which 0.01 seconds were spent on a total of 13 queries. Zlib compression enabled.

Search the board with:
superb Board Search
or try with google:
Google
Web kixtart.org