PowerShell login script to map a drive if a user is a member of an AD group

  • Question

  • Hey guys,

    I am looking for a little PowerShell scripting help. I am trying to query a user's Active Directory membership during login to determine if they are a member of a security group, then either map a drive or continue on through the script.

    Thanks a lot,

    Mark

    Thursday, August 5, 2010 7:58 PM

Answers

  • Here's another option; it requires PowerShell 2.0. What version of PowerShell is running on your domain machines?

    # name of the security group to test for (its CN)
    $group = "Group1"

    # extract group names from the user memberof property
    # note: memberOf lists direct memberships only; nested groups and the
    # user's primary group (usually Domain Users) do not appear in it
    $memberOf = ([ADSISEARCHER]"samaccountname=$($env:USERNAME)").FindOne().Properties.memberof -replace '^CN=([^,]+).+$','$1'

    if($memberOf -contains $group)
    {
      "current user is member of $group"
    }
    else
    {
      "current user is not a member of $group"
    }


    Shay Levy [MVP]
    http://blogs.microsoft.co.il/blogs/ScriptFanatic
    PowerShell Toolbar
    • Marked as answer by IamMred Tuesday, August 17, 2010 11:00 PM
    Sunday, August 8, 2010 8:31 AM
    Moderator
  • Requires .NET 3.5 on the client side.



    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain

    $GroupName = "Group1"

    $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
    $group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($ct,$GroupName)

    # FindByIdentity returns $null when no such group exists; IsMemberOf would then throw
    if($group -ne $null -and $user.IsMemberOf($group))
    {
        "current user is member of $GroupName"
    }
    else
    {
        "current user is not a member of $GroupName"
    }


    Shay Levy [MVP]
    http://blogs.microsoft.co.il/blogs/ScriptFanatic
    PowerShell Toolbar
    • Marked as answer by IamMred Tuesday, August 17, 2010 11:00 PM
    Friday, August 6, 2010 4:12 PM
    Moderator
  • Well, there's this:

    $u = [environment]::username
    $g = "<groupname>"   # replace with the group name to test

    # net group prints members in fixed-width columns, so match the name between whitespace or line ends
    if(net group $g /domain | select-string "(^|\s)$([regex]::Escape($u))(\s|$)") { "member of $g" }


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "
    • Marked as answer by IamMred Tuesday, August 17, 2010 11:00 PM
    Friday, August 6, 2010 5:40 PM
    Moderator

All replies

  • Keep in mind that the Net Group command only works on Domain Controllers...


    PS C:\> net group
    This command can be used only on a Windows Domain Controller.

    More help is available by typing NET HELPMSG 3515.

    Friday, August 6, 2010 7:20 PM
    Moderator
  • That's why you have to use that /domain switch.
    Friday, August 6, 2010 7:32 PM
    Moderator
  • Nice catch. Helps to know how to read and type...
    Friday, August 6, 2010 7:37 PM
    Moderator
  • You can try this:

    # ====================================================
    # Queries user account in AD for user group membership
    # ====================================================

    $strName = $env:username

    function get-GroupMembership($DNName,$cGroup){

        # find the user by sAMAccountName in the current domain
        $strFilter = "(&(objectCategory=User)(samAccountName=$DNName))"

        $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objSearcher.Filter = $strFilter

        $objPath = $objSearcher.FindOne()
        if ($objPath -eq $Null) { return 0 }   # user not found
        $objUser = $objPath.GetDirectoryEntry()
        $DN = [string]$objUser.distinguishedName

        # find the group by name
        $strGrpFilter = "(&(objectCategory=group)(name=$cGroup))"
        $objGrpSearcher = New-Object System.DirectoryServices.DirectorySearcher
        $objGrpSearcher.Filter = $strGrpFilter

        $objGrpPath = $objGrpSearcher.FindOne()
        if ($objGrpPath -eq $Null) { return 0 }   # group not found

        $objGrp = $objGrpPath.GetDirectoryEntry()
        $grpDN = [string]$objGrp.distinguishedName
        $ADVal = [ADSI]"LDAP://$DN"

        # memberOf holds direct memberships only: nested groups and the
        # primary group (usually Domain Users) are not listed in it.
        # 'return $returnVal = 1' emits nothing in PowerShell, so return the value itself.
        if ($ADVal.memberOf.Value -contains $grpDN){
            return 1
        }else{
            return 0
        }
    }

    # ====================================================
    # Map network drives
    # ====================================================

    $net = New-Object -ComObject WScript.Network

    $result = get-groupMembership $strName "Domain Users"
    if ($result -eq 1) {
        # RemoveNetworkDrive throws if the letter is not currently mapped
        if (Test-Path "G:") { $net.RemoveNetworkDrive("G:") }
        $net.MapNetworkDrive("G:", "\\SERVER\general")
    }

    $result = get-groupMembership $strName "IS"
    if ($result -eq 1) {
        if (Test-Path "I:") { $net.RemoveNetworkDrive("I:") }
        $net.MapNetworkDrive("I:", "\\SERVER\IS$")
    }

    I've documented this and further explained my PowerShell login script here: http://thisishelpful.com/powershell-login-script-map-network-drives-printers-applicaton-settings.html

    Hope that helps.

    • Proposed as answer by toexelchen Monday, April 23, 2012 7:32 AM
    Sunday, May 29, 2011 8:38 PM
  • This is great information! I was wondering how I would use this but also map a drive using friendly names for a mapped drive? For example I have several shares and I am using the %user but the UNC is so long that the user only sees the \\domain_name\long_file_path\username, and the friendly name would be: T:\Transcriptions, X:\Xray and the user would have a directory within each?

    Thanks,

    Jeff

    Monday, January 23, 2012 6:05 PM
  • Thanks for a great script! Tweaked to my environment this did exactly what I was looking for!

    Monday, January 8, 2018 12:01 AM
  • Hi Superfishnz,

    Your script is wonderful and it works so well.

    But have you got a version of it which manages nested groups?

    I know that isn't as easy as it sounds.

    Thank you very much.

    Friday, April 26, 2019 9:51 AM
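As an added example (not code from this thread or from any of its posters), here is a login-script variant that covers both the drive-mapping step from the answers above and the nested-groups question: it reads group membership from the logon token, which Windows builds at logon from every group the user belongs to directly or through nesting, and maps drives from a group-to-share table. The domain name, group names, drive letters and UNC paths are placeholders to replace.

```powershell
# Added example, not from the thread. Membership comes from the logon token,
# which already includes groups inherited through nesting and is the same
# view the file server's ACL check uses. Token groups are fixed at logon,
# which is exactly when a login script runs.
# Placeholders: CONTOSO, the group names, drive letters and UNC paths.

$driveMap = @{
    'CONTOSO\FileShare-Users' = @{ Letter = 'G:'; Path = '\\SERVER\general' }
    'CONTOSO\IS'              = @{ Letter = 'I:'; Path = '\\SERVER\IS$' }
}

function Get-TokenGroupNames {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            # Resolve each SID to DOMAIN\Name; the token also carries well-known
            # and orphaned SIDs that cannot be resolved, which are skipped.
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
    }
}

function Get-MappedDriveLetters {
    # EnumNetworkDrives returns alternating letter, path entries.
    $net = New-Object -ComObject WScript.Network
    $drives = $net.EnumNetworkDrives()
    for ($i = 0; $i -lt $drives.Count; $i += 2) { $drives.Item($i) }
}

function Connect-GroupDrives($map, $groupNames) {
    $net = New-Object -ComObject WScript.Network
    $mapped = @(Get-MappedDriveLetters)
    foreach ($group in $map.Keys) {
        if ($groupNames -notcontains $group) { continue }
        $letter = $map[$group].Letter
        $path   = $map[$group].Path
        # A stale mapping from an earlier logon makes MapNetworkDrive fail,
        # so drop it first (force the disconnect, do not persist the removal).
        if ($mapped -contains $letter) { $net.RemoveNetworkDrive($letter, $true, $false) }
        try {
            $net.MapNetworkDrive($letter, $path)
            "Mapped $letter to $path for member of $group"
        } catch {
            Write-Warning "Could not map $letter to ${path}: $_"
        }
    }
}

Connect-GroupDrives $driveMap @(Get-TokenGroupNames)
```

Because the check uses the token rather than an LDAP memberOf query, the primary group and groups reached only through nesting are both covered, and no domain controller round trip is needed at logon.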