I've never attached files here so I hope this works :) Some names/IPs have been changed to protect the innocent.
So let me explain this a bit. This is designed around the way our AD/Storage structure is laid out so YMMV depending on your layout. Basically we have a GPO that calls the 'refer_global.bat' logon script and passes it two variables: %1 is the directory in Netlogon where the real logon script is and %2 is the name of the logon script itself. I did this so that I only had to create one script to copy logon scripts over rather than the 50+ I would have needed if I made a refer script for each logon script. The script then copies the script to the temp directory and executes it.

Once 'HD_Example.bat' starts, it pings our NAS to see if it is in an authenticated role yet. We found 4 pings to be a good number to use and if they all fail then it loops back around and starts the ping again. Ideally we would have a sleep statement in there to pause for a bit but I haven't gotten to that yet.

Once that ping goes through we needed to do some stuff to make sure that folder redirection didn't throw a hissy fit. We jump right to trying to run mobsync to bring the computer into an online state to correctly map drives (side note: there is some black magic that goes on with folder redirection we can't explain. This may sound odd but it's the only way we could get this to work after 2+ months of testing). So if this mobsync works then we can successfully run net view on the NAS and it works great and continues through the logon script mapping drives/printers. If the 'net view' fails we enter a loop that waits 30 seconds and tries to mobsync/net view again and continues until it is successful.

It's a little complicated but it means that there is no timer that people need to meet to be able to map things correctly. I know some places wait 1 min or 5 min until things are mapped but that caused too much of an issue for us so we needed something more flexible.

So there you go :) Let me know if you have any other questions on it.

--Jeremy

On Fri, Feb 13, 2009 at 09:16, David Maas <[email protected]> wrote:
> Sounds like a good plan. I would be grateful if you could post some
> samples.
>
> Thank you
>
> --David
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[email protected]] On Behalf Of Jeremy Wood
> Sent: Friday, February 13, 2009 9:08 AM
> To: [email protected]
> Subject: Re: Mapping of Drives
>
> Hey David,
>
> The recommended way to run logon scripts is to break them into 2 parts.
> The first part runs while the computer is in the unauth role and
> basically just copies down the real logon script and then executes it
> from the computer. The second one once running pings a device that is
> only available once the computer is authenticated and then once that
> ping works it maps the drive. We do that here along with some other
> funky stuff to get folder redirection to work 99% of the time.
> If you're interested I can post samples of the scripts we use.
>
> --Jeremy
>
> On Fri, Feb 13, 2009 at 08:56, David Maas <[email protected]> wrote:
>> Is there a way that anyone has found to ensure that users' drives get
>> mapped properly? Since the login script always runs prior to the CCA
>> agent the users' drives show up disconnected. Has anyone found a way to
>> alleviate this issue?
>>
>> David Maas
>> Sr. Security Engineer
>> Merkle, Inc.
>> Enabling Knowledge to Improve Marketing Results

@echo off
REM HD_Example.bat: second-stage logon script, run locally after refer_global.bat copies it down

REM Wait until the NAS answers ping, i.e. the computer has reached an authenticated role
REM <NAS_IP> is a placeholder; substitute the address of the NAS
:CHECK
echo Please wait.....
ping -n 4 <NAS_IP>
if errorlevel 1 goto CHECK
goto SYNC

REM net view failed: wait 30 seconds, then run mobsync and test again
REM (sleep is not built into cmd.exe; it has to be available on the PATH)
:SYNC_AGAIN
sleep 30

:SYNC
mobsync /logon
sleep 2
net view \\nas\
if errorlevel 1 goto SYNC_AGAIN

REM Map Drives Here
net use m: /DELETE /y
net use m: \\nas\Information_Technology /PERSISTENT:YES
if errorlevel 1 goto :error
net use n: /DELETE /y
net use n: \\nas\Information_Technology\User_Support /PERSISTENT:YES
if errorlevel 1 goto :error
net use o: /DELETE /y
net use o: \\nas\ITHome\%USERNAME% /PERSISTENT:YES
if errorlevel 1 goto :error

REM Map Printers Here
REM We Pass In The Name Of The Printers We Want To Map
REM Spaces Between Each One
\\%USERDNSDOMAIN%\netlogon\Other\MapPrinters.vbs ITCIO_IM4511 ITUSER_DELL5200

REM Run Any Other VBS Files Here
\\%USERDNSDOMAIN%\netlogon\Other\WrapUp.vbs
goto :success

REM Record the outcome with a date and time stamp
:error
date /T >> C:\login.txt
time /T >> c:\login.txt
echo Problem mapping drives >> c:\login.txt
echo. >> c:\login.txt
exit

:success
date /T >> C:\login.txt
time /T >> c:\login.txt
echo Drives mapped OK >> C:\login.txt
echo. >> c:\login.txt
exit

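@echo off
REM refer_global.bat: first-stage logon script called by the GPO
REM Directory (%1) and Script Name (%2) to copy over are passed to the script via GPO
SETLOCAL
REM Copy the real logon script to the local temp directory, then run it from there
REM (%~1 and %~2 strip any surrounding quotes so the paths can be quoted safely)
copy "%LOGONSERVER%\netlogon\%~1\%~2" "%TEMP%\%~2"
"%TEMP%\%~2"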
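
Added example, not part of the original message or its attachments: the NAS ping wait from HD_Example.bat with the pause between attempts that the message says is still missing, plus a retry cap so the loop cannot spin forever when the NAS is down. The address 192.0.2.10 and the MAX_TRIES and WAIT_SECS values are assumed placeholders; the "TTL=" check is there because Windows ping can exit 0 on a "Destination host unreachable" reply.

```batch
@echo off
REM Added example: bounded, paced wait for the NAS before mapping drives.
REM Assumed placeholder values, not taken from the original scripts:
setlocal
set NAS_IP=192.0.2.10
set MAX_TRIES=20
set WAIT_SECS=15
set TRIES=0

:CHECK
set /a TRIES+=1
echo Please wait..... (attempt %TRIES% of %MAX_TRIES%)
REM Only a real echo reply contains "TTL="; find sets errorlevel 1 when absent
ping -n 4 %NAS_IP% | find "TTL=" >nul
if not errorlevel 1 goto AUTHENTICATED
if %TRIES% GEQ %MAX_TRIES% goto GIVEUP

REM Pause without sleep.exe: N+1 pings to loopback take roughly N seconds
set /a PINGS=WAIT_SECS+1
ping -n %PINGS% 127.0.0.1 >nul
goto CHECK

:GIVEUP
REM Same log file the original script writes to
echo %DATE% %TIME% NAS not reachable after %TRIES% attempts >> C:\login.txt
endlocal
exit /b 1

:AUTHENTICATED
echo %DATE% %TIME% NAS reachable after %TRIES% attempts >> C:\login.txt
endlocal
REM Continue with mobsync / net view / net use here, as in HD_Example.bat
exit /b 0
```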
