Query Group Membership


adamsre

Hey All,

I'm new to using AutoIt and I thought I'd share this with the group. I am currently trying to administer a GPO based on BOTH a machine account's OU and a domain user's group membership. For instance, if the machine resides in LabA and the user is a member of the Student.FIH.HS group, then apply the following registry changes; likewise, if the user is a member of the Domain Admins (or a similar admin group), then apply X changes... Thus far normal Group Policy Objects don't quite work the way I need them to because the user's environment changes from lab to lab (different desktop / drive mappings / shortcuts / printer mappings, etc.), so I can't necessarily make a GPO based on the student's OU and have it merge with that of a computer's OU.

I have also tried using the old "Loopback Policy Processing" defined in the machine policy, which states that you CAN define user- and computer-based policies that will either merge with or replace a user's policy. Sounds all fine and dandy until an admin or a higher-privileged user attempts to log on and gets the locked-down version of the student logon. Loopback processing, which is designed for kiosks and lab environments, overrides ALL (including Domain Admin) user policy settings and replaces them with the machine's (even if you deny the Domain Admin the privilege to apply the policy).

My next step was to write a VBS script that checks for group membership and applies registry entries based on membership. This works just fine until you log on as a student and find that you don't have the privilege to write to the registry (duh...). So, you run the script using runas (command line) or RunAsSet, and it does its thing - but unfortunately, it does its thing to the profile of the account that was used for the RunAsSet command, not the student's (this is because the HKEY_CURRENT_USER key is created as a mirror of the HKEY_USERS subkey that uses the user's SID to identify the key).

Next step was to extract the user's SID from their logon, write it to a text file (the only way I could figure out to get GETSID's output into a usable format), read it from the script and assign it to a variable. Use the variable in the RegWrite command, and voila, the registry changes are applied as expected. NOW... I would like to be able to enumerate a user's group membership (as I had been able to do in VBS) and apply or remove my "Policy" based on it. ANY help or suggestions for doing this in a more efficient manner would be greatly appreciated.

Thanks!

Attached is what I have done thus far...

RunWait("\\fihdom\network\sid\sid.bat", "", @SW_HIDE)
RunAsSet("Service Account", "Domain", "Password")
RunWait("\\fihdom\network\registry.exe")

This is the batch file that's called

\\fihdom\network\sid\getsid.exe %USERNAME% > "\\fihdom\Network\Sid\%COMPUTERNAME%.txt"

This file calls the batch file which launches getsid and creates the text file.

The next line launches the registry script with an elevated priv.

Here's the final file.

$x = ""
$Computer = EnvGet("ComputerName")
$filename = $Computer & ".txt"
$serverpath = "\\fihdom\network\sid\"
$completefilename = $serverpath & $filename
$sid = ""
$file = ""

; Read the SID that the batch file wrote for this computer
$file = FileOpen($completefilename, 0)
If $file = -1 Then
    MsgBox(0, "Error", "Unable to open " & $completefilename)
    Exit
EndIf
$sid = FileReadLine($file)
FileClose($file)
$x = FileDelete($completefilename)

; HKEY_CURRENT_USER is a view of HKEY_USERS\<SID>, so writing under the
; student's SID changes the student's profile even though this script
; runs under the service account
$key = "HKEY_USERS\" & $sid & "\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
RegWrite($key, "NoRun", "REG_DWORD", "1")
RegWrite($key, "NoSimpleStartMenu", "REG_DWORD", "1")
RegWrite($key, "NoFind", "REG_DWORD", "1")
RegWrite($key, "NoSMHelp", "REG_DWORD", "1")
RegWrite($key, "ForceStartMenuLogoff", "REG_DWORD", "1")
RegWrite($key, "NoRecentDocsMenu", "REG_DWORD", "1")
RegWrite($key, "NoSetFolders", "REG_DWORD", "1")
RegWrite($key, "NoNetworkConnections", "REG_DWORD", "1")
RegWrite($key, "NoStartMenuNetworkPlaces", "REG_DWORD", "1")
RegWrite($key, "NoSetTaskbar", "REG_DWORD", "1")
EnvUpdate()
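The elevated registry script above writes under whatever the first line of the per-computer text file on the share happens to hold. Checking that the line really is a well-formed SID before building the HKEY_USERS path means an empty, missing or mangled file cannot send the RunAsSet-elevated writes to the wrong place. The following is an added example, not code from this thread, written in Python rather than AutoIt so the check can be run anywhere; the sample SID, the assumption that the file's first line is the bare SID (which is what feeding FileReadLine() straight into RegWrite() implies), and the function names are all constructed for the example:

```python
import re

# Constructed sample of the per-computer SID file the batch file writes
# (\\fihdom\network\sid\<COMPUTERNAME>.txt); the first line is assumed
# to hold the bare SID, as the original script's FileReadLine() usage implies.
SAMPLE_SID_FILE = "S-1-5-21-1004336348-1177238915-682003330-1123\n"

# A SID looks like S-<revision>-<authority>-<sub-authority>[-<sub-authority>...];
# domain account SIDs end in the account's RID.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

POLICY_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

# The Explorer policy values the original AutoIt script sets to 1.
POLICY_VALUES = (
    "NoRun", "NoSimpleStartMenu", "NoFind", "NoSMHelp", "ForceStartMenuLogoff",
    "NoRecentDocsMenu", "NoSetFolders", "NoNetworkConnections",
    "NoStartMenuNetworkPlaces", "NoSetTaskbar",
)


def read_sid(text):
    """Return the SID on the first line of the file contents, or None
    if the file is empty or the line is not a syntactically valid SID."""
    if not text.strip():
        return None
    first = text.splitlines()[0].strip()
    return first if SID_RE.match(first) else None


def policy_key(sid):
    """Build the HKEY_USERS path the elevated script writes under."""
    if not SID_RE.match(sid):
        raise ValueError("refusing to build a registry path from a non-SID value")
    return "HKEY_USERS\\" + sid + "\\" + POLICY_SUBKEY


def build_policy(text):
    """Return (key, {value_name: 1, ...}) for a valid SID file, or None
    when the file should be rejected and nothing written."""
    sid = read_sid(text)
    if sid is None:
        return None
    return policy_key(sid), {name: 1 for name in POLICY_VALUES}


if __name__ == "__main__":
    result = build_policy(SAMPLE_SID_FILE)
    print(result)                      # key path and the ten values to set
    print(build_policy(""))            # None: empty file, nothing written
    print(build_policy("..\\Software\n"))  # None: not a SID, nothing written
```

In the AutoIt script the same check would sit between FileReadLine() and the first RegWrite(), exiting if the line does not match; the delete of the share file should still run so a bad file is not picked up again on the next logon.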


Ok, I got dazzled with the lingo there a bit, but how about this approach.

AutoIt can read many many variables, so things like:

@UserName, @LogonDNSDomain , @LogonDomain , @LogonServer ,etc.

and others like:

@ComputerName, @HomeDrive, @HomePath, @HomeShare, etc.

You can also set security by checking access to drives or directories via your security profiles.

ex:

If FileExists("\\fihdom\network\sid\sid.bat") Then
    ; this user can see the file, so run the part of the script meant for that group
EndIf

If a student has a default home directory, and say a network drive, then you can check for default files that have to exist there. Likewise, you can check to see if an Admin (who usually has more access) can see the file, and if they can, then don't do part of the script. You could also test a mapping in the script, and since you would be denied as that user, you would know your access rights.

RunAsSet () can be used once you know you have the right access, or you can do it other ways.

Hope it helps some. I tend to be quite anal about how I set up rights and drives, so it is quite fast for me to determine access solely via the fileexists() function.

AutoIt3, the MACGYVER Pocket Knife for computers.


Hey ScriptKitty,

Excellent suggestion - and it works, I might add. I think I may have been making this thing far more difficult than it had to be. In the context I'm looking for now, this does work - I just created three folders, each with a test.txt in them. I assigned appropriate NTFS privs to each where the other groups were implicitly denied. If the user was able to verify the existence of test.txt, then I could infer that the user was a member of that specific group. Kind of an interesting way to go about it, but it works. I do have a need to be able to enumerate the group membership of users to be able to export their memberships to a text / CSV file. If you have any suggestions as to how to go about that, I would greatly appreciate it. Here's how I've accomplished it in VBS.

Dim WSHNetwork
Dim FSO
Dim strUserName   ' Current user
Dim strUserDomain ' Current user's domain name
Dim ObjGroupDict  ' Dictionary of groups to which the user belongs
Dim PathNoRun, PathNoFind, PathNoHelp, PathAddLogoff, PathNoRecentDocs, PathNoSettings, PathNoNetworkSettings, _
    PathNoNetworkPlaces, PathNoSetTaskbar

Set WSHNetwork = WScript.CreateObject("WScript.Network")
Set FSO = CreateObject("Scripting.FileSystemObject")

' WSHNetwork.UserName can still be empty right after logon, so wait for it
strUserName = ""
While strUserName = ""
    WScript.Sleep 100 ' 1/10th of a second
    strUserName = WSHNetwork.UserName
Wend
strUserDomain = WSHNetwork.UserDomain

' Read the user's account "Member Of" tab info across the network
' once into a dictionary object.
Set ObjGroupDict = CreateMemberOfObject(strUserDomain, strUserName)

If MemberOf(ObjGroupDict, "Domain Admins") Then
    WScript.Echo "Is a member of Domain Admins." ' REM this line to map network drives
    WSHNetwork.MapNetworkDrive "O:", "\\codom\network"
Else
    MsgBox "Is NOT a member of Domain Admins", 4096
End If

Function MemberOf(ObjDict, strKey)
    ' Given a Dictionary object containing groups to which the user
    ' is a member of and a group name, returns True if the group
    ' is in the Dictionary, else returns False.
    MemberOf = CBool(ObjDict.Exists(strKey))
End Function

Function CreateMemberOfObject(strDomain, strUserName)
    ' Given a domain name and username, returns a Dictionary
    ' object of groups to which the user is a member of.
    Dim objUser, objGroup
    Set CreateMemberOfObject = CreateObject("Scripting.Dictionary")
    ' vbTextCompare makes the later Exists() lookups case-insensitive
    CreateMemberOfObject.CompareMode = vbTextCompare
    Set objUser = GetObject("WinNT://" & strDomain & "/" & strUserName & ",user")
    For Each objGroup In objUser.Groups
        CreateMemberOfObject.Add objGroup.Name, "-"
    Next
    Set objUser = Nothing
End Function

I can see where some of this can be converted over to run in AutoIT (the @UserName / @LogonDomain etc...) , but I'm having some difficulty in other areas. I would like to have this script run completely in AutoIT - as I really don't want to have to start dropping text files everywhere in order to store temporary data to pull into another app/script. Thanks again for the help!


Ok I am a little dizzied by your post too. :whistle:

But here is what I can add. Since you are well versed in VBScript you can use ADSI to get the group membership and output it to a text file.

Look here for a VBScript example on getting nested group memberships.

Output to a text file and parse for the membership you want. Then run your script based on that. You can FileInstall() the vbscript and run it on the local machine.

Hope this helps.

red


Hey,

You could try to pipe the result of NET USER username /DOMAIN into a text file, then parse the text file for group memberships.

Not quite sure if AutoIt allows you to check for the existence of a string within a text file...

I use this to extract the full name, along with FileReadLine and StringTrimLeft.

Cheers
Nobby
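The two approaches above (the VBS dictionary of group names with a case-insensitive MemberOf() test, and parsing NET USER /DOMAIN output) come together in the following added example. It is not code from this thread and is written in Python rather than AutoIt so it runs offline; the NET USER output is a constructed sample in the fixed-width layout the command prints (group names each preceded by a '*', with extra names wrapped onto indented continuation lines), and the function names are made up for the example:

```python
# Constructed sample of `net user jsmith /domain` output. NET USER prints
# group names after a '*' in fixed-width columns and wraps extra names
# onto lines that start with whitespace.
SAMPLE_NET_USER = """\
The request will be processed at a domain controller for domain fihdom.local.

User name                    jsmith
Full Name                    Jane Smith
Account active               Yes
Account expires              Never

Local Group Memberships      *Remote Desktop Users
Global Group memberships     *Domain Users         *Student.FIH.HS
                             *Lab A Students
The command completed successfully.
"""

# The two section labels NET USER uses for group listings.
MEMBERSHIP_LABELS = ("Local Group Memberships", "Global Group memberships")


def parse_group_memberships(output):
    """Return {folded_name: display_name} for every group listed in
    NET USER output. Keys are case-folded so lookups behave like the
    VBS dictionary with CompareMode = vbTextCompare."""
    groups = {}
    in_section = False
    for line in output.splitlines():
        if line.startswith(MEMBERSHIP_LABELS):
            in_section = True
        elif not (in_section and line.startswith(" ") and line.lstrip().startswith("*")):
            # Any other non-indented line ends the membership section
            in_section = False
            continue
        # Everything after each '*' up to the next '*' is one group name
        for name in line.split("*")[1:]:
            name = name.strip()
            if name:
                groups[name.casefold()] = name
    return groups


def member_of(groups, group_name):
    """Case-insensitive membership test, like the VBS MemberOf() function."""
    return group_name.casefold() in groups


if __name__ == "__main__":
    groups = parse_group_memberships(SAMPLE_NET_USER)
    print(sorted(groups.values()))
    for candidate in ("Domain Admins", "student.fih.hs"):
        print(candidate, "->", member_of(groups, candidate))
```

One limitation to keep in mind when deciding policy from this output: NET USER truncates long group names to fit its columns, so a membership test against the full name of a long group can fail even though the user is a member. The ADSI route in the VBS (objUser.Groups) returns complete names and avoids that problem.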


yea,

StringInStr - checks if a string contains a given substring.

This was a little script I made a long time ago for fun to see the computers in my domain.

Dim $computers[200]
$count = 0
$listofcomputers = ""
RunWait("cmd /c net view >computers.txt", "", @SW_HIDE)
$file = FileOpen("computers.txt", 0)
; Check if file opened for reading OK
If $file = -1 Then
    MsgBox(0, "Error", "Unable to open file.")
    Exit
EndIf
; Read in lines of text until the EOF is reached
While 1
    $line = FileReadLine($file)
    If @error = -1 Then
        ExitLoop
    EndIf
    ; Computer lines in NET VIEW output start with \\ ; stop filling the
    ; array once it is full instead of running past its last element
    If StringLeft($line, 2) = "\\" And $count < UBound($computers) Then
        $computers[$count] = StringStripWS(StringLeft($line, 20), 2)
        $listofcomputers = $listofcomputers & $computers[$count] & @LF
        $count = $count + 1
        ; MsgBox(0, "computer:", $computers[$count - 1])
    EndIf
WEnd
FileClose($file)
FileDelete("computers.txt")
MsgBox(0, $count & " computers shown:", $listofcomputers)

AutoIt3, the MACGYVER Pocket Knife for computers.
