map drive from domain user

[tasse]

Hello everyone,

i need a script that shoud be executed by a local user account. This script should map a domain user folder from the fileserver. 

Unfortunately the script runs without erros but nothing happens either. The idea is that the script asks for user and password. And then connect the user folder \\fileserver\user with the password. While there could be different user trying this script I decided for the variable $login.

DriveMapDel("x:")

 

$login=InputBox ("Benutzername", "Bitte Benutzername eingeben")

$passwd=InputBox("Passwort", "Bitte Passwort eingeben", "","*")

DriveMapAdd("x:", "\\fileserver\$login",0,"domain\$login" & $login,$passwd)

 

Hope someone can give my some tips why its not working. By the way its my first contact with autoit and I just need it for this purpose only.

 

best regards

[Jos]

Maybe you mean: ?

DriveMapAdd("x:", "\\fileserver\" & $login,0,"domain\" & $login,$passwd)

Jos

[GokAy]

Hey, is the domain name going to be fixed and is the domain name "domain"? Currently, as far as I can tell you are trying to authenticate with a user that would reside within a domain named "domain". Maybe just add it as a variable, and use that instead?

$sDomain = "MyDomainNameHere"

DriveMapAdd("x:", "\\fileserver\" & $login, 0, $sDomain & "\" & $login, $passwd)

Edit: Just wondering  If these users have domain user accounts, why are they working local? Business requirement of sorts? Or, if you are supplying the local user credentials, how will the server grant access? 

Edited November 24, 2020 by GokAy

[JockoDundee]

5 hours ago, tasse said:

By the way its my first contact with autoit and I just need it for this purpose only.

That’s what everybody thinks at first.

Pretty soon though they’re mainlining the stuff

[tasse]

12 hours ago, GokAy said:

Edit: Just wondering  If these users have domain user accounts, why are they working local? Business requirement of sorts? Or, if you are supplying the local user credentials, how will the server grant access? 

The reason is that these devices can be borred by students who are poor and cannot afford own devices. While they are stay at home due to covid19 they can work locally.

[GokAy]

Hmm, that raises other questions, and concerns. I believe you should first get the command to run properly before adapting a script for it. You didn't mention if you tried what I wrote.

1. Do these users have domain user credentials and not allowed to logon? Because you wouldn't need to provide credentials if logged on to the domain.

2. Did you try the "net use" command manually, first, while connected to the network locally, then while connected with the VPN? I guess you will be connecting with a VPN?

3. If you are in a domain forest, you may need to use "dotted domain name" instead.

4. If you are using fileserver name, can it be resolved while connected from outside. Tried with IP address instead?

I am a bit rusty with these, but if you provide accurate info, someone should help you get the command to run successfully in the first place.

Personally, I would try these in order, first locally, then from outside:

net use x:\ "\\<serverIP>\<sharename>"
net use x:\ "\\<servername>\<sharename>"

then add the credentials part.

Depending on whether you find it safe, you could add the "/PERSISTENT:YES" part to it as well which will add the credentials to the OS, and you won't be asked every log on. Check out "Control Panel\All Control Panel Items\Credential Manager" - Windows Credentials part.

Edited November 25, 2020 by GokAy

[rudi]

Hello,

I'd like to to mention to have a look at the possibilities of mapping user specific folders by making use of GPO.

 

and 2nd what you describe sounds like you use "one-share-per-user": IMHO the better approach would be to have *ONE* share for all users, then one Sub-Folder per user, where they store their personal data.

 

Have a look at "ABE" (access based enumeration, Microsoft documentation) to read up howto take care, that to all the users will see their personal sub-folder *ONLY*. (all others are not displayed in Windows Explorer)

For one customer I use a "three-level-structure":

[drive:]\Userhome\Department\UserSamAccountName

The tool doing "The-work-itself" is written by Helge Klein: SetACL.EXE, you'll find that one here:

https://helgeklein.com/setacl/documentation/command-line-version-setacl-exe/

 

expandcollapse popup

#include <array.au3>
#include <file.au3>

$ADSID = "S-1-5-21-xxxxxxxxxx-yyyyyyyyyy-zzzzzzzzzz-" ;  modify this to match the SID of your Active Directory
; wellknown SIDs - same suffix for *ANY* AD.
$SIDDomainAdministrator = $ADSID & "500" ; User
$SIDDomainGuest = $ADSID & "501" ; User
$SIDDomainKRBTGT = $ADSID & "502" ; Key Distribution Center (KDC) service
$SIDDomainAdmins = $ADSID & "512" ; Group
$SIDDomainUsers = $ADSID & "513" ; Group
$SIDDomainGuests = $ADSID & "514" ; Group
$SIDDomainComputers = $ADSID & "515"
$SIDDomainControllers = $ADSID & "516"
$SIDDomainCertPublishers = $ADSID & "517"
$SIDSchemaAdmins = $ADSID & "518"
$SIDEnterpriseAdmins = $ADSID & "519"
$SIDGroupPolicyCreatorOwners = $ADSID & "520"


$root = "D:\userhome\" ; local path where the Userhome Directories are placed. Share Name = "UserHome"; trailing backslash!
$aEins = _FileListToArray($root, "*", 2)


; level 1 and above: set "Traversal"
; level 2 folder: set rights for the users

$ntfs = "read_execute" ; "traverse", Recht auf die übergeordneten Folder. "traverse benötigt "read_execute", dieses beinhaltet: FILE_TRAVERSE, FILE_LIST_DIRECTORY, FILE_READ_ATTRIBUTES, FILE_READ_EA, READ_CONTROL


For $i = 1 To $aEins[0]
    $DestDir = $root & $aEins[$i]
    $SACLparams = ' -on "' & $DestDir & '" -ot file -actn ace -ace "n:' & $SIDDomainUsers & ';p:' & $ntfs & ';s:y;i:np;m:grant;w:dacl"'
    $timer = TimerInit()
    $result = RunWait("d:\setacl.exe " & $SACLparams, @TempDir, @SW_HIDE)
    If $result = 0 Then
        ConsoleWrite("    OK: " & $DestDir & @LF)
    Else
        ConsoleWrite("ERROR!! " & $result & " - " & $DestDir & @LF)
    EndIf
    ConsoleWrite(@TAB & @TAB & "seconds: " & Round(TimerDiff($timer) / 1000,3) & @LF)
    ConsoleWrite("-------------------" & @LF)
Next



$DestDir = $root
$weiter = True
While $weiter
    $DestDir = StringLeft($DestDir, StringInStr($DestDir, "\", 0, -1) - 1)
    If Not StringInStr($DestDir, "\") Then ; Root Directory ist erreicht für dieses Laufwerk
        $weiter = False
        $DestDir &= "\\" ; trailing backslash im Pfad muss für setacl.exe ge-quoted werden, sonst wird das nachfolgende " aufgehoben!
        ConsoleWrite("Drive's Root directory reached: This might take *EXTREMLY* long time!" & @LF)
    EndIf

    $SACLparams = ' -on "' & $DestDir & '" -ot file -actn ace -ace "n:' & $SIDDomainUsers & ';p:' & $ntfs & ';s:y;i:np;m:grant;w:dacl"'
    ConsoleWrite("setacl.exe " & $SACLparams & @LF)
    ConsoleWrite("This is close to top level dir, will take a while, please be patient!" & @LF)
    $timer = TimerInit()
    $result = RunWait("d:\setacl.exe " & $SACLparams, @TempDir, @SW_HIDE)
    ConsoleWrite("Time for command in minutes = " & Floor(TimerDiff($timer) / 1000) / 60 & @LF)
    If $result = 0 Then
        ConsoleWrite("    OK: " & $DestDir & @LF)
    Else
        ConsoleWrite("ERROR!! " & $result & " - " & $DestDir & "(" & SetAclReturnCodeText($result) & ")" & @LF)
    EndIf
WEnd


ConsoleWrite("--------------------------------------------------------------------------------------------------" & @LF)


$ntfs = "change"
For $i = 1 To $aEins[0]
    $aSubDirs = _FileListToArray($root & $aEins[$i], "*", 2) ; nur ORDNER
    If IsArray($aSubDirs) Then
        For $k = 1 To $aSubDirs[0]
            $DestDir = $root & $aEins[$i] & "\" & $aSubDirs[$k]
            $SACLparams = ' -on "' & $DestDir & '" -ot file -actn ace -ace "n:AD\' & $aSubDirs[$k] & ';p:' & $ntfs & ';s:n;i:so,sc;m:grant;w:dacl"'
            $result = RunWait("D:\setacl.exe " & $SACLparams, @TempDir, @SW_HIDE)
            If $result = 0 Then
                ConsoleWrite("    OK: " & $DestDir & @LF)
            Else
                ConsoleWrite("ERROR!! " & $result & " - " & $DestDir & @LF)
            EndIf
        Next
    EndIf
Next


Func SetAclReturnCodeText($result)
    ; erwartet den ReturnCode von SETACL.EXE in der Variablen $result
    Local $aRetCodes[51][2] = [[50], _
            [0, "OK"], _
            [1, "Usage instructions were printed"], _
            [2, "General error"], _
            [3, "Parameter(s) incorrect"], _
            [4, "The object was not set"], _
            [5, "The call to GetNamedSecurityInfo () failed"], _
            [6, "The SID for a trustee could not be found"], _
            [7, "Directory permissions specified are invalid"], _
            [8, "Printer permissions specified are invalid"], _
            [9, "Registry permissions specified are invalid"], _
            [10, "Service permissions specified are invalid"], _
            [11, "Share permissions specified are invalid"], _
            [12, "A privilege could not be enabled"], _
            [13, "A privilege could not be disabled"], _
            [14, "No notification function was given"], _
            [15, "An error occured in the list function"], _
            [16, "FindFile reported an error"], _
            [17, "GetSecurityDescriptorControl () failed"], _
            [18, "An internal program error occured"], _
            [19, "SetEntriesInAcl () failed"], _
            [20, "A registry path is incorrect"], _
            [21, "Connect to a remote registry failed"], _
            [22, "Opening a registry key failed"], _
            [23, "Enumeration of registry keys failed"], _
            [24, "Preparation failed"], _
            [25, "The call to SetNamedSecurityInfo () failed"], _
            [26, "Incorrect list options specified"], _
            [27, "A SD could not be converted to/from string format"], _
            [28, "ACL listing failed"], _
            [29, "Looping through an ACL failed"], _
            [30, "Deleting an ACE failed"], _
            [31, "Copying an ACL failed"], _
            [32, "Adding an ACE failed"], _
            [33, "No backup/restore file was specified"], _
            [34, "The backup/restore file could not be opened"], _
            [35, "A read operation from the backup/restore file failed"], _
            [36, "A write operation from the backup/restore file failed"], _
            [37, "The operating system is not supported"], _
            [38, "The security descriptor is invalid"], _
            [39, "The call to SetSecurityDescriptorDacl () failed"], _
            [40, "The call to SetSecurityDescriptorSacl () failed"], _
            [41, "The call to SetSecurityDescriptorOwner () failed"], _
            [42, "The call to SetSecurityDescriptorGroup () failed"], _
            [43, "The domain specified is invalid"], _
            [44, "An error occured, but it was ignored"], _
            [45, "The creation of an SD failed"], _
            [46, "Memory allocation failed"], _
            [47, "No action specified – nothing to do"], _
            [48, "WMI permissions specified are invalid"], _
            [49, "Recursion is not possible"]]

    If $result = 0 Then Return "OK "
    For $i = 1 To $aRetCodes[0][0]
        If $aRetCodes[$i][0] = $result Then Return "Error " & $result & ": " & $aRetCodes[$i][1]
    Next
    Return "Error " & $result & ": <unknown error>"
EndFunc   ;==>ReturnCodeText

 

Edited December 15, 2020 by rudi

[rudi]

One more comment:

I assume, that the users are logged on the laptop using their personal user account?

If that's fact, then all you need is to test, if the server is available, then map the drive to the *ONE* top level share, I've mentioned above, you won't need to specify user and password, as the local windows logon session will try the "currently-logged-on-user-credentials" automatically first.