Hi, I'm wondering if it is possible to build a logon script, for Windows XP & Vista, that will detect whether the user is connected to a particular network (defined by IP schema). If they are connected to a specific network, then it will display a message such as, "Please note you will not be able to access the XYZ Network Drive, or your company email".
-
We use something like this to determine users location based on their IP address.
For example it gives us the ability to map different network drives based on the user's location. Basically, someone in Brisbane gets an IP address 172.21.x.x but in Sydney it's 172.22.x.x.
This is in the logon script:
rem network.vbs exits with the second octet of the 172.x address as its exit code
cscript \\server\NETLOGON\network.vbs
if %ErrorLevel% == 21 goto brisbane
if %ErrorLevel% == 22 goto sydney
if %ErrorLevel% == 23 goto melbourne
if %ErrorLevel% == 168 goto other

:brisbane
net use o: \\server_brisbane\shares
goto exit

:sydney
net use o: \\server_sydney\shares
goto exit

:melbourne
net use f: \\server_melbourne\finance
copy "H:\Terminal Server.lnk" "%USERPROFILE%\Desktop"
goto exit

:other
echo "not a supported network..."

:exit
network.vbs:

'this script gets the ipaddress and returns the second octet
'to determine which subnet the computer is on
'21 = brisbane
'22 = sydney
'23 = melbourne
dim ipaddr, ipsubnet, iparray
strComputer = "."
Set objWMIService = GetObject( _
    "winmgmts:\\" & strComputer & "\root\cimv2")
Set IPConfigSet = objWMIService.ExecQuery _
    ("Select IPAddress from Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
For Each IPConfig in IPConfigSet
    If Not IsNull(IPConfig.IPAddress) Then
        For i = LBound(IPConfig.IPAddress) to UBound(IPConfig.IPAddress)
            ipaddr = IPConfig.IPAddress(i)
            If (InStr(ipaddr, "172") <> 0) then
                iparray = Split(ipaddr, ".")
                ipsubnet = iparray(1)
                'wscript.echo ipsubnet
            end if
        Next
    End If
Next
'the second octet becomes the process exit code read by %ErrorLevel%
wscript.quit ipsubnet
Now you need to place some kind of a pop-up message in the right place.
MarkM: Why not just apply individual logon scripts to the computer OUs for each remote site?
MikeT505: Ideally, I would only like to do this on 2 or 3 specific computers.
Roy: Sorry, I didn't mention the fact that some of those people travel between locations on a weekly basis.
Zypher: @Roy: You might be better off setting a per-site GPO then.
From Roy
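The batch-plus-VBS approach above can be folded into one logon script that does the site detection and shows the notice the question asks for. The following is an added example, not Roy's or the poster's code: it matches on the leading octets with an explicit prefix table instead of InStr(ipaddr, "172") (which would also match an address such as 10.0.172.5), skips IPv6 entries that Vista lists on the same adapter, and treats the message as advisory only, since a logon script informs the user but does not enforce access. The prefixes, server names and the 192.168 "small office" network are hypothetical placeholders to be replaced with your own addressing plan.

```vbscript
' Added example (not from the original post): detect the site from the IPv4
' address and map drives / show a notice accordingly.
' Assumptions (hypothetical): prefix table, share paths and the 192.168
' small-office network below are placeholders.
Option Explicit

Dim objWMIService, colConfigs, objConfig, strAddr, i
Dim strSite, strPrefix, dictSites

' Prefix table: leading octets -> site name. Matching Left(addr, n) avoids the
' false positives of a substring search for "172" anywhere in the address.
Set dictSites = CreateObject("Scripting.Dictionary")
dictSites.Add "172.21.", "brisbane"
dictSites.Add "172.22.", "sydney"
dictSites.Add "172.23.", "melbourne"
dictSites.Add "192.168.", "smalloffice"   ' the office with no server (assumed)

strSite = ""
Set objWMIService = GetObject("winmgmts:\\.\root\cimv2")
Set colConfigs = objWMIService.ExecQuery( _
    "Select IPAddress from Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")

For Each objConfig In colConfigs
    If Not IsNull(objConfig.IPAddress) Then
        For i = LBound(objConfig.IPAddress) To UBound(objConfig.IPAddress)
            strAddr = objConfig.IPAddress(i)
            ' Skip IPv6 entries (they contain ":") and stop at the first match
            If InStr(strAddr, ":") = 0 And strSite = "" Then
                For Each strPrefix In dictSites.Keys
                    If Left(strAddr, Len(strPrefix)) = strPrefix Then
                        strSite = dictSites(strPrefix)
                        Exit For
                    End If
                Next
            End If
        Next
    End If
Next

' Act on the detected site. The notice is informational: it tells the user
' what to expect at this location, it does not grant or deny anything.
Select Case strSite
    Case "brisbane"
        RunCmd "net use o: \\server_brisbane\shares"
    Case "sydney"
        RunCmd "net use o: \\server_sydney\shares"
    Case "melbourne"
        RunCmd "net use f: \\server_melbourne\finance"
    Case "smalloffice"
        RunCmd "net use o: \\localnas\shares"   ' hypothetical local share
        MsgBox "Please note you will not be able to access the XYZ Network Drive" & _
               " or your company email from this office.", _
               vbInformation, "Network notice"
    Case Else
        MsgBox "This computer is not on a recognised company network.", _
               vbExclamation, "Network notice"
End Select

WScript.Quit 0

Sub RunCmd(strCommand)
    ' Run a command with no console window (0 = hidden) and wait for it (True)
    Dim objShell
    Set objShell = CreateObject("WScript.Shell")
    objShell.Run "cmd /c " & strCommand, 0, True
End Sub
```

Run it as the logon script itself (wscript \\server\NETLOGON\site.vbs) rather than via the batch/%ErrorLevel% hop, so the exit code no longer has to carry the octet. Keep the prefix table in one place: when a subnet is added or moved, only the dictionary changes.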
Why do this with batch file gyrations when you can just link GPOs to site objects? The "bonus" being that if you add addt'l subnets or move subnets around you'll never have to edit your script.
If you're looking at this being a user logon script that you want to apply only when users logon to specific computers then you'll need to look at using loopback group policy processing as well.
joeqwerty: I think that's the gist of what MarkM was suggesting. The only drawback is if a roaming user is physically in a site that's not their home site, and the logon script maps resources in the user's home site that aren't available from the remote site (I know it sounds kooky, but stranger configurations have happened).
Evan Anderson: @joeqwerty: I guess I must not be following, then. I'd write a script that does everything that's supposed to be done when the subject user is in a given site and specify it as a logon script in a GPO linked to the correct site (using filtering mechanisms, as necessary, to ensure that it only runs for the right users / computers). There would be no "maps resources in the user's home site that aren't available" scenarios...
MikeT505: Thanks guys, I see what you mean. The other issue: one of these sites doesn't have any form of server; it's a very small office. So a batch file that runs at login would probably be better. We need the script to only map a network drive at this site and display a message to the user explaining they can't access their company email.
Evan Anderson: You don't need a server at that office to execute scripts linked from GPOs. If the computers are processing Group Policy (i.e. they can "talk to" a domain controller) while on that site's network then you can definitely deploy a logon script named in a GPO linked to the site to do what you're looking for.
joeqwerty: @Evan: I was probably overcomplicating my thinking based on what's been posted. I was thinking that the remote site might only have a connection to the home site for AD traffic and not file or email resources. So the home site user sitting at the remote site wouldn't have access to mapped drives, mailbox, etc. that exist in the home site.
MikeT505: @Evan - The site doesn't have a domain controller either.
Evan Anderson: @MikeT505: If the computers in that office have connectivity to a domain controller anywhere then they can process group policy and execute scripts named in GPOs linked to site objects.
From Evan Anderson