If you have a network share or a printer that you want to restrict access to, you will typically set permissions on it so that only those authorised to do so can access the resource.
The most efficient method of permission setting is to use a group. You then put the users in to a group and set permissions on the resource to the group. When you need to remove a user from having access (they have left for example) you just remove them from the central group and all their permissions have gone.
You can use these same group settings to control who gets a drive mapped and who is automatically set up with a printer. By combining the group membership not only to access but also to the login script you only have one thing to change to grant access to a resource.
If you add a user to a group all you need to do is get the user to log out and then log back in again and they will have access to the new resource.
If you remove a user's access then next time they login, the resource will be gone (if you are using non-persistent settings).
This function is provided by a Resource kit tool called "ifmember". This can also be downloaded from the Microsoft web site.
What "ifmember" does is check whether a user is a member of a certain group, then depending on the response (error level) the script can carry out further commands, usually using the "if" command.
For example, take a look at this short script to test whether a user is in a Windows group called "accounts".
This script asks if the member is in accounts ("ifmember accounts")
Then, if the response is not Yes ("error level 1") the script is sent to the section marked labelled next. (see Section Labels above)
If the response is Yes ("error level 0") the commands below are processed in order until the next "goto" is found.
Note: The $ after the share name indicates that the share is hidden. If you share a resource with a $ at the end then it doesn't appear in any lists that a user can find in "Network Neighbourhood". It doesn't stop anyone from connecting to it if they know the exact name, but it stops casual browsers. It can also help if you have a large number of shares on one machine, but only a few are available to a significant numbers of people as it will limit the length of the list that is seen.
You can use the same techniques for printers:
This way you can have long scripts that map drives and printers depending on the group membership which can mean many users have different combinations of printers and drive letters, but they have access to all of them.
If you are connecting some users to multiple printers (for example the usual printer is a heavy duty laser but a couple have access to a lighter but closer DeskJet) then you should play around with the order the printers are connected in to ensure that the one you want to be the default is the last printer. By doing this you can ensure people who only connect to one printer get the correct one as their default.
You may be wondering why the examples haven't been shown using something like the following:
While this would work is requires more section labels and increases administration of the script.
Using the method in most of the examples on this page means that each printer, drive mapping etc is contained under a single section label. It makes the script look neater, easier to follow and to manage. Cutting and pasting is very straight forward.
Copyright Sembee Ltd. 1998 - 2015.
Reproduction of any content on this web site is prohibited without express written consent. Use of this web site is subject to our terms and conditions.
All trademarks and registered trademarks are property of their respective owners. This site is not endorsed or recommended by any company or organisation mentioned within and is to provide guidance only and as such we cannot be held responsible for any consequences of following the advice given.
Sembee Ltd. is registered in England and Wales at 1 Carnegie Road, Newbury, Berkshire, RG14 5DJ.
Registered company number: 4704428. VAT Number GB 904 5603 43.