Reply to topic  [ 4 posts ] 
PS domain infos on the move 
Author Message
What's a life?
User avatar

Joined: Thu Apr 23, 2009 8:25 pm
Posts: 10691
Location: Bramsche
Reply with quote
I have written a script for mapping network drives based on which groups a user is a member of.

The script works well, when I am in the office. But if I boot the PC when it isn't on the network and log in, then attach to the network (either in the office or over VPN), the script fails.

Is the information in Security.Principal.NTAccount only filled in, when the user logs on when attached to the network?

The problem I am trying to solve is the following:
  1. in the office, the PCs automatically connect the correct network drives based on group policy.
  2. If the user is on the move and signs in over VPN, they don't have any of their mapped drives.
  3. each user has a different set of network drives (only P: is common to all users, their personal directory).
  4. the script works through all of the groups that the user is a member of and attaches the relevant drive for each group.

Code:
$id =  [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $id.Groups |foreach-object{ $_.Translate([Security.Principal.NTAccount]) }
if($groups -contains "domain\rg_admin")
{
   echo "Drive A:\ mapped to Admin"
   net use A: \\w2k12-fs-01\Admin /persistent:no
}

if ($groups -contains "domain\rg_Bookkeeping")
{
   echo "Drive B:\ mapped to Bookkeeping"
   net use B: \\w2k12-fs-01\Buchhaltung /persistent:no
}
...


As stated above, this works fine, if the user logs in when on the network (when they don't actually need the script - you have to first remove all mapped drives to test the script!), but if they log on offline, then attach to the network, the script fails.

Edit: It works if I disconnect the PC in the office and reboot. If I am at home and connect over VPN it doesn't work - error translates to roughly "clients credentials couldn't be confirmed by the domain".

_________________
"Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari

Executive Producer No Agenda Show 246


Tue Mar 21, 2017 3:10 pm
Profile ICQ
What's a life?
User avatar

Joined: Thu Apr 23, 2009 7:26 pm
Posts: 17040
Reply with quote
OK, just a theory...

'Security.Principal.NTAccount' is actually a.. manifestation of an authenticated credential token, most likely a Kerberos ticket. When you log in and you're on the network, you get that ticket from the network's DC (assuming it has one) and therefore that ticket is also considered valid on any other resource which auths against the same DC/AD/Forest/whatever. When you login and your PC can't see the DC at the time, it generates it's own auth token/ticket, which nothing else on the network knows anything about.

So basically when you log in on the network the auth token is issued by the DC, so you get to use SSO with any resources that are also secured against credentials from that DC. When you log on and you're off the network you're only getting local login, so no SSO.

I assume in this case you can't make a VPN connection until you're logged into the PC in question, by which point it's too late as you already have 'local' credentials? Can your script force an auth against the DC (or at least a check if such authentication has happened) before attempting to map any drives?

Hmm. I'd possibly expect the 'net use' command would do that, but maybe it's not doing.


Tue Mar 21, 2017 6:58 pm
Profile
Doesn't have much of a life

Joined: Sat Apr 25, 2009 6:50 am
Posts: 1911
Reply with quote
If you map with persistent: yes they would get a little pop up if they start Windows outside the office saying their drives couldn't connect, but the drives should remain present and if they just click the little X when the VPN is up it will connect.

Or you could overengineer it with a couple of code blocks.

Start with a begin {} block. In here you can bung a test-connection to something inside your domain, if that returns nothing tell it to start-sleep 300 and then run again, maybe give up after $x attempts. That way you can give the user a few minutes to fire up their VPN. When the test-connection returns $true have it move to what you have there in a process{} block and everything should be set up to run happily by now.


Tue Mar 21, 2017 11:42 pm
Profile
What's a life?
User avatar

Joined: Thu Apr 23, 2009 8:25 pm
Posts: 10691
Location: Bramsche
Reply with quote
Reading Jon's reply, I came to ShockWaffle's conclusion.

I'll try forcing a connection to the home directory, this should work and should force an authentication with the domain. after that the rest should hopefully work...

Thanks for the feedback. I'll let you know if I get any further.

_________________
"Do you know what this is? Hmm? No, I can see you do not. You have that vacant look in your eyes, which says hold my head to your ear, you will hear the sea!" - Londo Molari

Executive Producer No Agenda Show 246


Wed Mar 22, 2017 5:26 am
Profile ICQ
Display posts from previous:  Sort by  
Reply to topic   [ 4 posts ] 

Who is online

Users browsing this forum: No registered users and 16 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group
Designed by ST Software.