x404.co.uk
http://x404.co.uk/forum/

PS domain infos on the move
http://x404.co.uk/forum/viewtopic.php?f=4&t=26131

Author:  big_D [ Tue Mar 21, 2017 3:10 pm ]
Post subject:  PS domain infos on the move

I have written a script for mapping network drives based on which groups a user is a member of.

The script works well, when I am in the office. But if I boot the PC when it isn't on the network and log in, then attach to the network (either in the office or over VPN), the script fails.

Is the information in Security.Principal.NTAccount only filled in when the user logs on while attached to the network?

The problem I am trying to solve is the following:
  1. In the office, the PCs automatically connect the correct network drives based on group policy.
  2. If the user is on the move and signs in over VPN, they don't have any of their mapped drives.
  3. Each user has a different set of network drives (only P: is common to all users, their personal directory).
  4. The script works through all of the groups that the user is a member of and attaches the relevant drive for each group.

Code:
# Get the identity of the logged-on user and translate each group SID to a DOMAIN\name account
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $id.Groups | ForEach-Object { $_.Translate([Security.Principal.NTAccount]) }

# One block per group: map the drive only if the user is a member
if ($groups -contains "domain\rg_admin")
{
   echo "Drive A:\ mapped to Admin"
   net use A: \\w2k12-fs-01\Admin /persistent:no
}

if ($groups -contains "domain\rg_Bookkeeping")
{
   echo "Drive B:\ mapped to Bookkeeping"
   net use B: \\w2k12-fs-01\Buchhaltung /persistent:no
}
...


As stated above, this works fine if the user logs in when on the network (when they don't actually need the script - you have to first remove all mapped drives to test the script!), but if they log on offline and then attach to the network, the script fails.

Edit: It works if I disconnect the PC in the office and reboot. If I am at home and connect over VPN it doesn't work - the error translates to roughly "client's credentials couldn't be confirmed by the domain".

Author:  jonbwfc [ Tue Mar 21, 2017 6:58 pm ]
Post subject:  Re: PS domain infos on the move

OK, just a theory...

'Security.Principal.NTAccount' is actually a... manifestation of an authenticated credential token, most likely a Kerberos ticket. When you log in and you're on the network, you get that ticket from the network's DC (assuming it has one), and therefore that ticket is also considered valid on any other resource which auths against the same DC/AD/Forest/whatever. When you log in and your PC can't see the DC at the time, it generates its own auth token/ticket, which nothing else on the network knows anything about.

So basically when you log in on the network the auth token is issued by the DC, so you get to use SSO with any resources that are also secured against credentials from that DC. When you log on and you're off the network you're only getting local login, so no SSO.

I assume in this case you can't make a VPN connection until you're logged into the PC in question, by which point it's too late as you already have 'local' credentials? Can your script force an auth against the DC (or at least a check if such authentication has happened) before attempting to map any drives?

Hmm. I'd possibly expect the 'net use' command would do that, but maybe it's not doing.

Author:  ShockWaffle [ Tue Mar 21, 2017 11:42 pm ]
Post subject:  Re: PS domain infos on the move

If you map with /persistent:yes, they would get a little pop-up if they start Windows outside the office saying their drives couldn't connect, but the drives should remain present, and if they just click the little X when the VPN is up it will connect.

Or you could overengineer it with a couple of code blocks.

Start with a begin {} block. In here you can bung a test-connection to something inside your domain; if that returns nothing, tell it to start-sleep 300 and then run again, maybe giving up after $x attempts. That way you can give the user a few minutes to fire up their VPN. When the test-connection returns $true, have it move on to what you have there in a process {} block, and everything should be set up to run happily by now.
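A version of ShockWaffle's wait-then-map approach, written as an added example rather than code from the thread: it retries Test-Connection against the file server before touching group membership, so the SID-to-name translation and net use only run once the domain can answer, and it gives up after a bounded number of attempts instead of looping forever. The group-to-share table, the retry counts, and using w2k12-fs-01 as the reachability target are assumptions, not something the thread specifies.

```powershell
# Added example (not the poster's script). Assumptions: file server w2k12-fs-01,
# domain NetBIOS name "domain", and the two group/share pairs from the post.
param(
    [string]$FileServer   = 'w2k12-fs-01',
    [int]   $MaxAttempts  = 10,
    [int]   $RetrySeconds = 30
)

# Which drive letter and share each group should receive.
$mappings = @(
    @{ Group = 'domain\rg_admin';       Drive = 'A:'; Share = "\\$FileServer\Admin" }
    @{ Group = 'domain\rg_Bookkeeping'; Drive = 'B:'; Share = "\\$FileServer\Buchhaltung" }
)

# Wait until the file server answers, giving the user time to bring up the VPN.
# Bounded so a laptop that never reaches the office network does not hang forever.
$attempt = 0
while (-not (Test-Connection -ComputerName $FileServer -Count 1 -Quiet)) {
    $attempt++
    if ($attempt -ge $MaxAttempts) {
        Write-Warning "$FileServer not reachable after $MaxAttempts attempts; not mapping drives."
        exit 1
    }
    Start-Sleep -Seconds $RetrySeconds
}

# Resolve group membership only now, once a domain controller can answer SID lookups.
# A SID that still cannot be translated is skipped rather than aborting the whole script.
$id     = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $id.Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null }
} | Where-Object { $_ }

foreach ($m in $mappings) {
    if ($groups -contains $m.Group) {
        # Drop any stale mapping on this letter first; errors from a missing mapping are ignored.
        cmd /c "net use $($m.Drive) /delete /yes >nul 2>&1"
        Write-Host "Mapping $($m.Drive) to $($m.Share)"
        net use $m.Drive $m.Share /persistent:no
    }
}
```

Run it once per logon (for example from a scheduled task triggered at logon); -contains compares strings case-insensitively, so DOMAIN\rg_admin from the translation matches the lowercase entries in the table.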

Author:  big_D [ Wed Mar 22, 2017 5:26 am ]
Post subject:  Re: PS domain infos on the move

Reading Jon's reply, I came to ShockWaffle's conclusion.

I'll try forcing a connection to the home directory; this should work and should force an authentication with the domain. After that the rest should hopefully work...

Thanks for the feedback. I'll let you know if I get any further.

All times are UTC