
Group:  English: Windows Server » microsoft.public.windows.server.scripting
Thread: nested group not getting mapped drive

nested group not getting mapped drive
"nobody" <nobody[ at ]nobody.com> 7/10/2007 4:50:43 PM
I have a script that basically maps drives and printers based on domain
local groups. It's using the winnt provider which I think should support
nested groups.

So I created one group with some users in it. The script maps drivers and
printers based on this group. Then I created another group and put it into
the first group. Now the users in the second group are not getting mapped
drives.

Any idea?


Re: nested group not getting mapped drive
"Richard Mueller [MVP]" <rlmueller-nospam[ at ]ameritech.nospam.net> 7/10/2007 5:00:37 PM

"nobody" <nobody[ at ]nobody.com> wrote in message
news:%23UJg1JxwHHA.3588[ at ]TK2MSFTNGP06.phx.gbl...
>I have a script that basically maps drives and printers based on domain
>local groups. It's using the winnt provider which I think should support
>nested groups.
>
> So I created one group with some users in it. The script maps drivers and
> printers based on this group. Then I created another group and put it into
> the first group. Now the users in the second group are not getting mapped
> drives.
>
> Any idea?
>

The WinNT provider is blind to the hierarchy of AD, including nested domain
Global and Universal security groups. It does recognize nested local groups.
You cannot use the WinNT provider to reveal membership in nested domain
groups. You must use the LDAP provider. I have an example VBScript logon
script that maps drives and printers according to group membership linked
here:

http://www.rlmueller.net/Logon3.htm

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


Re: nested group not getting mapped drive
"nobody" <nobody[ at ]nobody.com> 7/10/2007 5:37:36 PM
Hi there

I am reading this on your site, but it says winnt can reveal nested groups?

http://www.rlmueller.net/Nested%20Groups.htm


I am using Ismember function and Winnt


Re: nested group not getting mapped drive
"Richard Mueller [MVP]" <rlmueller-nospam[ at ]ameritech.nospam.net> 7/10/2007 6:19:37 PM
Quote from the link:
==========
Unfortunately, the WinNT provider cannot reveal "Nested Group" membership of
Global and Universal Security Groups. An IsMember function must use the LDAP
provider to recognize "Nested Groups". The WinNT provider will reveal nested
local groups and nested domain distribution groups.
=============
The reason is that NT domains did not support nested groups, except local.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


Re: nested group not getting mapped drive
"nobody" <nobody[ at ]nobody.com> 7/10/2007 6:26:43 PM
Maybe a stupid question, but to change my current script from winnt to ldap
it's not as simple as replacing winnt:// with ldap://, right?



Re: nested group not getting mapped drive
"Richard Mueller [MVP]" <rlmueller-nospam[ at ]ameritech.nospam.net> 7/10/2007 7:11:57 PM
No, it's not that simple. The binding strings required by LDAP can be
difficult to get used to at first. Fortunately, if this is a logon script, and
all clients have at least Windows 2000, you can use the ADSystemInfo object
to retrieve the Distinguished Name of the current user. The example I linked
uses this.

I try to explain some of the differences between the two providers, and
when each should be used in this link:

http://www.rlmueller.net/WinNT_LDAP.htm

There is a link to example binding strings. Unfortunately, revealing nested
group membership is not straightforward, even with LDAP. The logon script I
linked previously uses a recursive subroutine and saves the memberships in a
dictionary object for efficiency.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
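
The approach described in the reply above, as an added example (not part of the original thread and not the Logon3 script linked there): it binds to the current user through ADSystemInfo and the LDAP provider, walks memberOf recursively, and caches every group found in a dictionary. The group DN, drive letter and share path are hypothetical.

```vbscript
Option Explicit

Dim objSysInfo, objNetwork, objUser, objGroupList

Set objSysInfo = CreateObject("ADSystemInfo")
Set objNetwork = CreateObject("WScript.Network")
Set objGroupList = CreateObject("Scripting.Dictionary")
objGroupList.CompareMode = vbTextCompare   ' DNs compare case-insensitively

' Bind to the current user by Distinguished Name with the LDAP provider.
' The moniker is case sensitive: "LDAP://", not "ldap://".
Set objUser = GetObject("LDAP://" & EscapeDN(objSysInfo.UserName))
LoadGroups objUser

' Hypothetical group DN and share, for illustration only.
If IsMember("CN=Sales Staff,OU=Groups,DC=example,DC=com") Then
    objNetwork.MapNetworkDrive "S:", "\\fileserver.example.com\sales"
End If

Function IsMember(strGroupDN)
    ' True for direct and nested membership alike.
    IsMember = objGroupList.Exists(strGroupDN)
End Function

Sub LoadGroups(objADObject)
    ' Walk memberOf recursively. The dictionary records groups already
    ' visited, which avoids repeat binds and stops circular nesting.
    ' memberOf omits the primary group (usually Domain Users).
    Dim colGroups, strGroupDN
    On Error Resume Next
    colGroups = objADObject.GetEx("memberOf")
    If Err.Number <> 0 Then      ' attribute not set: no memberships
        Err.Clear
        On Error GoTo 0
        Exit Sub
    End If
    On Error GoTo 0
    For Each strGroupDN In colGroups
        If Not objGroupList.Exists(strGroupDN) Then
            objGroupList.Add strGroupDN, True
            LoadGroups GetObject("LDAP://" & EscapeDN(strGroupDN))
        End If
    Next
End Sub

Function EscapeDN(strDN)
    ' ADSI treats "/" as a path separator, so escape it in DNs.
    EscapeDN = Replace(strDN, "/", "\/")
End Function
```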

