• Better Network Login / Logon Scripts

    Today I want to talk about something we may not think of very often: login / logon scripts. They aren't something we deal with often once they're done, but when they're broken they have the potential to impact your entire user base. In this article I'll talk about my own methodology for developing safer logon scripts. I'm not sure if there's a proper name for them, but I call them hierarchical logon scripts. The idea is to develop a master script which in turn calls multiple child scripts, or subscripts.
    Why break down logon scripts into smaller, separate scripts? Well, even in programming circles, the days of developing a single, big monolithic program are (hopefully) gone and the accepted practice is smaller, modular pieces of code. Anyone who's forgotten to close an if / endif statement at the beginning of a single large monolithic login script knows what I'm talking about. Every if / endif statement after the error is broken and nobody gets drive / printer mappings from that point on in the login script. So how does breaking down login scripts solve that problem? Well, it doesn't solve the problem of human error, but it can help minimize the impact.

    Let's say you have two schools (school_A and school_B) with students, teachers and administrators in each school.

    Here's what a single monolithic script would look like:

    ---------------------------- Start Script ---------------------------------

    If Ingroup "school_A_students"
    map drives
    map printers
    endif

    If Ingroup "school_A_teachers"
    map drives
    map printers
    endif

    If Ingroup "school_A_administrators"
    map drives
    map printers
    endif

    If Ingroup "school_B_students"
    map drives
    map printers
    endif

    If Ingroup "school_B_teachers"
    map drives
    map printers
    endif

    If Ingroup "school_B_administrators"
    map drives
    map printers
    endif

    ---------------------------- End Script ---------------------------------

    And here is what the hierarchical equivalent script would look like:

    ---------------------------- Start Script ---------------------------------

    If Ingroup "school_A_students"
    call school_A_students.script
    endif

    If Ingroup "school_A_teachers"
    call school_A_teachers.script
    endif

    If Ingroup "school_A_administrators"
    call school_A_administrators.script
    endif

    If Ingroup "school_B_students"
    call school_B_students.script
    endif

    If Ingroup "school_B_teachers"
    call school_B_teachers.script
    endif

    If Ingroup "school_B_administrators"
    call school_B_administrators.script
    endif
    ---------------------------- End Script ---------------------------------

    So as you can see, the big difference is that none of the drive / printer mapping logic (or any other logic) specific to any of the groups lives in the master script. The master script simply tests the group membership, then passes all work associated with that group to its subscript. So what's the advantage of this? Well, the biggest advantage is that you drastically reduce the amount of editing that will ever happen to your master script. Most of the editing from that point forward will occur in your subscripts, which also limits the damage if someone editing the scripts makes a mistake.
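To make the difference in blast radius concrete, here is an added example (not part of the original article): a toy Python interpreter for the pseudo-syntax above that makes the same editing mistake, a forgotten endif, in both layouts and reports which groups still receive mappings. The `lab_users` group, the script bodies, and the rule that a called subscript is parsed with its own if / endif state are assumptions made for the illustration.

```python
# Toy interpreter for the article's pseudo-syntax (added illustration, not a
# real logon-script engine). The lab_users group and all script bodies are
# constructed for the example.
GROUPS = ["school_A_students", "school_A_teachers", "school_B_students"]

def run(name, scripts, member_of):
    """Return the mappings performed when scripts[name] runs for one user."""
    done, open_ifs = [], []          # open_ifs: truth value of each unclosed If
    for line in scripts[name].splitlines():
        if line.startswith("If Ingroup"):
            open_ifs.append(line.split('"')[1] in member_of)
        elif line == "endif":
            if open_ifs:
                open_ifs.pop()
        elif all(open_ifs):          # act only if every enclosing If is true
            if line.startswith("call "):
                # assumption: a child script is parsed with its own If stack
                done += run(line[len("call "):], scripts, member_of)
            else:
                done.append(line)
    return done

def group_logic(group, forgot_endif):
    """Per-group mapping logic; the editing mistake is a missing inner endif."""
    inner_close = [] if forgot_endif else ["endif"]
    return ['If Ingroup "lab_users"', f"map lab printer ({group})",
            *inner_close, f"map drives ({group})"]

def monolithic(broken=None):
    lines = []
    for g in GROUPS:
        lines += [f'If Ingroup "{g}"', *group_logic(g, g == broken), "endif"]
    return {"master": "\n".join(lines)}

def hierarchical(broken=None):
    scripts = {f"{g}.script": "\n".join(group_logic(g, g == broken)) for g in GROUPS}
    master = []
    for g in GROUPS:
        master += [f'If Ingroup "{g}"', f"call {g}.script", "endif"]
    scripts["master"] = "\n".join(master)
    return scripts

def served(scripts):
    """Groups whose members (in that one group only) still get a mapping."""
    return [g for g in GROUPS if run("master", scripts, {g})]

if __name__ == "__main__":
    print("monolithic, one endif missing:  ", served(monolithic("school_A_students")))
    print("hierarchical, one endif missing:", served(hierarchical("school_A_students")))
```

In the monolithic layout the unclosed block swallows every block after it, so the damage depends on how early in the file the mistake sits; in the hierarchical layout it stays inside the one subscript that was edited.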

    Cheers,

    Ernest A.