Problem with logon script

[asd]

Hey

i use logon.bat -> net use g: \\pc\share password /user:administrator
to make mapnetwork driver @ one computer. it works fine but that user can
see administrators password, how can i hide it? or maybe it can be done in
otherways?

plmk, tnx

 

[Cary Shultz [A.D. MVP]]

ASD,

What is it that you are really trying to accomplish? What operating system
is/are your client workstations? I am assuming a WIN2000 AD environment.

If you simply want to map a network drive for all of your users and you
really want to stay with the old school way ( maybe because you have WIN98
clients ) then you could use something like this as logon.bat:

net use K: /delete
net use K: \\server01\share01

net use L: /delete
net use L: \\server01\share02

net use N: /delete
net use N: \\server02\share03

net use O: /delete
net use O: \\server02\share04

Typically you do not need to use the user name and password switch when
mapping network drives because the users typically have share/ntfs
permissions to the share being mapped. So, in my example your user
community would have both share and ntfs permissions ( at least read
permissions ) to 'share01' and 'share02' and 'share03' and 'share04'.

Is this not the case with your environment?

HTH,

Cary

 

[Marin Marinov]

<snip>
Are the machines members of a domain or workgroup?
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[asd]

<snip>
Are the machines members of a domain or workgroup?

Yes they are in Domain.

mm maybe i can explain better:
I have 'bout 40 computer in a domain (domain server: win2k server)
I have a computerclass where are 14 computer (1 teachers).
I want to give access to a teacher to connect to these other computers as
administrator, but this teacher cant access other computers in a domain,
only these i have gave access. I have told that making that kind of bat
file, helps that out, but this teacher user can see in that bat file, and
see a password... maybe there are any other way to do that?

plmk, tknx

 

[Andrew Mitchell]

Yes they are in Domain.

mm maybe i can explain better:
I have 'bout 40 computer in a domain (domain server: win2k server)
I have a computerclass where are 14 computer (1 teachers).
I want to give access to a teacher to connect to these other computers as
administrator, but this teacher cant access other computers in a domain,
only these i have gave access. I have told that making that kind of bat
file, helps that out, but this teacher user can see in that bat file, and
see a password... maybe there are any other way to do that?

Why not just make the teachers account a member of the local admins group on
the PC's in question?

 

[Marin Marinov]

<snip>
Absolutely there is
If you want the teacher to be a local administrator:
1) Create an OU and place all the 14 computer accounts in it
2) Create a global group called Teachers
3) Create and link a GPO to the OU from 1)
4) Utilize Restricted Groups to add Teachers to local Administrators:

Restricted Groups policy
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs
/en-us/sag_scerestrictgroups.mspx

However, if you just need access to a share the user doesn't have to be
an administrator. You can change the share and NTFS permissions so that
Teachers have access. However,it's a best practice to create an
additional Domain Local group, give permissions to it, and put the
Global as a member.

In both cases you don't need to specify the user credentials in the
logon script. The ones of the currently logged user will automatically
be used so provided the permissions allow the teacher access, you can
use just 'net use g: \\server\share' in the script.

Feel free to repost if you have further concerns.
HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.

 

[asd]

Why not just make the teachers account a member of the local admins group
on the PC's in question?

can it be done from server?
kntx

 

[Cary Shultz [A.D. MVP]]

Jim,

You should be able to disconnect any existing drive mapping.

Cary

Can I use
net use M: /delete to disconnect a drive mapping that use to exist and is

still mapped on a Windows 2000/xp box?