Map Drives from AD - Unix genius challenge

jeremy_spolande
New Contributor

Hi,

Relatively new to this but making decent progress with help here.

This script to map drives and printers is brilliant and quite popular: http://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-membership-on-osx/

But it requires you to manually list all of your groups that are used to map drives and all of the paths that they map to. Firstly, we have hundreds, so it would take forever, and secondly, we don't really want to have to change the script and send it out to all Macs every time a group is amended.

In theory the script could be amended to do all of this from AD.

In the same way it can look up a user and see what groups that user is in, it should be able to look up groups starting with a particular naming convention, and also extract the path where it is embedded in either a "Comment" field or the name itself.

Will plough on and report back if it works, but any suggestions welcome.
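Added example (not code from this thread or from bentoms' script): the lookup described above, done in shell against constructed dscl-style output so it runs offline. It assumes a group-naming prefix of DRV_, that the AD "Comment" (Description) attribute of each drive-mapping group holds the UNC path, and a made-up corp.example.com domain and file server. SAMPLE_USER_RECORD and group_description are stand-ins for `dscl "$nodeName" -read /Users/<user>` and for a second `dscl ... -read /Groups/<group>` per group; in production both would be real dscl calls. It also adds one check the scripts in this thread do not have: the server named in the path must be in your own domain, because anyone who can edit a group's Description in AD could otherwise make every Mac mount a share they control.

```shell
#!/bin/bash
# Added example: resolve drive mappings from AD group membership plus the UNC path
# stored in each group's Description ("Comment") field. All data below is constructed.

# Constructed stand-in for `dscl "$nodeName" -read /Users/jdoe` (hostnames, domain and
# group names are made up). Multi-valued attributes print one value per line, indented.
SAMPLE_USER_RECORD='dsAttrTypeNative:memberOf:
 CN=DRV_Finance,OU=DriveMaps,OU=Groups,DC=corp,DC=example,DC=com
 CN=DRV_Marketing,OU=DriveMaps,OU=Groups,DC=corp,DC=example,DC=com
 CN=VPN_Users,OU=Groups,DC=corp,DC=example,DC=com
dsAttrTypeNative:msDS-SupportedEncryptionTypes: 28
SMBHome: \\fs01.corp.example.com\home$\jdoe
UniqueID: 1234567890'

# Constructed stand-in for reading each group's Description attribute. The second
# entry deliberately points at a host outside the domain to exercise the allowlist.
group_description() {
  case "$1" in
    DRV_Finance)   printf '%s\n' 'Finance team share: \\fs01.corp.example.com\Finance' ;;
    DRV_Marketing) printf '%s\n' '\\evil.example.net\Marketing' ;;
    *)             return 1 ;;
  esac
}

# List the CNs in memberOf that start with the naming prefix ($2), e.g. DRV_.
member_groups() {
  printf '%s\n' "$1" | awk -v prefix="$2" '
    /^dsAttrTypeNative:memberOf:/ { inblock = 1; $0 = substr($0, 27); if ($0 == "") next }
    /^[^ ]/                       { inblock = 0 }
    inblock && sub(/^ *CN=/, "")  { sub(/,.*/, ""); if (index($0, prefix) == 1) print }'
}

# Pull the first UNC path (\\host\share...) out of free text such as a Description.
extract_unc() {
  printf '%s\n' "$1" | grep -o '\\\\[^[:space:]]*' | head -n 1
}

# \\host\share\sub  ->  smb://host/share/sub
unc_to_smb_url() {
  printf 'smb:%s\n' "$(printf '%s' "$1" | tr '\\' '/')"
}

# Host component of a UNC path.
unc_host() {
  h=${1#\\\\}
  printf '%s\n' "${h%%\\*}"
}

# Only mount from file servers in our own domain (suffix is an assumption for this
# example): a Description field is writable by whoever administers the group.
is_trusted_host() {
  case "$1" in
    *.corp.example.com) return 0 ;;
    *)                  return 1 ;;
  esac
}

# Print one smb:// URL per drive-mapping group the user belongs to.
resolve_mounts() {
  record=$1; prefix=$2
  member_groups "$record" "$prefix" | while IFS= read -r group; do
    desc=$(group_description "$group") || continue
    unc=$(extract_unc "$desc")
    [ -n "$unc" ] || { printf 'no UNC path in Description of %s\n' "$group" >&2; continue; }
    if is_trusted_host "$(unc_host "$unc")"; then
      unc_to_smb_url "$unc"
    else
      printf 'refusing untrusted server in %s: %s\n' "$group" "$unc" >&2
    fi
  done
}

# smb:// URL for the user's SMBHome (the home-folder mapping in bentoms' script).
smb_home_url() {
  home=$(printf '%s\n' "$1" | sed -n 's/^SMBHome: //p' | head -n 1)
  [ -n "$home" ] || return 1
  unc_to_smb_url "$home"
}

# Hand a URL to the Finder; MOUNT_DRY_RUN=1 (the default here) only prints it.
mount_url() {
  if [ "${MOUNT_DRY_RUN:-1}" = 1 ]; then
    printf 'would mount %s\n' "$1"
  else
    osascript -e "mount volume \"$1\""
  fi
}

# Demo on the constructed data: home share first, then the group shares.
smb_home_url "$SAMPLE_USER_RECORD" | while IFS= read -r url; do mount_url "$url"; done
resolve_mounts "$SAMPLE_USER_RECORD" DRV_ | while IFS= read -r url; do mount_url "$url"; done
```

Run as-is to see the dry run; DRV_Marketing is reported on stderr and skipped because its server is not under the allowed suffix. Group names and the prefix are the only things the Mac has to know about, so adding a share becomes an AD change rather than a script change.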


bentoms
Esteemed Contributor

Glad you like my script & site!

My version in production has around 150 shares & printers for 10 offices across 3 continents.

We're also on v2.8.7!!

We save the script as an app, change the icon & version number.

We can then use Smart Groups in Casper to deploy.

Initially painful, but has worked well since.

However, what you're suggesting is elegant. I'll have a little investigate & will report back!

jeremy_spolande
New Contributor

Great stuff, thanks, it's way better than anything else I can find.

JimAllsop
New Contributor

I was wondering the same thing. Our systems folks have redone our AD setup, and all the network shares are based on your AD info. It seems right out of the box the Windows users have all their drives mapped to the drives that they are supposed to? I don't know, but it would be so nice if this could be done for the Mac side too.

frozenarse
Contributor II

Are the 'hundreds' of paths actually unique shares or are they directories under a common share?

I'm just throwing this out there as an example of how we kind of deal with this... Please don't take this as a "You are doing it wrong!" or anything like that :)

Our file servers are Windows and they are set up to use DFS. One main share would be called something like //DFSroot/Departments. That is the share you mount for everyone. Now within the 'Departments' directory you have subfolders like English, Math, Biology, etc. You use the Active Directory groups to manage who has access to see those child folders. When a Biology user goes to their "Departments drive" they only see the Biology directory listed.

This works out slick for mount scripts on the Mac because we only have to worry about a few share paths and just let AD perms iron out the rest. The same method is what we use on the Windows side so it is nice and consistent.

Not sure if any of that is applicable or not to your environment. Just thought I'd give an example of how one person is dealing with it. Good luck!

wdpickle
Contributor

We also let AD do our maps (home directories and common drives) for us, and the only thing we have to make sure of is that the read-only on the parent folder doesn't flow down to the child folder, or the users can see and browse all the files and folders on Macs.

jeremy_spolande
New Contributor

All shares accessible via one dfs location. Ahhh. That would indeed be nice.

Abishek
New Contributor II

I hope this helps. We have slightly edited [~bentoms]'s script and it works in our environment.

--- User Information

-- Get the logged in user's username
set loggedInUser to do shell script "whoami"

-- Get the user's account UniqueID as a number (dscl returns text, and a text comparison such as "501" < 1000 does not do what you want)
set accountType to (do shell script "dscl . -read /Users/" & loggedInUser & " | grep UniqueID | cut -c 11-") as integer

-- Check to see if the account is an AD account (local accounts have UniqueIDs below 1000); if it isn't, stop here before any AD lookups
if accountType is less than 1000 then
	return
end if

-- Get the nodeName from the user's account
set nodeName to do shell script "dscl . -read /Users/" & loggedInUser & " | awk '/^OriginalNodeName:/,/^Password:/' | head -2 | tail -1 | cut -c 2-"

-- Get the user's group membership from AD
set ADGroupList to do shell script "dscl " & quoted form of nodeName & " -read /Users/" & loggedInUser & " | awk '/^dsAttrTypeNative:memberOf:/,/^dsAttrTypeNative:msDS-SupportedEncryptionTypes:/' | grep .DL | sed s/' CN='//g | sed s/'.DL.*$'//g"

-- Change the text item delimiter to 'return' to correctly delimit the list captured from the shell command above (otherwise AppleScript will delimit on individual characters)
set {oldTID, AppleScript's text item delimiters} to {AppleScript's text item delimiters, return}

-- Save each text item from ADGroupList into the list ADGroups
set ADGroups to every text item of ADGroupList

-- Get the user's AD home folder and turn \\server\share\user into //server/share/user (each backslash is doubled once for AppleScript and once for sed)
set ADHome to do shell script "dscl " & quoted form of nodeName & " -read /Users/" & loggedInUser & " | grep SMBHome: | cut -c 10- | sed 's/\\\\/\\//g'"

--- Drives

-- Home Folder -- Maps the drive specified in the profile field for the AD user; carries on if the user has no home path set or it fails to mount
if ADHome is not "" then
	try
		mount volume "smb:" & ADHome
	on error
	end try
end if

-- Group Folders -- Maps the drives found in the memberOf field for the AD user; the try is inside the loop so one share that fails to mount does not stop the rest
repeat with ADGroup in ADGroups
	try
		mount volume "PROTOCOL://SERVERNAME.FQDN/" & ADGroup
	on error
	end try
end repeat

-- Revert text item delimiters back to default
set AppleScript's text item delimiters to oldTID