Map network drive script

CoXeY · 8 May 2007 at 16:55

Hello,

I plan to map network drives in our organisation using logon (and logoff) scripts.

This is fine but I am yet to come up with a solution for applying the associated credentials. Some of the shares are located outside of our active directory and require the user to "connect using a different username". To maintain current functionality I need a way to specify these alternate credentials without compromising security (i.e. including the username and password in the script).

How do you guys overcome this? Any ideas how I can too?

mike1210 · 8 May 2007 at 17:13

net use x: \\server\path /user:domain\username password

csmager · 8 May 2007 at 17:46

mike1210 said:
net use x: \\server\path /user:domain\username password

Which, I think you'll find, includes the the username and password in the script.

Although it's one of the only ways I know how (it's either that or VB Script). Both require you to put the credentials in plaintext though.

mike1210 · 8 May 2007 at 17:49

it does yes, best practise dicates you make a user account with as limited rights as possible to prevent a possible compromise or limit access to the batch file by security group or user account

optimus · 8 May 2007 at 19:57

If you want scripts like this, then look up script center on Microsofts website, there loads of examples you just cut and paste.

CoXeY · 9 May 2007 at 14:13

Thanks for the feedback so far.

I am aware that I can lock down access to the script using NTFS permissions but surely to include username and password credentials in a script is not best practice!!

Looking into this a little further i have found the "manage passwords" feature in XP which might give me a glimmer of hope!

I can write the script without including the account credentials and then set these using the "manage passwords" feature.

My only question now is can I use group policy to set the values in the "manage passwords" feature?

Cheers
Dan.

mr.bond · 10 May 2007 at 21:37

If you are wanting to access resources 'outside your active directory' I assume you mean in a different forest?

If so, why not create a trust between forests and grant whatever rights you need to the resources in the other forest, with your domain account?

CoXeY · 11 May 2007 at 09:22

Thanks bond but its actually resources located in a DMZ workgroup environment so a trust is not applicable in this case.

I had a chat with one of our developers yesterday and he mentioned that it may be possible to encode/encrypt the credentials in the script so i'm waiting to here back on that before i got any further.

Dan.

M0KUJ1N · 11 May 2007 at 10:05

We had similar concerns when creating an "end user" logon script. In the end one of my colleagues wrote it in c++ using the Windows libraries. His script actually prompted for a password to be entered but it could conceivably be embedded in the source code and then compiled.

BoomAM · 11 May 2007 at 16:02

Ive got a logon script here that allows specific drives/folders on the server to be mapped based on user groups if you want it?
Im at home now, but if you wait till Monday, i'll post the Kixstart script for it up for you. Very easy to edit.

.