
custom ADM templates

Status
Not open for further replies.

MarkLappin

IS-IT--Management
Feb 5, 2004
86
US
Howdy All,

I'm trying to develop an ADM template for use in my organization for some software that we have to track time & billing (which is very archaic and I'm trying to get them to switch out of).

Anyway, the software stores stuff that by today's standards should really go into HKEY Current User\Software but instead it puts its stuff into HKEY_Machine; the software has to be able to modify the key entries (or at least think that it can) in order to run. Initially this made me have to give everybody admin rights on their machine (when I first started). I have since started changing rights only on the affected key for the software app so that I can give users just "user" rights on the machine.

The software has 9 or 10 configuration settings in it which all involve file paths for data locations which when the software was written were all assumed to be local drives, I now have them on my network and a network share that has folders for all the various data pieces which I map a drive to the root of that share. Still though, this is a lot to configure on every machine so I'm trying to put this stuff into an ADM template.

I don't really have a test lab so I'm working with group policy on my local machine to get this stuff figured out; so far I'm being mildly successful with the development of my custom ADM template for group policy (I think, tough to tell with just one computer!).

One of the settings is however a "work station ID" which MUST be a two digit HEX number. The intent of the software is to have this be per machine but since I now keep all the billing and time files on a network I use workstation more by logon ID and thus I have a number assigned to each employee. What I would like to do is add this number to some place in their AD user profile (I have it in the IP Phone location of their profile actually) and in my group policy have some way to look something up from the profile and set it when the user logs on. Is there any way to do this?

I have the ADM template under computer configuration on my box; but I can't test the work station ID thing; can a policy setting which needs to affect MACHINE go into user configuration? Or can I leave it in computer configuration on an OU with the users not their computers and have it be applied?

Advice and help appreciated
 
Sounds to me like your best solution is to use VBScript for this. You could grab the user name, bind to their user object in AD, query for the values you want and then make the needed registry changes.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
Well, to answer one of your questions: Applying a GPO that only impacts the "Computer" side of things to an OU that contains users will have no impact on the users or the computers they are working on. Using "GPRESULT" from the command line will show you that the GPO in question was not applied because it was 'empty'.

JB
 
markdmac sounds like a good plan. I've not done that type of vbscript before, do you have (or can you point me in the direction of) example scripts to query AD and also one that makes registry changes?

Mark
 
No problem. Have to get off to work now. Give me a day and I will write you an example.

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
 
This is untested but I believe should do the trick for you.

You will need to modify the LDAP statements for your domain in 2 places and you will need to change the path and key name for the registry setting. The rest I believe should be OK to stay as is. Let me know how you make out.


Code:
'==========================================================================
'
' NAME: RetrieveADinfoSetregistry.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 8/6/2004
'
' COMMENT: <comment>
'
'==========================================================================

On Error Resume Next
Set WSHShell = CreateObject("WScript.Shell")
Set WSHNetwork = CreateObject("WScript.Network")

' Logon name (sAMAccountName) of the current user
UserString = WSHNetwork.UserName

' Look up the user's common name (cn) in AD; empty string if not found
UserFullName = GetUser2(UserString)

If UserFullName <> "" Then
    ' Bind to the user object (change the LDAP path for your domain)
    Set objUser = GetObject("LDAP://cn=" & UserFullName & ",cn=Users,dc=CompanyName,dc=com")
    objUser.GetInfo

    ' Read the ipPhone attribute and write it to the registry,
    ' but only if every step above succeeded and a value is set
    strIpPhone = objUser.Get("ipPhone")
    If Err.Number = 0 And strIpPhone <> "" Then
        path = "HKCU\Software\CompanyName\"
        WSHShell.RegWrite path & "CustomKey", strIpPhone, "REG_SZ"
    End If
End If

Public Function GetUser2(ByVal sAMAccountName)

    Dim ADCon, ADCmd, ADRec, str

    GetUser2 = ""

    Set ADCon = CreateObject("ADODB.Connection")
    Set ADCmd = CreateObject("ADODB.Command")

    ' Connect with the logged-on user's own credentials
    ADCon.Provider = "ADsDSOObject"
    ADCon.Open "Active Directory Provider"

    Set ADCmd.ActiveConnection = ADCon
    ADCmd.Properties("Cache results") = False
    ADCmd.Properties("TimeOut") = 120

    ' Change the LDAP path for your domain. Single quotes in the name
    ' are doubled so they cannot break out of the query string.
    str = "select cn, ADsPath " & _
          "from 'LDAP://cn=Users,dc=CompanyName,dc=com' " & _
          "where objectCategory='person' and sAMAccountName='" & _
          Replace(sAMAccountName, "'", "''") & "'"

    ADCmd.CommandText = str

    Set ADRec = ADCmd.Execute()

    ' No matching account: return the empty string
    If ADRec.EOF Then Exit Function

    ' Return the common name used to build the LDAP path in the caller
    GetUser2 = ADRec.Fields("cn").Value

End Function

I hope you find this post helpful. Please let me know if it was.

Regards,

Mark
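
Added example, not part of the thread and not the poster's script: a logon-script variant that checks the "two digit HEX" requirement from the original question before touching the registry, and binds to the current user through ADSystemInfo instead of a hand-built LDAP path. The registry path and value name are placeholders, and it assumes the ID is stored in ipPhone as described above.

```vbscript
' Added example. REG_VALUE is a placeholder; the ID is assumed to live in
' the user's ipPhone attribute, as described in the thread.
Option Explicit

Const REG_VALUE = "HKCU\Software\CompanyName\CustomKey"   ' placeholder

Dim sysInfo, userDn, user, rawId, wsId, shell

' ADSystemInfo returns the distinguished name of the logged-on user, so
' no domain-specific LDAP path or query string is built by hand.
Set sysInfo = CreateObject("ADSystemInfo")
userDn = Replace(sysInfo.UserName, "/", "\/")   ' "/" must be escaped in an ADsPath
Set user = GetObject("LDAP://" & userDn)

' Get raises an error when the attribute has no value; trap only that call
' instead of running the whole script under On Error Resume Next.
On Error Resume Next
rawId = user.Get("ipPhone")
If Err.Number <> 0 Then rawId = ""
On Error GoTo 0

' Directory data is untrusted input for the registry: write it only when
' it is exactly two hex digits, otherwise leave the existing value alone.
wsId = CheckedWorkstationId(rawId)
If wsId = "" Then WScript.Quit 1

Set shell = CreateObject("WScript.Shell")
shell.RegWrite REG_VALUE, wsId, "REG_SZ"

' Returns the trimmed value when it is exactly two hex digits,
' otherwise an empty string.
Function CheckedWorkstationId(ByVal value)
    Dim re
    CheckedWorkstationId = ""
    If VarType(value) <> vbString Then Exit Function
    value = Trim(value)
    Set re = New RegExp
    re.Pattern = "^[0-9A-Fa-f]{2}$"
    If Len(value) = 2 And re.Test(value) Then CheckedWorkstationId = value
End Function
```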
 