Page Last Updated: 21/02/2010
Using Windows Domain Group Membership to Control Drive Letters and Printers

If you have a network share or a printer that you want to restrict access to, you will typically set permissions on it so that only those authorised to do so can access the resource.

The most efficient method of permission setting is to use a group. You then put the users in to a group and set permissions on the resource to the group. When you need to remove a user from having access (they have left for example) you just remove them from the central group and all their permissions have gone.

You can use these same group settings to control who gets a drive mapped and who is automatically set up with a printer. By combining the group membership not only to access but also to the login script you only have one thing to change to grant access to a resource.
If you add a user to a group all you need to do is get the user to log out and then log back in again and they will have access to the new resource.
If you remove a user's access then next time they login, the resource will be gone (if you are using non-persistent settings).

This function is provided by a Resource kit tool called "ifmember". This can also be downloaded from the Microsoft web site.

What "ifmember" does is check whether a user is a member of a certain group, then depending on the response (error level) the script can carry out further commands, usually using the "if" command.

For example, take a look at this short script to test whether a user is in a Windows group called "accounts".

:accounts ifmember accounts if not errorlevel 1 goto next echo Connecting to Accounts... net use N: \\server1\accounts$ :next

This script asks if the member is in accounts ("ifmember accounts")
Then, if the response is not Yes ("error level 1") the script is sent to the section marked labelled next. (see Section Labels above)
If the response is Yes ("error level 0") the commands below are processed in order until the next "goto" is found.

Note: The $ after the share name indicates that the share is hidden. If you share a resource with a $ at the end then it doesn't appear in any lists that a user can find in "Network Neighbourhood". It doesn't stop anyone from connecting to it if they know the exact name, but it stops casual browsers. It can also help if you have a large number of shares on one machine, but only a few are available to a significant numbers of people as it will limit the length of the list that is seen.

You can use the same techniques for printers:

:accounts :accounts-printer ifmember "printer - finance" if not errorlevel 1 goto next-printer echo Connecting to Finance Printer... con2prt /cd \\server1\printer-finance$ :next-printer

This way you can have long scripts that map drives and printers depending on the group membership which can mean many users have different combinations of printers and drive letters, but they have access to all of them.

If you are connecting some users to multiple printers (for example the usual printer is a heavy duty laser but a couple have access to a lighter but closer DeskJet) then you should play around with the order the printers are connected in to ensure that the one you want to be the default is the last printer. By doing this you can ensure people who only connect to one printer get the correct one as their default.

Alternative Method

You may be wondering why the examples haven't been shown using something like the following:

:accounts-printer ifmember "printer - finance" goto accounts-printer2 goto next-printer :accounts-printer2 echo Connecting to Finance Printer... con2prt /cd \\server1\printer-finance$ :next-printer

While this would work is requires more section labels and increases administration of the script.
Using the method in most of the examples on this page means that each printer, drive mapping etc is contained under a single section label. It makes the script look neater, easier to follow and to manage. Cutting and pasting is very straight forward.

About this site

This information originally started life as a page on amset.info, our community assistance site. However that site is targeted at Microsoft Exchange server, as Sembee Ltd. is a Microsoft Exchange consultancy. Therefore it was moved to its own domain in early 2010. Traffic from amset.info is directed here.

Other sites that are owned and operated by Sembee Ltd include kbsearch.info, certificatesforexchange.com, dosprompt.info, office-recovery.info, wuauclt.info, blog.sembee.co.uk, exbpa.com and amset.info.