UPDATE: Now works with Lion as it reads the correct node name as seen in Directory Utility.
Having recently started a new role, I needed a mechanism for my Mac users to map drives & printers at login.
Script Logic’s Desktop Authority is used by my new employer’s PC admins to mount drives & printers on the PC clients.
This uses AD Security Groups to map both drives & printers, & I decided to follow this methodology for the Mac clients.
This solution actually has 3 parts:
- AppleScript App
- LaunchAgent
- Postflight Script
And below, I’ll piece it all together.
AppleScript App
User Information
1st thing, we need to get the user’s name:
Then the user’s UniqueID:
Next we need to get what dscl calls the nodename. This is what you see under your search paths in Directory Utility.
The following will give you a list of all the user’s AD group memberships. This is also a live query/lookup, which means that if a user is connected externally over VPN they can also run this app to map their drives & printers:
The following will read the user’s SMBHome attribute & convert the backslashes to forward slashes so the Mac can use the URL to map the drive later. This is the same as the user’s UNCPath. We’re using this script & not the AD-Plugin to mount this drive as it will allow the user to log in even if there is an issue with their home/profile folder.
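An added example (not the author's script) of the SMBHome conversion described above, written as shell of the kind the AppleScript calls through do shell script. It validates the directory-supplied value before building the mount URL; the sample attribute line, host and share names are constructed, and the "SMBHome: value" layout is an assumption.

```shell
#!/bin/sh
# Added example: turn a directory-supplied SMBHome value into a mount URL,
# refusing anything that is not a plain \\server\share[\path] UNC path.

# Constructed sample attribute line (assumed "SMBHome: value" layout).
SAMPLE_LINE='SMBHome: \\fileserver.example.com\home$\jdoe'

# smbhome_to_url LINE: prints smb://server/share/path; returns 1 if unusable.
smbhome_to_url() {
    # Strip the attribute label and surrounding whitespace.
    unc=$(printf '%s\n' "$1" |
        sed -e 's/^SMBHome:[[:space:]]*//' -e 's/[[:space:]]*$//')
    # Nothing set for the home share: the caller simply carries on.
    [ -n "$unc" ] || return 1
    # A value spanning several lines is never a single UNC path.
    [ "$(printf '%s\n' "$unc" | wc -l)" -eq 1 ] || return 1
    # Allowlist: \\host then one or more \component parts, so quotes,
    # semicolons, backticks and similar shell metacharacters are rejected.
    printf '%s\n' "$unc" | LC_ALL=C grep -Eq \
        '^\\\\[A-Za-z0-9.-]+(\\[A-Za-z0-9._$ -]+)+$' || return 1
    # Backslashes become forward slashes; spaces are percent-encoded.
    printf 'smb:%s\n' "$(printf '%s' "$unc" | sed -e 's,\\,/,g' -e 's/ /%20/g')"
}

smbhome_to_url "$SAMPLE_LINE"
```

When the AppleScript hands a value like this to do shell script, wrapping it with quoted form of keeps it a single argument.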
Now we’re almost ready to start mapping drives & printers, but before we start, we should check whether this user’s account is a network account or a local account. If it’s local, we will skip this app.
Now that we’ve got all the user information we need, it’s time to start mapping the drives & printers, with the drives 1st:
The below will map the user’s home/profile folder. If nothing is set for the user’s home profile, the app continues. Using this method instead of mounting the user’s profile allows the user to log in even if there is an issue with the user profiles share, unlike when using the AD Plugin.
Now we want to start mapping drives. Change the below values for your environment & repeat this code for each share you wish to mount:
- GROUPNAME : AD Security Group Name that is to map the drive.
- PROTOCOL : Protocol by which to connect to the share (AFP or SMB).
- SERVERNAME.FQDN : Fully Qualified Domain Name for the server serving the share you wish to connect to.
- SHARENAME : The name of the share.
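An added example (not the author's code) of the GROUPNAME test that gates each mount, and that applies equally to the printer GROUPNAME check: group names are compared as whole entries, so membership of Finance-Admins never satisfies a rule written for Finance. The group, server and share names are constructed placeholders, and the one-group-per-line list format is an assumption.

```shell
#!/bin/sh
# Added example: decide which shares to mount from a user's group list.

# Constructed membership list, one group per line (AD names may contain spaces).
SAMPLE_GROUPS='Domain Users
Finance
Design Studio'

# Mapping rows: GROUPNAME|PROTOCOL|SERVERNAME.FQDN|SHARENAME (placeholders).
SHARE_MAP='Finance|smb|files01.example.com|Finance
Finance-Admins|smb|files01.example.com|FinanceAdmin
Design Studio|afp|media01.example.com|Artwork'

# in_group GROUP LIST: succeeds only if GROUP equals a whole line of LIST.
in_group() {
    printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# shares_for LIST: prints one mount URL per mapping row the user qualifies for.
shares_for() {
    printf '%s\n' "$SHARE_MAP" |
    while IFS='|' read -r group proto server share; do
        [ -n "$group" ] || continue
        # Only the two protocols the article uses are accepted.
        case $proto in afp|smb) ;; *) continue ;; esac
        if in_group "$group" "$1"; then
            printf '%s://%s/%s\n' "$proto" "$server" "$share"
        fi
    done
}

shares_for "$SAMPLE_GROUPS"
```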
Printers
Now if we just go ahead & install printers that already exist, you’ll get an error. So we need to grab a list of all installed printers & pass it to a variable.
Now to map a printer. Change the below values for your environment & repeat this code for each printer you wish to map. The error section will create a queue with a generic PPD in case the correct one cannot be found:
- GROUPNAME : AD Security Group Name that is to map the drive.
- PRINTERNAME : Name you wish the printer to be in the GUI.
- PRINTERIP : IP of printer/queue. If using a printserver this would be in the format lpd://PRINTERSERVER.FQDN/PRINTQUEUE.
- PPDLOCATION : Local path to printer PPD. NOTE: as we’re calling a shell script from within AppleScript each \ becomes \\. For example: /Library/Printers/PPDs/Contents/Resources/HP\\ DesignJet\\ 500ps\\ plus\\ C7770G.ppd.gz
- PRINTERLOCATION : Location/Description field as shown in GUI.
The code for this step is lines 63 to 72 of MapDrivesAndPrintersBasedOnADGroupMembershipOnOSX.applescript in the macmule/MapDrivesAndPrintersBasedOnADGroupMembershipOnOSX GitHub repository (master branch).
All together
Once you’ve added all the drives & printers you wish to map, save the AppleScript as an Application. Below is all the code from above cobbled together with some comment lines too.
LaunchAgent
All the above will only work when run as the user you wish to mount the drives & printers as. For this I created a LaunchAgent, as this will allow the app to run at every login & as the user logging in.
To create the LaunchAgent, copy the below. Replace APPLICATIONNAME with the name of your AppleScript application & save as com.APPLICATIONNAME.plist in /Library/LaunchAgents/ with 755 permissions.
You should be able to test this now by logging out then in on a Mac that has the app & this LaunchAgent, but you may run into an issue or 2. The below will help with that.
Postflight Script
You may come across a couple of issues at login:
- If you log in & your account is not an admin, you’ll be prompted to authenticate as an admin to install printers.
- The 1st time you log in with an AD Account on 10.6, you may not be granted a Kerberos ticket.
To resolve both, we’ll create a postflight script that will run as part of the install process after the application & LaunchAgent have been installed.
Details on how to resolve the admin authentication prompt are given here, & details on how to make sure a Kerberos ticket is granted at 1st login are here.
So with the above, your script should look something like:
Packaging
Now we’ve got all the components, you’ll need to package them in whatever app you prefer.
But remember, test, test, test!!
