Group-Aware Logon Scripts

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

By Mark Minasi

Article from Windows NT Magazine

Write a few logon batch scripts, and you'll soon be disappointed with their shortcomings. The basic problem with batch scripts is that they're only batch files. As a result, they're no more capable than batch files.

For example, suppose you're writing a batch file and you want one kind of action to occur when an administrator runs the file and another kind of action to occur when a user runs the file. More specifically, say you have a share with some administrative tools in it called \sxl0\atools; you want to map that share to drive W when an administrator logs on but not map the drive when a nonadministrative user logs on. How do you make this distinction? How do you tell a batch file that someone's in a particular group? The command interpreter, cmd.exe, doesn't provide one simple tool, but the Microsoft Windows NT 4.0 Resource Kit includes a couple of useful tools. This month, I describe these resource kit tools that let you write more powerful batch files.

For those of you who are old-time NT, Windows, or DOS batch experts, the resource kit provides Ifmember. Many resource kit utilities run on a server, so you don't need to distribute them to workstations. But Ifmember.exe is a client-side tool and needs to be present on or available to each user's workstation to work. You can put ifmember.exe on every user's hard disk, but that's too much work. An easier way is to put ifmember.exe into the same directory as the logon batch files. (The Netlogon directory is the default directory when the logon batch file is running. Ergo, putting a program into Netlogon installs the program instantly, hands-off.)

If member is a simple program; it looks like

IFMEMBER groupl group2 group3... 

where the groups are the names of user groups. If the group's name includes a space between letters, such as Domain Admins, enclose the name in quotation marks. If the person running Ifmember is a member of one of the groups named, then Ifmember ends with return code 1. You can then use Errorlevel to test for this occurrence, as in the following example:

@echo off 
ifmember "domain admins" 
if not errorlevel 1 goto user 
echo you're an admin! 
goto quit 
echo just a regular user 

This batch file checks your groups to see if you're a member of the Domain Admins group. (Note that Ifmember isn't case-sensitive.) The next line, if not errorlevel 1 goto user, checks to see if your return code is equal to 1. If the code isn't 1, the batch file skips ahead to the line user:. Then, the file displays the message just a regular user and ends. However, if the return code is equal to 1, the batch file runs the next line, displays you're an admin!, and jumps to the end of the batch file. You can implement the previous drive map example as follows:

@echo off 
ifmember administrators "domain admins" 
if not errorlevel 1 goto quit 
net use w: \\sxOl\atools 

However, Ifmember works on only NT workstations. For Windows 9x machines, KiXtart is your only option. Although the official name is KiXtart 95, you can use KiXtart to build very flexible batch files on NT and Win9x workstations. KiXtart is a complete programming environment, with a comprehensive programming language using If...Then...Else constructs and Goto and Select statements, and includes nearly all the program control you find in Basic programming. KiXtart also has a rich set of built-in functions, including a function named Ingroup that lets you write program lines such as

IF INGROUP("Domain Admins") RUN "net use w: \\sxOl\atools" 

Logon batch scripts might still cause you some frustration, but Ifmember and KiXtart will help you write significantly more flexible logon batch scripts.


Mark Minasi is a contributing editor for Windows NT Magazine, an MCSE, and the author of the upcoming Mastering Windows 2000 Server (Sybex). He writes and speaks around the world about NT networking. You can reach him at

The above article is courtesy of Windows NT Magazine. Click here to subscribe

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.

International Rights = English Only