Microsoft Scripting Woes

Microsoft Windows Server 2003 and Windows XP scripts (I’m talking about command-line stuff that most people don’t even know exists) can be really handy or really annoying, but usually they seem to be both.

I am a technology director for a private school with around 700 students and 80 staff members. Every year half the students get their login credentials deleted and recreated. Teachers move from one classroom to another, needing access to different network printers. On top of that we have a few Windows 98 machines around that can be troublesome when dealing with mapped drives and whatnot, but are usually solid.

The issues I run into every year are these:

First, printer issues:

Adding printers to a machine that more than one person will log in to…

To deal with this you used to (win9x) be able to just add a printer. Now if you don’t want to go through Group Policy and change things there you have to run a little script that globally adds the printer to the machine:

rundll32 printui.dll,PrintUIEntry /ga /c\\computerName /n\\serverName\printerShareName
sc \\computerName stop spooler
sc \\computerName start spooler

This works great but it’s a HUGE pain to do across twenty or thirty machines when there should just be a GUI that can help you through it.

Next is user additions:

I have to add around 350 student users to our system and give them proper access to their home directories on the network etc. This ends up looking like this text for every user:
dsadd user "CN=UserName, OU=students, OU=users, dc=ourdomain, dc=local" -samid UserName -display "FirstName LastName" -upn [email protected] -pwd Password -fn FirstName -ln LastName -mustchpwd yes -loscr student.bat -memberof "cn=students, ou=groups, dc=ourdomain, dc=local" -hmdrv u: -hmdir "\\ServerName\students\UserName"

Which is fine, I run it in a batch file mail-merged from a spreadsheet and they all get added in a couple minutes, but there is no error log and it does not create the user’s home folder with the proper permissions.

So, they’re generally good, but lack a couple of things. Now I have a problem because I don’t have directories for the new users that we created with that last script, so I have to do this:

I create a really bad macro that manually opens the properties of every new student in Active Directory (the authentication management GUI). The macro goes to the homedirectory section and changes where it’s pointing then changes it back and saves. This creates the directory.

Unfortunately this leaves all student users with full access to their directory which means they can delete their own entire directory. I now have to edit the access control list for each directory to set admins with full access and each user with Read/Write/Change access only.

cacls foldername /t /p builtin\Administrators:F
cacls foldername /e /t /g ourdomain\username:C

Also good, but there is no switch to run it quiet so you have to choose (Y/N) every time you set administrator with full privileges. Poor planning on their part, a long time hitting Y then ENTER on my part.
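The home-directory creation and the two cacls calls above can be driven from one batch file that also keeps a log. This is an added example, not the author's script: users.txt (one account name per line), the log file name and the `echo y|` pipe that answers the cacls prompt are assumptions, and ServerName and ourdomain are the page's own placeholders.

```batch
@echo off
rem Added example, not the author's script.
rem Assumed input: users.txt beside this file, one account name per line.
rem ServerName and ourdomain are the placeholders used in the post.
setlocal
set "HOMEROOT=\\ServerName\students"
set "DOMAIN=ourdomain"
set "LOG=%~dp0homedirs.log"

echo ==== run started %DATE% %TIME% ==== >> "%LOG%"
for /f "usebackq delims=" %%u in ("%~dp0users.txt") do call :provision "%%u"
echo ==== run finished %DATE% %TIME% ==== >> "%LOG%"
endlocal
goto :eof

:provision
rem %~1 is the account name with the surrounding quotes removed.
set "USERDIR=%HOMEROOT%\%~1"
if not exist "%USERDIR%" mkdir "%USERDIR%" >> "%LOG%" 2>&1
if not exist "%USERDIR%" (
    echo FAILED %~1: could not create the home directory >> "%LOG%"
    goto :eof
)
rem Replace the ACL so that only Administrators hold Full Control.
rem cacls asks "Are you sure (Y/N)?" for this form; the piped "y" answers it.
echo y| cacls "%USERDIR%" /t /p builtin\Administrators:F >> "%LOG%" 2>&1
rem Edit (/e) the ACL to grant the student Change instead of Full Control,
rem so the student can read and write files but cannot rewrite the ACL.
cacls "%USERDIR%" /e /t /g %DOMAIN%\%~1:C >> "%LOG%" 2>&1
rem Both cacls outputs, including any error text, land in the log above.
echo PROCESSED %~1 >> "%LOG%"
goto :eof
```

After a run, search homedirs.log for FAILED lines and for cacls error text before handing out accounts.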

That’s it; I’m reminded of these issues every year as school begins. Justin advised me to release my tension in blog form, so there it is.