Tuesday, June 8, 2010

Login Script Not Working - Curse of the Variant Return Type

We were setting up some new users the other day because we are adding seats to our call center business. The setup was slightly different than our other setups have been for the call center because these agents are working out of our Draper, Utah location. We previously did not have any agents at this location.

Everything was working really well, until we found out the login script was not mapping the drive that the call center agents needed to run the call center application. Of course, we could map the drive manually, but it was super frustrating because we have used variations of the same login script for a long time and have never had any issues. So, I started looking at the script and troubleshooting the issue.

The login script is a pretty simple VBScript that loops through the user's group membership and maps drives based on those groups. I started by adding some messages to the VBScript to make sure the script was running. One message box displayed the groups as it looped through and determined drive mappings. For these agents, it displayed one message box, but it was blank where it should have had a group name. The weird part is that the call center supervisor's script was displaying his group membership and mapping the drive correctly. So, I started looking at the differences between the supervisor's user object and the agents' user objects.

The main difference between the user objects was that the call center supervisor was a member of two groups other than 'Domain Users', and, in the spirit of least privilege, the call center agents were only members of one group other than 'Domain Users'. So, for a quick test I added another group to an agent, and, crazy as it sounds, the script started mapping the drives. Great, so the problem was "fixed" (read patched), but the "solution" (read workaround) drove me crazy, so I did some research to find out why the number of groups mattered.

I looked up the memberOf attribute of the Active Directory user object that I was using to get the array of groups on Google, and this article explained it all.

Apparently, memberOf returns an array if you have more than one group (other than 'Domain Users' because 'Domain Users' is the primary group and is not returned by memberOf). However, if you have no groups (other than 'Domain Users'), it returns an empty object. Finally, if you only have one group, it returns a 'String' variable. Seriously, an array, a string, or an empty object.

Long story short, my 'For Each' loop would not work on a String variable, so that is why the script was not running correctly. So, I changed my code to account for the different return types, and the login script worked as designed regardless of how many groups the users were a member of.
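One way to account for the three return types, as an added example that is not the original login script: a helper normalizes whatever memberOf returned into an array before the 'For Each' loop, so a least-privilege user with a single group is handled the same way as everyone else. The group DNs, the share path and the function names are constructed for illustration, and the mappings are echoed rather than applied so it runs under cscript without a domain.

```vbscript
Option Explicit

' Normalize the Variant returned by objUser.memberOf into an array of DNs.
Function GroupsAsArray(varMemberOf)
    If IsArray(varMemberOf) Then
        GroupsAsArray = varMemberOf               ' two or more groups
    ElseIf IsEmpty(varMemberOf) Or IsNull(varMemberOf) Then
        GroupsAsArray = Array()                   ' primary group only
    Else
        GroupsAsArray = Array(CStr(varMemberOf))  ' exactly one group: a String
    End If
End Function

' Return the drive mappings that apply to a user, one per line.
Function MappingsFor(varMemberOf, dictMap)
    Dim arrGroups, strDN, strOut
    arrGroups = GroupsAsArray(varMemberOf)
    strOut = ""
    For Each strDN In arrGroups
        If dictMap.Exists(strDN) Then strOut = strOut & dictMap(strDN) & vbCrLf
    Next
    If strOut = "" Then strOut = "(no mappings)" & vbCrLf
    MappingsFor = strOut
End Function

' Constructed sample data: hypothetical group DNs and share paths.
Const AGENTS = "CN=CallCenterAgents,OU=Groups,DC=example,DC=com"
Const SUPERS = "CN=CallCenterSupervisors,OU=Groups,DC=example,DC=com"

Dim dictMap
Set dictMap = CreateObject("Scripting.Dictionary")
dictMap.CompareMode = vbTextCompare               ' DNs are case-insensitive
dictMap.Add AGENTS, "K: \\fileserver\callcenter"
dictMap.Add SUPERS, "R: \\fileserver\reports"

' In a real login script the first argument would be the user's memberOf
' value; here the three shapes described above are passed in directly.
WScript.Echo "No groups:"  & vbCrLf & MappingsFor(Empty, dictMap)
WScript.Echo "One group:"  & vbCrLf & MappingsFor(AGENTS, dictMap)
WScript.Echo "Two groups:" & vbCrLf & MappingsFor(Array(AGENTS, SUPERS), dictMap)
```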

I am sure that there are programmers out there that swear by variants, but as a return type, I am not so sure it is the best coding practice. I am sure there are people that disagree, and I look forward to their comments.