Impersonate Active Directory user in login hook

Have you simply tried an AppleScript App set to auto-run?

Your script really needs one line.

mount volume "afp://host.domain.com/ShareName"

Save it as an .app out of AppleScript Editor and then add it to the users startup items.

Do you have an OS X Server setup to allow management of settings? Both MCX and Profile Manager can handle mounts.

Reid

Apple Consultants Network

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

Ok, try

mount volume "smb://host.domain.com/ShareName"

It is just a protocol change. Save it as an .app out of AppleScript Editor and then add it to the users startup items. Works the same.

If the machines are all bound to the domain then you don't need to embed user credentials as Kerberos should take over. If you want to get crafty, make an AppleScript app the will add itself to the users startup items on first launch. Now all you need to do is push the app to everyone's Application folder. Send out a message that says click on this to setup server mounts. Then it will mount the share and add the app to startup items.

Is it possible to

use a variable in that mount statement

Of course. AppleScript requires the use of & to concatenate. So if you are looking for to get the user name of the active user, use:

set userName to short user name of (system info)

Then if the name is part of the mount path, use:

mount volume "smb://host.domain.com/" & userName

Is it possible to

make it run automatically when the user logs in - the users are students and will not necessarily do what you tell them to

Use profile manager for that. The Login Items payload allows you to define applications that will run at login. If you distribute the app to a globally available location (Applications) than all users can reference the same path. Provided the script contains nothing unique to any one user, then it can be reused by all.

Is it possible to

have it display some kind of progress bar on the screen while the mount operation is taking place so the user knows not to start doing other stuff until it's ready

AppleScript can be used to create simple UI elements. For example:

display dialog "Mounting Server"

will present a window with your message and a Cancel and OK buttons. If two buttons are too many, use:

display dialoguserNamebuttons {"ok"} default button {"ok"}

You can also use display notification if you are using notification center. And you can wrap this stuff in conditionals to check for environment conditions.

Is it possible to

deploy this app centrally from Profile Manager

So no. Profile Manager is not a software distribution solution. Use Apple Remote Desktop, JAMF, or other tools to mass distribute your software.

Please note, this is just one of many ways to solve this issue.

Reid

Apple Consultants Network

Author "Mavericks Server – Foundation Services" :: Exclusively available in Apple's iBooks Store

Author "Mavericks Server – Control and Collaboration" :: Exclusively available in Apple's iBooks Store

I was able to accomplish what your trying to do using 2 scripts and profile manager. I have a fixed applescript application that runs when any user logs in(runs as user). I was able to set it to run at login using profile manager. That gathers user information from AD to mostly determine user paths and domain within the forest. With that information it reaches out to the proper logon server and does a few things. It looks for a logon script (which you can edit at any time) to copy back to the machine and run. If the script already exists on the machine it just runs the script. It also checks the modified date and will copy a new script if it's updated at all. Currently the script that is pulled back to the machine maps drives based on a users AD Groups.

Sure! I Owe a lot credit to macmule.com, as that's where I pulled the most important part of this script. The rest I wrote on my own. Here's the first portion that runs on client machines at startup. It's importnat to note that in profile manager this is setup to run under Login Items > Items, using the path to the applescript application. NetworkDrives.app is the name of the application that it checks for on the logon server. Of course you can substitute names for whatever you choose.

try

-- Get the logged in users username

set loggedInUser to do shell script "whoami"

set accountType to do shell script "dscl . -read /Users/" & loggedInUser & " | grep UniqueID | cut -c 11-"

-- Get the Users account UniqueID

set accountType to do shell script "dscl . -read /Users/" & loggedInUser & " | grep UniqueID | cut -c 11-"

-- Get the nodeName from the Users account

set nodeName to do shell script "dscl . -read /Users/" & loggedInUser & " | awk '/^OriginalNodeName:/,/^Password:/' | head -2 | tail -1 | cut -c 2-"

--Get Users Primary Domain

set Domain to do shell script "dscl " & quoted form of nodeName & " -read /Users/" & loggedInUser & " | awk /PrimaryNTDomain:/"

-- Mount logon drive based on users Primary Domain

if Domain = "PrimaryNTDOMAIN: Domain1" then

mount volume "smb://Domain1FQDN/netlogon"

end if

if Domain = "PrimaryNTDOMAIN: Domain2" then

mount volume "smb://Domain2FQDN/netlogon"

end if

if Domain = "PrimaryNTDOMAIN: Domain3" then

mount volume "smb://Domain3FQDN/netlogon"

end if

--the delay allows time after mapping to run other commands before unmounting the logon drive

delay 4

--Checks if the logon script exists on the local machine and if not copies it from the logon server

tell application "Finder"

if not (exists ("Macintosh HD:Users:" & loggedInUser & ":NetworkDrives.app")) then duplicate file "netlogon:NetworkDrives.app" to folder ("Macintosh HD:Users:" & loggedInUser & ":")

end tell

--Compares the date of the script located on the logon server vs. locally stored copy. If server side is newer copys the new file

tell application "Finder" to set Path1 to file ("Macintosh HD:Users:" & loggedInUser & ":NetworkDrives.app")

set modDate1 to modification date of Path1

tell application "Finder" to set Path2 to file "netlogon:NetworkDrives.app"

set modDate2 to modification date of Path2

if modDate1 < modDate2 then

set source to "netlogon:NetworkDrives.app"

set destination to "Macintosh HD:Users:" & loggedInUser & ":"

tell application "Finder"

duplicate file source to folder destination with replacing

end tell

end if

--unmounts logon drive. The user may see this for a few split seconds.

tell application "Finder"

eject "netlogon"

end tell

--tells actual logon script to run

tell application "NetworkDrives.app"

activate

end tell

end try

The second portion is the actual logon script that runs and maps drive based on AD user groups.Again I owe credit to macmule for this one. This as I found out works better than trying to use the macs built in function to map a users actual share drive on a network. Check out the link below. It doesn't display correctly in Chrome. Use Safari to check it out. Just click on the Raw to see the whole script. I hope this helps.

https://macmule.com/2011/09/08/how-to-map-drives-printers-based-on-ad-group-memb ership-on-osx/