
SNAC unable to determine a Network drive

Created: 13 Mar 2012 • Updated: 21 Mar 2012 | 8 comments
This issue has been solved. See solution.

Hey Guys,

So after exactly 2 months of a case being open (Case # 416-077-920) tech support have finally told me that SNAC is unable to define a variable that is in user context (mapped drive).

So I'm just asking around to see if anyone else has a different way of achieving what I am trying to do below (in short: if you don't have any network drives mapped, run the login script, but if you do, don't run the login script).

This is my current HI policy that is now not going to work :(

If
    File Exists: \\admin\temp\snac.txt
Then
    If
        File Exists: G:\SNAC.txt
    Then
        # Laptop already has the network drives mapped
        Pass
    Else
        # Laptop doesn't have any network drives mapped, so run the login script
        Run a Program: %windir%\system32\cscript.exe \\netsvr07\sysvol\wanews.com.au\scripts\wanlogin.vbs
        Pass
    End If
Else
    If
        File Download Complete: http://sepsvr01/content/contentinfo.txt 'Target Folder' C:\Windows\Temp
    Then
        # Laptop is in remediation and cannot run the login script
        Pass
    End If
Fail

SMLatCST:

I think SNAC client runs these checks using the local system account, which won't have this mapped drive you're looking for.

What is your end requirement?

Mark Goldspink:

The end requirement is running the said login script if the user does not have any mapped network drives.

Overall clients come in to work from home using their laptops, they then connect wirelessly and HI requirements are then run (one of which is this login script). Once all HI requirements have been passed the laptop is then allowed on to the network.

The main goal here is to get SNAC to detect if the user has any mapped drives; if not, run the login script located at a specific location.

Thomas K:

This has not been tested, but you might give it a try.

Check for registry values instead of the existence of a file.

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

SMLatCST:

How are the users going to map their network drives if they only gain network access after the HI check has run? (Assuming you're using a SNAC enforcer ofc)

I'd personally incorporate the various checks (mapped drive detection and so on) into the login script itself instead of getting SNAC to do it. I think you'll need something running as the user (rather than the local system account SNAC uses) to be able to tell what the user has mapped.

In an ideal world, SNAC would be performing checks on the security of the machine itself (AV def dates, patch level, etc) and deciding network access based on those results, rather than checking for the logged on user's status.

Mark Goldspink:

If the user logs on to their laptop while not being connected to a DC they won't be able to get the default domain login script to run, hence why we are getting SNAC to run it for us. The mapped drive detection is only used to help run the login script and make sure it doesn't get run over and over again every time HI is run.

The users use their own cached login account on the laptop. So when they are at home/on the road without wireless connecting to work they can still log in to the same account and have access to the same desktop etc etc.

Now if they are connected to our wireless in the building SNAC will pick that up and 1. Change a registry key to turn on the proxy settings in IE 2. Check if the definitions are in date 3. Run the login script.

SMLatCST:

...you're trying to accomplish. Also, if I understand correctly, you're not planning to do any enforcement either, right? SNAC is only there to do the HI checks and run scripts, no blocking of network access or anything?

Going back to the mapped drives thing, as you say Symantec have confirmed SNAC can't see what is defined in the user-context. That means you'll need something outside of SNAC running in the user-context to do the checking for you.

A simple one might be to create a scheduled task to run at user logon that calls a .bat file that writes a list of the mapped drives to a file, like "net use > c:\listdrives.txt". Perhaps you can get SNAC to check this file for its contents...

Of course, you're still stuck with the actual running of the login script.  If SNAC can't run in user-context, will the users even be able to see any of these mapped drives created by SNAC?

Mark Goldspink:

There is enforcement happening as well, being taken in and out of remediation, but it seems the script part of the HI happens once the user is out of remediation, well kinda... it works good ahaha.

Correct, SNAC can't see what is defined in the user-context, only what is defined as system context. Now Tech did suggest to me to open an 'Idea' for the product which I did, and someone did come back to me with a good method of how to do it but we are still trying to work out the kinks. Here is the post if you want to read along:

https://www-secure.symantec.com/connect/ideas/hi-policy-able-define-variable-user-context

For some reason the way we had it set up everything was running perfectly fine exactly how we wanted it, except the login script kept running every time HI ran because it didn't understand that certain part of the statement that tells it not to.

Mark Goldspink:

After talking with Elisha on this Idea's thread we ended up sorting it out.

https://www-secure.symantec.com/connect/ideas/hi-policy-able-define-variable-user-context

By using 2 commands that copy/delete a file stored on the network drive we were able to successfully use SNAC in determining if certain network drives were mapped.

        cmd /c "del %windir%\Temp\SNAC.txt"

        cmd /c "copy G:\SNAC.txt %windir%\Temp\"

If the file was not able to be copied the next command would continue on to run the login script. If it was there the HI would then Pass.

        %windir%\Temp\SNAC.txt

SOLUTION
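The user-context marker-file approach SMLatCST suggested above (a logon task that records the user's mapped drives where a SYSTEM-context HI "File Exists" check can see them), written out as an added example; this is not code from the thread or from Symantec. It assumes a hypothetical script path and task name, and reuses the %windir%\Temp\SNAC.txt marker path from the accepted solution.

```powershell
# Added example, not from the thread or from Symantec. Registered as a logon scheduled task it runs
# in the interactive user's context, where mapped drives are visible, and leaves a marker file that a
# SYSTEM-context SNAC Host Integrity "File Exists" check can read. Script path and task name are
# hypothetical; the marker path matches the one used in the accepted solution.

param(
    [string]$MarkerFile    = "$env:windir\Temp\SNAC.txt",  # path the HI policy's File Exists check reads
    [string]$RequiredDrive = 'G'                           # drive letter the thread treats as "drives are mapped"
)

# Enumerate the current user's mapped network drives (Win32_MappedLogicalDisk.DeviceID looks like "G:").
$mapped = @(Get-WmiObject -Class Win32_MappedLogicalDisk |
            Select-Object -ExpandProperty DeviceID)

if ($mapped -contains ($RequiredDrive + ':')) {
    # Drive is mapped: write the marker so HI passes without re-running the login script.
    "mapped=$($mapped -join ',') at $(Get-Date -Format s)" | Set-Content -Path $MarkerFile
} else {
    # Drive is not mapped: remove any stale marker so HI falls through to the "Run a Program" step.
    Remove-Item -Path $MarkerFile -Force -ErrorAction SilentlyContinue
}

# One-time registration from an elevated prompt, after saving this file as the (hypothetical) path below:
#   schtasks /Create /TN "SNAC-MappedDriveMarker" /SC ONLOGON /F ^
#     /TR "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Write-SnacMarker.ps1"
```

Because the marker sits in a folder the user can write to, it only tells the HI policy whether the login script still needs to run; it does not prove anything about the machine's security state, so it should not be the basis for granting or denying network access.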