Mapped drive GPO not working

I have used GPOs before, but I cannot get one to map a network driver for me using a luser ogin script.
1. I have run gpupdate on the target machine
2. The Event Viewer on the target machine indicates Event ID 1704, Security Policy in the Group Policy Objects container has been applied successfully.
3. The  Group Policy Management's Group Policy Results indicates that the login script GPO was Applied Successfully.
4. The network share is available, as I manuall tested it from the target GPO machine.
5. The permissions are ok to establish the share.
6. I ran the userenv debug by making Registry changes, and I get the following text, indicating success:
USERENV(6a0.fc0) 17:02:12:637 ProcessGPO:  User has access to this GPO.
USERENV(6a0.fc0) 17:02:12:647 ProcessGPO:  GPO passes the filter check.
USERENV(6a0.fc0) 17:02:12:647 ProcessGPO:  Found functionality version of:  2
USERENV(6a0.fc0) 17:02:12:647 ProcessGPO:  Found file system path of: ......(ETC)

But I cannot get it to map a network drive!

When I type in the drive, that is supposed to be mapped via the GPO, I get the following error message: The system cannot find the drive specified.

Here is the script:
@echo off
if exist t:\ net use t: /delete
net use t: \\ris\cliffshare /persistent:no >nul

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

This is all you should need.  If T does not exist, it's silently ignored.

@echo off
net use t: /delete
net use t: \\ris\cliffshare

This needs to be in a Logon script under User Configuration.  The users must be in the inheitance path of the policy.

If \\ris doesn't work, use the FQDN instead.

cliffordgormleyAuthor Commented:
tried that Netman...still does not work...
If you go to Start>Run and enter \\ris (the ENTER) does the server open up in Explorer?  Will it open with \\  Is your share hidden? - if so, it should be \\ris\cliffshare$

Let me know.
10 Tips to Protect Your Business from Ransomware

Did you know that ransomware is the most widespread, destructive malware in the world today? It accounts for 39% of all security breaches, with ransomware gangsters projected to make $11.5B in profits from online extortion by 2019.

..should be (then ENTER) - sorry!

cliffordgormleyAuthor Commented:
Yep, I can get to it via  Start>Run and enter \\ris (the ENTER) does the server open up in Explorer?  
So is cliffshare visible on \\ris when you did that?
cliffordgormleyAuthor Commented:
yes, it is visible using just \\ris.
I was able to manually map a drive to it too.
The script is not working, even though the Group Policy Mgt says it was applied.  I am stumped.

I tried another GPO that would disable IE's Connection page, and that didnt work either, even thought Group Policy Mgt says it is.
So, if you put this in a .cmd file and run it, does it work?

@echo off
net use t: /delete
net use t: \\ris\cliffshare

If it does, then the next step is to tell me where you added this in a GPO - where it was linked, if the user accounts are below the policy, and where you saved the script.  

You should store the script for the policy here:


If you select User Config>Windows Settings>Scripts(logon/logoff)>Logon, then hit the "Show Files" button it will take you right to the folder that this script needs to be copied to.  Then use the Add button above and select it by Browsing to it.

cliffordgormleyAuthor Commented:
hello Netman
I have left work for the day, but I will try running the .cmd file directly.
The script is stored exactly where you say:  \\{domain}\SysVol\{domain}\Policies\{9D377432-3AC1-449D-BC02-6E25B7C79957}\User\Scripts\Logon

i will let you know the results of running the .cmd directly; that is a good idea.
Before I go further -

I remember sweating out a similar issue a while ago, only to find that a different logon script was manually entered in the profile tab of the AD user properties.  
You may kick yourself (or whoever entered it), but what a relief.
cliffordgormleyAuthor Commented:
let me check that tomorrow Art.  So does a login script in the profile tab prevent application of any GPOs?  I wouldnt think so, but I am learning all the time.
Clifford, can you check the OU the GPO is applied to?  I had a similar problem, and was struggling with it for ages.  Then I realised I was applying the policy to a CN, not an OU.  If you apply it to a container, you won't get policies applying.  

Can you also please run GPRESULT from the command line, with the /V option, that should tell you on the client machine exactly what policies its actually getting.  
No it doesn't prevent it, it will run concurrently.

What I'm walking you through is a step by step process of determining where the fault lies.  We know the share exists, and you can see it and map to it manually.  We will now check your script.

If that works, then the next step is to see where your GPO is linked and whether the correct elements are configured.
Next will be Security on the GPO.

Lastly, we will disable fastboot here:

Computer Configuration>Admin Templates>System>Logon :: Always wait for network at computer startup and logon = ENABLED

This will make all XP clients wait for the network stack to initialize before logging in.  Right now, they use cached credentials - which allow a faster logon, but tend to skip group policies that you may need to fire off the first time.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Also -
Suggest you do a quick download and install of the Group Policy Management Console, it is much more helpful in identifying where GPOs are linked

Also, we use RSOP (Resultant Set of Policy) to drill down to exactly which policies are applying to an object.  It's a little geeky, but if you have the time you can get THE answer there.  It also interfaces with the GP management console:;en-us;323276

To your earlier question:
Yes, the profile script will supercede any other with the same name.  The rule of thumb is that GPOs add up unless they conflict.  When they conflict the closer to the object itself (the user) applies.

The exceptions are:
There are additional settings to force or block GPO inheritance, which are not in place by default.
Permissions - users must have read permissions to the GPO itself (security tab of the GPO) for it to apply.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.