Managing Local Mapped Drives through GPO

Posted on 2011-10-11
Last Modified: 2012-05-12
Hi Everyone,

I will try to lay out the situation as best as possible.

We have a login script that maps all network drives to our machines. The problem comes in that we all have different local drive letters that map multiple devices such as 4 SD Card Slots. Is there a way to "block off" the network drive letters to be used for mapping local devices on the machine?


I have A: B: D: H: and L: being mapped locally.
We are mapping the following letters via network mappings: H:, L:, Q:, S:, T:, and Z:

I know I can go to my machine and use "Computer Management -> Disk Management" to just reassign the LOCAL letters of H and L to other letters that don't cross the network mappings BUT that's not the point of this question.

I want a way that I can pretty much "reserve" the network letters on the local machines so that network drives can be mapped throughout the office without individually going to each machine's disk management. Can this be accomplished through GPO? Is there a better solution? We do not want to assign different letters to the mapped drives.

Question by:PssTech
    LVL 38

    Expert Comment

    You are already doing this with a logon script to map network drives. You can create multiple logon scripts:
    Let's say the CEO wants to map to shares of auditing, safety and executive folders...

    You can map to a specific drive for that using a CEO logon script.

    Place that logon script in the netlogon folder and then go into Active Directory and have only the CEO run that logon script.

    Then, the IT guy needs access to files of Network shares, IT downloads, and IT audits shares:

    You can create a special logon script for the IT guy.

    Place that logon script in the netlogon folder and then go into Active Directory Users and Computers and have only the IT guy run that logon script.

    Then, you can create your Entire office logon script that maps to the typical shares.


    No reservation is needed since you are creating a logon script to a specific virtual drive.

    LVL 5

    Accepted Solution

    The reservation would be nice. Especially with all the SD card devices in new PCs which take up 6 or worse 10 drive letters.
    I guess your problem is with the H: drive which will be taken now and then by a local device.

    I looked into this a few months ago, there isn't a real good solution for this. The only advice I can give: network drives should use high drive letters (z, y, ...). Microsoft advises (don't tell me where) to use these high letters.
    New devices are just added in alphabetical order.

    Author Comment

    @ChiefIT: We already know that but that's not the issue. The issue is if the logon script contains a letter such as H:\ but the local machine maps a LOCAL DRIVE, such as an sd slot, as H:\. The local machine mapping overrides the network mapping and you can't remove the local mapping without using Computer Management -> Disk Management and assigning it a new letter. Is there a way to automatically map the local letter as something that is NOT any of the network letters I provided above?

    @peter197911: Yea I'm starting to feel there is no way to do this without locally being on the machine and remapping the sd drive to another letter.
    LVL 38

    Assisted Solution

    I See:

    I have never done that before. Instead, I am the network admin and deleted all mapped drives within my logon script. If they wanted additional drives, I would create a custom logon script for them or their department. It's much cleaner that way. What I had to do is include in my script delete all virtually mapped drives ; ) This forces them to come to you and create the second logon scripts for the other drives. This helps me manage their network drives better. I sent out a warning prior to this to all department heads that I needed them to inform me what their clients wanted mapped. After the warning, my script was edited and their mappings (locally) were deleted.
    There is a GPO to hide certain drives. You might be able to create a custom .ADM template to restrict the drives you wish to reserve. While hidden, I believe they may also NOT be able to map to these drives. If you apply this GPO to users, you can neglect to apply the GPO to the domain Admin account, and therefore the policy doesn't apply to you.

    This is a USER GPO, computer based:

    I have not tried it this way, but I think it will work for you. I might be a little more authoritative on my network. It's probably not the best customer service ploy, but I often have to remind them that they hired me for my IT expertise, and I know best ; )

    Author Closing Comment

    Thanks for your attempt on this but it seems as though what I am looking for can't be done and must be done on the local machine level itself.
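
The per-machine reassignment the thread ends on can be scripted instead of done by hand in Disk Management. The PowerShell below is an added example, not code posted by anyone in the thread: it moves removable volumes off the network letters listed in the question. `Get-FreeLetter` and the `-Apply` switch are names made up for this example, and it assumes the card-reader slots show up as removable `Win32_Volume` instances (DriveType 2) and that the script runs elevated.

```powershell
# Added example: move removable volumes off letters reserved for network mappings.
# Run elevated. Without -Apply it only reports what it would change.
param([switch]$Apply)

# Network letters taken from the question in this thread.
$Reserved = 'H', 'L', 'Q', 'S', 'T', 'Z'

function Get-FreeLetter {
    param([string[]]$InUse, [string[]]$Reserved)
    # First letter from D to Z that is neither assigned locally nor reserved.
    foreach ($code in 68..90) {
        $letter = [string][char]$code
        if ($InUse -notcontains $letter -and $Reserved -notcontains $letter) {
            return $letter
        }
    }
    return $null
}

# Every local volume that currently holds a drive letter (DriveLetter looks like "H:").
$volumes = @(Get-CimInstance -ClassName Win32_Volume -Filter 'DriveLetter IS NOT NULL')
$inUse   = @($volumes | ForEach-Object { $_.DriveLetter.Substring(0, 1) })

foreach ($vol in $volumes) {
    $current = $vol.DriveLetter.Substring(0, 1)
    # DriveType 2 = removable; fixed disks and optical drives are left alone.
    if ($vol.DriveType -ne 2 -or $Reserved -notcontains $current) { continue }

    $target = Get-FreeLetter -InUse $inUse -Reserved $Reserved
    if (-not $target) {
        Write-Warning "No free letter left for ${current}:"
        continue
    }
    if ($Apply) {
        # Win32_Volume.DriveLetter is writable; this is the scripted Disk Management change.
        Set-CimInstance -InputObject $vol -Property @{ DriveLetter = "${target}:" }
    }
    Write-Output "${current}: -> ${target}: (applied: $($Apply.IsPresent))"
    # The old letter is now free for the network mapping; the new one is taken.
    $inUse = @($inUse | Where-Object { $_ -ne $current }) + $target
}
```

Run it once without `-Apply` to review the planned moves. Letters held only by network mappings in a user session are not visible to `Win32_Volume`, so every network letter has to be in `$Reserved`.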
