[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 242
  • Last Modified:

Group Policy Question

I have recently created a file server in my small duplex.  I'm using windows server 2008.  The machines are windows 7 machines.  I have multiple users at this point, and I would like to create a group that will allow users to log into their profile and have their shared folder mapped automatically to their machine regardless of where they log in.

Ex:  I have created a Folder called "File Directories" on my server.  I want to create a group called "Legal Dept", that will not only give me access to the  "File Directories" folder and/or sub folders, but that will map that directory to any machine I happen to assign my profile to.

I hope that this is clear.  Any direction that could be provided would be great.
0
OutstandingO
Asked:
OutstandingO
  • 8
  • 7
1 Solution
 
LesterClaytonCommented:
Doing this is a relatively simple task - the best way is to make use of the Client Side Extention Group Policy Objects, because you can map a drive based on user groups.  Here is a detailed instruction of how to do it :

1

Create a group in Active Directory

2

Assign the NTFS Permissions of the Group in question

3

Create a new group policy, and link it to the container which will affect all users

4

Edit the policy as follows:
Navigate to User Configuration -> Preferences -> Windows Settings -> Drive Maps
Right Click Drive Maps -> New -> Mapped Drive
On the General Tab, specify the settings you'd like the drive to have.  Example:
New Drive Properties - General
On the Common tab, check  "Run in logged-on-user's security context" and "Item-level targeting"
New Drive Properties - Common
Click "Targeting" and then, "New Item" - choose "Security Group".  Use the browse button (....) to choose your Active Directory Group
Targeting Editor

5

Click OK, and OK.  Add more drive maps as necessary (each drive map can have it's own targeting).
Your Group Policy is saved automatically - just close Group Policy Management Editor, and test a user login.
0
 
OutstandingOAuthor Commented:
Thanks for the help so far.  This has been very helpful.  

One small question however, how would I link the created group policy to the created group?
0
 
LesterClaytonCommented:
You can't link group policies to groups - you link them to Organizational Units.  If you want however, you can use Security Filtering so that the policy is only seen by a specific group.  I would suggest you use the other method though, which is the Targeting explained above.  It's more flexible than using Security Filtering.

Example:

Security Filtering
Remove "Authenticated Users" so that other groups or users can see the policy.
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
OutstandingOAuthor Commented:
Okay.  Either I've missed something or I don't have things configured correctly.

In the server box that I have there are two 1.5TB drives.  

The OS is installed on C: and the second (D:) has the desired folders that I want to share.  I've attempted what was suggested in the first screen shot, however, after I run gpupdate /force under the user profile the mapped drive does not appear.  

Did I mess up implementing the steps or in understanding the concept?

Thanks again.
0
 
LesterClaytonCommented:
Without knowing more about your environment, I can't hypothesize as to why it doesn't work.

Can you run GPRESULT /V from the command line and see if your policy is being picked up at all?

NOTE: The results may be too large to fit on your screen - you can pipe it to a text file, like so:

gpresult /v > gpresult.txt
notepad gpresult.txt

Open in new window

0
 
LesterClaytonCommented:
Something that may be hindering your testing - adding a user to a group does not give them that group's rights (yet).  The user account probably doesn't know about it's own group memberships - so be sure to update the kerberos token.  Do this by logging the user out and back in.
0
 
OutstandingOAuthor Commented:
I've checked the script that populated and I was unable to find that the policy was received.  Even though after I did the gpupdate it said that it was successful.  

 mapped drive
0
 
LesterClaytonCommented:
Your path is clearly invalid.  Please ensure that your path you've chosen is valid and you can connect to it, prior to setting it here.
0
 
OutstandingOAuthor Commented:
Hmmm.  From one of the client machines I'm able to path my way directly to that folder.  I simply coped and pasted that path in the location field specified in image 1.
0
 
LesterClaytonCommented:
It's impossible.  A UNC path cannot contain a semicolon (:)

That Path is invalid from the client point of view.  From the client try to browse to the path using Windows Explorer.  Start with \\skynet-serv and see where you go from there.
0
 
OutstandingOAuthor Commented:
You are correct.  I attempted to type the path directly and forgot myself.  I have however path directly to the directory, copied and pasted, and the results are still the same.  The gpupdate completes without error but when I log out of the profile and log back in the path isn't mapped.

 Image1a
0
 
LesterClaytonCommented:
Excellent, we're getting a little further :)

Now, can you try the GPRESULT I suggested earlier.  Look up for comment ID 36973244

Go through the gpresult.txt file, and see that it's found the Group Policy you created.  If it hasn't make sure that:

The group policy has been linked to an Organizational Unit which is higher up than where the user sits
The computer that the user is on is a member of the domain
The user is a member of the group you've limited the GPO to (you can see this in her gpresult.txt file)

If you're still stuck ZIP up the gpresult.txt file and attach it as a file so that I may review it for you.  Give me the name of the Group and the name of the GPO too, so I can match it up.
0
 
OutstandingOAuthor Commented:
The name of the GPO is SND File Directory.  The name of the Group is SND File Group
gpresult.zip
0
 
yo_beeDirector of ITCommented:
I have one question. If you are using Item level targeting why apply to security fillterimg to the group or vice versa.
0
 
LesterClaytonCommented:
OK OutstandingO.

Can you tell me where this drive mapping group policy is linked?  Or better, can you show me where it's linked?

Have you linked it at all?  To link it, drag and drop the policy onto the domain skynetdomain.

See image below for an example.  after you drop it, it will ask you if you want to link it - say Yes.  Then please reboot the workstation and test again.

I also note that the user you are logged in as - Oluseun Ogunlegan, does not appear to be a member of any Legal group.  Have you made the member of the group which is being filtered out by the policy?

How to link a Group Policy Object to the Domain.
0
 
OutstandingOAuthor Commented:
LOL!!!  OH MY GOODNESS!!  If it was a snake it would have bit me!!!!  That fixed it.

I didn't drag it to the domain.  SMH.  I feel like such a fool.   I assumed by the very nature of it being created under the GPO that it would be recognized once the other groups/users were linked to it, because they were in the domain already.  SMH.  

 But I will forever sing the praises of LesterClayton!!!  Of his patience, professionalism, and his expertiece.  I thank you sir.  
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 8
  • 7
Tackle projects and never again get stuck behind a technical roadblock.
Join Now