One GPO for mapped drives with same drive letters within.

Good morning,

I'm currently looking to implement a GPO for mapped drives to replace the login scripts that are in place.

However I have come across an issue.
Initially I was going to create a separate GPO for each folder share requiring mapped drives.
But then I thought it would be better to create one GPO for all mapped drive letters required throughout the business.
I'm using the 'Item level targeting' setting based on security group membership to apply each mapping.

The main issue I have come across is that currently some scripted drive mapping letters are used to multiple locations i.e. User A has an M:\ drive mapping to M:\servername\Accounts. User B has an M:\ drive mapping to M:\servername\Marketing.
When the same drive letter is used within the GPO with Item level targeting it doesn't seem to map either of the mapped drives if User A is in the Accounts security folder but not in the Marketing security folder.
The GPO is set at the top level OU where each user is located.
If I take out one of the conflicting drive letter mappings fro the GPO the remaining mapping will work.

How can I get both mappings to work based on the Item level targeting within the same GPO?

Any help would be appreciated.

If you need any further information feel free to ask.

Cheers,
Rich
mudfrogAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

tidupCommented:
Hi,

You can define many drive map with the same letter and different item level targetting

Which OS for client ?
0
mudfrogAuthor Commented:
Client OS is Windows 7.

I think the issue is the conflicting Delete drive mapping action based on not being a member of the refeenced security group.
For e.g.
User A wants a mapping to M:\servername\Accounts
User A is placed in the FOLDER_Accounts security group which the Item level targeting setting references.
User B wants a mapping to M:\servername\Marketing.
User B is placed in the FOLDER_Marketing security group which the Item level targeting setting references.
There is a separate delete setting in the GPO to delete the M:\ drive if user IS NOT a member of either the FOLDER_Accounts or the FOLDER_Marketing security group.
0
yo_beeDirector of Information TechnologyCommented:
Have you looked into group policy preferences GPP.
Here is an article I wrote for printer deployment, but can easily apply for map drives

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_11321-Deploying-Printers-using-Group-Policy-Preferences.html
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

mudfrogAuthor Commented:
I believe it's the delete drive action based on item level targeting which is getting in the way.
I want it so if a user is not a member of FOLDER_Accounts to delete the M:\ drive.
But as there is another mapping for M:\servername\Marketing and the user who had the accounts drive mapped wouldn't be in the FOLDER_Marketing its deleting the M:\servername\Marketing drive.
I can get it to work as separate GPO's but when using the same GPO for multiple mappings using the same drive letter I can't seem to figure out the way to get it working.
0
yo_beeDirector of Information TechnologyCommented:
1:Can have the M:\  deleted on all machines and have it run once by checking off the Run Once option under Common tab.
Make this the #1 in the order.

2: Then create two new update objects with ILT for each security group you want to target.
IE.
Update, Loction, Reconnect, Label As, Use M:\.  Create a security Group called Accounting and apply,  Do the same for the Marketing. IF there are more M:\ you need to address then you just keep repeating the step two.

That should work.

So you will need to have a total of three new GPP Map items.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mudfrogAuthor Commented:
Thanks for the advice guys.

I think I have managed to find a solution.

Within the same GPO I have created 1 Delete M:\ drive action based on Item level targeting with the following settings:

the user IS NOT a member of the security group FOLDER_Accounts
AND the user is not a member of the security group FOLDER_Marketing

It will still map the drives and keep them mapped if users a separately in either of the above security groups. And remove the drive mappings if in neither of the above also. So I think this will solve my problems.
I've tested it in a test OU with a test user account and it appears to be working OK.
0
yo_beeDirector of Information TechnologyCommented:
I though that is what you were doing and it was not applying.
That is basically what I suggested, but clean it up.  If you get new members of either group then they will get the Map drive.  If you leave yours the way you stated  you get new members add they may not get the map drive.
You will need one for each Security Group you want to target.
0
mudfrogAuthor Commented:
I had separate delete actions for either the Accounts and Marketing drive map within the same GPO, which I think were conflicting with each other.

Once I figured out the wording for the delete action being AND and not OR it seems to be OK and I was able to combine the same delete action.

The GPO is setup purely for mapping drives and will only target security groups called FOLDER_Accounts or FOLDER_Marketing etc...

Could you explain why you say 'If you leave yours the way you stated  you get new members add they may not get the map drive.'
I'm not sure why the above solution wouldn't do the job if new members are added?

Any advice on where to link the GPO for the mapped drives? Would it be best at the top OU level or link it to separate department OU's?
0
yo_beeDirector of Information TechnologyCommented:
Oh.
That makes sense.

I think the GPO needs to apply to a user and if they are part of a Group.
So you want it at the highest part of your hierarchy that covers all users that would be in one of these two groups and not to high that it applies user settings to a user that should not get them.
You can also control how the GPO itself is processed by using security context. So rather than applying the GPO to all authenticated users you can apply it to ACCOUNT and Marketing groups.
So if a user is not part either group the GPO is completely skipped. So placing this at the highest level would still apply to just Accounting or Marketing groups.

There are so many ways to address this. All will work.

Here is a good link
http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.