One GPO for mapped drives with same drive letters within.

Good morning,

I'm currently looking to implement a GPO for mapped drives to replace the login scripts that are in place.

However I have come across an issue.
Initially I was going to create a separate GPO for each folder share requiring mapped drives.
But then I thought it would be better to create one GPO for all mapped drive letters required throughout the business.
I'm using the 'Item level targeting' setting based on security group membership to apply each mapping.

The main issue I have come across is that currently some scripted drive mapping letters are used for multiple locations, i.e. User A has an M:\ drive mapping to M:\servername\Accounts. User B has an M:\ drive mapping to M:\servername\Marketing.
When the same drive letter is used within the GPO with Item level targeting it doesn't seem to map either of the mapped drives if User A is in the Accounts security folder but not in the Marketing security folder.
The GPO is set at the top level OU where each user is located.
If I take out one of the conflicting drive letter mappings from the GPO the remaining mapping will work.

How can I get both mappings to work based on the Item level targeting within the same GPO?

Any help would be appreciated.

If you need any further information feel free to ask.

Cheers,
Rich
mudfrog Asked:
 
yo_bee (Director of Information Technology) Commented:
1: You can have the M:\ deleted on all machines and have it run once by checking off the Run Once option under the Common tab.
Make this the #1 in the order.

2: Then create two new update objects with ILT for each security group you want to target.
I.e. Update, Location, Reconnect, Label As, Use M:\. Create a security group called Accounting and apply. Do the same for Marketing. If there are more M:\ you need to address then you just keep repeating step two.

That should work.

So you will need to have a total of three new GPP Map items.
0
 
tidup Commented:
Hi,

You can define many drive maps with the same letter and different item level targeting.

Which OS for client?
0
 
mudfrog (Author) Commented:
Client OS is Windows 7.

I think the issue is the conflicting Delete drive mapping action based on not being a member of the referenced security group.
For e.g.
User A wants a mapping to M:\servername\Accounts
User A is placed in the FOLDER_Accounts security group which the Item level targeting setting references.
User B wants a mapping to M:\servername\Marketing.
User B is placed in the FOLDER_Marketing security group which the Item level targeting setting references.
There is a separate delete setting in the GPO to delete the M:\ drive if user IS NOT a member of either the FOLDER_Accounts or the FOLDER_Marketing security group.
0
 
yo_bee (Director of Information Technology) Commented:
Have you looked into group policy preferences GPP?
Here is an article I wrote for printer deployment, but it can easily apply to mapped drives.

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_11321-Deploying-Printers-using-Group-Policy-Preferences.html
0
 
mudfrog (Author) Commented:
I believe it's the delete drive action based on item level targeting which is getting in the way.
I want it so if a user is not a member of FOLDER_Accounts to delete the M:\ drive.
But as there is another mapping for M:\servername\Marketing and the user who had the accounts drive mapped wouldn't be in the FOLDER_Marketing it's deleting the M:\servername\Marketing drive.
I can get it to work as separate GPOs but when using the same GPO for multiple mappings using the same drive letter I can't seem to figure out the way to get it working.
0
 
mudfrog (Author) Commented:
Thanks for the advice guys.

I think I have managed to find a solution.

Within the same GPO I have created 1 Delete M:\ drive action based on Item level targeting with the following settings:

the user IS NOT a member of the security group FOLDER_Accounts
AND the user is not a member of the security group FOLDER_Marketing

It will still map the drives and keep them mapped if users are separately in either of the above security groups. And remove the drive mappings if in neither of the above also. So I think this will solve my problems.
I've tested it in a test OU with a test user account and it appears to be working OK.
0
 
yo_bee (Director of Information Technology) Commented:
I thought that is what you were doing and it was not applying.
That is basically what I suggested, but clean it up.  If you get new members of either group then they will get the Map drive.  If you leave yours the way you stated  you get new members add they may not get the map drive.
You will need one for each Security Group you want to target.
0
 
mudfrog (Author) Commented:
I had separate delete actions for either the Accounts and Marketing drive map within the same GPO, which I think were conflicting with each other.

Once I figured out the wording for the delete action being AND and not OR it seems to be OK and I was able to combine the same delete action.

The GPO is set up purely for mapping drives and will only target security groups called FOLDER_Accounts or FOLDER_Marketing etc...

Could you explain why you say 'If you leave yours the way you stated  you get new members add they may not get the map drive.'
I'm not sure why the above solution wouldn't do the job if new members are added?

Any advice on where to link the GPO for the mapped drives? Would it be best at the top OU level or link it to separate department OUs?
0
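
The targeting logic from the two posts above (one Delete item whose two "is not a member" conditions are joined by AND, versus the earlier pair of separate Delete items), as an added Python model that is not part of the original thread. It assumes items are processed top to bottom with the Delete items placed last, and that the shares use the UNC form `\\servername\...`; all function and variable names are illustrative.

```python
# Simplified model (assumption): drive-map items run top to bottom, and an
# item acts only when its item-level targeting evaluates true for the user.
ACCOUNTS, MARKETING = "FOLDER_Accounts", "FOLDER_Marketing"

def member(group):
    return lambda groups: group in groups

def not_member(group):
    return lambda groups: group not in groups

def all_of(*preds):  # targeting conditions joined with AND
    return lambda groups: all(p(groups) for p in preds)

def any_of(*preds):  # targeting conditions joined with OR
    return lambda groups: any(p(groups) for p in preds)

def resolve_m_drive(items, groups):
    """Return the share left on M: after every item has been processed."""
    mapped = None
    for action, path, targeting in items:
        if targeting(groups):
            mapped = path if action == "update" else None
    return mapped

UPDATES = [
    ("update", r"\\servername\Accounts", member(ACCOUNTS)),
    ("update", r"\\servername\Marketing", member(MARKETING)),
]
# Two separate Delete items: each one fires for members of the *other* group.
SEPARATE = UPDATES + [("delete", None, not_member(ACCOUNTS)),
                      ("delete", None, not_member(MARKETING))]
# One Delete item: NOT Accounts AND NOT Marketing (the fix in the thread).
COMBINED_AND = UPDATES + [("delete", None,
                           all_of(not_member(ACCOUNTS), not_member(MARKETING)))]
# Same item with OR: still deletes M: for anyone in only one group.
COMBINED_OR = UPDATES + [("delete", None,
                          any_of(not_member(ACCOUNTS), not_member(MARKETING)))]

# Constructed sample users, keyed by which groups they belong to.
USERS = {"accounts_only": {ACCOUNTS}, "marketing_only": {MARKETING},
         "both": {ACCOUNTS, MARKETING}, "neither": set()}

def outcomes(items):
    return {name: resolve_m_drive(items, g) for name, g in USERS.items()}

if __name__ == "__main__":
    for label, items in [("separate", SEPARATE), ("AND", COMBINED_AND),
                         ("OR", COMBINED_OR)]:
        print(label, outcomes(items))
```

In this model a user who is in both groups ends up with whichever Update item runs last, so the order of the Update items decides that case.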
 
yo_bee (Director of Information Technology) Commented:
Oh.
That makes sense.

I think the GPO needs to apply to a user and if they are part of a Group.
So you want it at the highest part of your hierarchy that covers all users that would be in one of these two groups and not too high that it applies user settings to a user that should not get them.
You can also control how the GPO itself is processed by using security context. So rather than applying the GPO to all authenticated users you can apply it to ACCOUNT and Marketing groups.
So if a user is not part of either group the GPO is completely skipped. So placing this at the highest level would still apply to just Accounting or Marketing groups.

There are so many ways to address this. All will work.

Here is a good link
http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
0
Question has a verified solution.