mudfrog

One GPO for mapped drives with same drive letters within.

Good morning,

I'm currently looking to implement a GPO for mapped drives to replace the login scripts that are in place.

However I have come across an issue.
Initially I was going to create a separate GPO for each folder share requiring mapped drives.
But then I thought it would be better to create one GPO for all mapped drive letters required throughout the business.
I'm using the 'Item level targeting' setting based on security group membership to apply each mapping.

The main issue I have come across is that currently some scripted drive mapping letters are used to multiple locations i.e. User A has an M:\ drive mapping to M:\servername\Accounts. User B has an M:\ drive mapping to M:\servername\Marketing.
When the same drive letter is used within the GPO with Item level targeting it doesn't seem to map either of the mapped drives if User A is in the Accounts security folder but not in the Marketing security folder.
The GPO is set at the top level OU where each user is located.
If I take out one of the conflicting drive letter mappings from the GPO the remaining mapping will work.

How can I get both mappings to work based on the Item level targeting within the same GPO?

Any help would be appreciated.

If you need any further information feel free to ask.

Cheers,
Rich
tidup

Hi,

You can define many drive maps with the same letter and different item level targeting.

Which OS for the client?
mudfrog

ASKER

Client OS is Windows 7.

I think the issue is the conflicting Delete drive mapping action based on not being a member of the referenced security group.
For e.g.
User A wants a mapping to M:\servername\Accounts
User A is placed in the FOLDER_Accounts security group which the Item level targeting setting references.
User B wants a mapping to M:\servername\Marketing.
User B is placed in the FOLDER_Marketing security group which the Item level targeting setting references.
There is a separate delete setting in the GPO to delete the M:\ drive if user IS NOT a member of either the FOLDER_Accounts or the FOLDER_Marketing security group.
yo_bee
Have you looked into Group Policy Preferences (GPP)?
Here is an article I wrote for printer deployment, but it can easily be applied to mapped drives.

https://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/A_11321-Deploying-Printers-using-Group-Policy-Preferences.html
mudfrog

ASKER

I believe it's the delete drive action based on item level targeting which is getting in the way.
I want it so if a user is not a member of FOLDER_Accounts to delete the M:\ drive.
But as there is another mapping for M:\servername\Marketing and the user who had the accounts drive mapped wouldn't be in the FOLDER_Marketing, it's deleting the M:\servername\Marketing drive.
I can get it to work as separate GPOs but when using the same GPO for multiple mappings using the same drive letter I can't seem to figure out the way to get it working.
ASKER CERTIFIED SOLUTION
yo_bee
This solution is only available to members.
mudfrog

ASKER

Thanks for the advice guys.

I think I have managed to find a solution.

Within the same GPO I have created 1 Delete M:\ drive action based on Item level targeting with the following settings:

the user IS NOT a member of the security group FOLDER_Accounts
AND the user is not a member of the security group FOLDER_Marketing

It will still map the drives and keep them mapped if users are separately in either of the above security groups. And remove the drive mappings if in neither of the above also. So I think this will solve my problems.
I've tested it in a test OU with a test user account and it appears to be working OK.
I thought that is what you were doing and it was not applying.
That is basically what I suggested, but clean it up.  If you get new members of either group then they will get the Map drive.  If you leave yours the way you stated  you get new members add they may not get the map drive.
You will need one for each Security Group you want to target.
mudfrog

ASKER

I had separate delete actions for either the Accounts and Marketing drive map within the same GPO, which I think were conflicting with each other.

Once I figured out the wording for the delete action being AND and not OR it seems to be OK and I was able to combine the same delete action.

The GPO is set up purely for mapping drives and will only target security groups called FOLDER_Accounts or FOLDER_Marketing etc...

Could you explain why you say 'If you leave yours the way you stated  you get new members add they may not get the map drive.'
I'm not sure why the above solution wouldn't do the job if new members are added?

Any advice on where to link the GPO for the mapped drives? Would it be best at the top OU level or link it to separate department OU's?
Oh.
That makes sense.

I think the GPO needs to apply to a user and if they are part of a Group.
So you want it at the highest part of your hierarchy that covers all users that would be in one of these two groups and not too high that it applies user settings to a user that should not get them.
You can also control how the GPO itself is processed by using security context. So rather than applying the GPO to all authenticated users you can apply it to ACCOUNT and Marketing groups.
So if a user is not part of either group the GPO is completely skipped. So placing this at the highest level would still apply to just Accounting or Marketing groups.

There are so many ways to address this. All will work.

Here is a good link
http://www.grouppolicy.biz/2010/05/how-to-apply-a-group-policy-object-to-individual-users-or-computer/
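
The delete-action conflict from this thread, as an added example that is not part of any poster's reply: a small Python model of item-level targeting on the M: drive items. It assumes preference items run top to bottom with the delete items listed after the map items, and it writes the shares as UNC paths; the class and helper names are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

Groups = FrozenSet[str]
Target = Callable[[Groups], bool]

@dataclass(frozen=True)
class DriveItem:
    action: str            # "map" or "delete"
    letter: str
    path: Optional[str]    # UNC path for "map"; None for "delete"
    target: Target         # item-level targeting: the item runs only if True

def member(group: str) -> Target:
    return lambda groups: group in groups

def not_member(group: str) -> Target:
    return lambda groups: group not in groups

def all_of(*targets: Target) -> Target:
    """Targeting conditions joined with AND."""
    return lambda groups: all(t(groups) for t in targets)

def apply_items(items, groups, existing=None) -> Dict[str, str]:
    """Assumed model: items run in list order; an item whose targeting is false is skipped."""
    drives = dict(existing or {})
    for item in items:
        if not item.target(frozenset(groups)):
            continue
        if item.action == "map":
            drives[item.letter] = item.path
        else:
            drives.pop(item.letter, None)
    return drives

ACCOUNTS, MARKETING = "FOLDER_Accounts", "FOLDER_Marketing"
MAPS = [
    DriveItem("map", "M", r"\\servername\Accounts", member(ACCOUNTS)),
    DriveItem("map", "M", r"\\servername\Marketing", member(MARKETING)),
]
# Two separate delete items, one per group: the conflicting setup.
SEPARATE_DELETES = MAPS + [
    DriveItem("delete", "M", None, not_member(ACCOUNTS)),
    DriveItem("delete", "M", None, not_member(MARKETING)),
]
# One delete item targeting NOT Accounts AND NOT Marketing: the setup that worked.
COMBINED_DELETE = MAPS + [
    DriveItem("delete", "M", None, all_of(not_member(ACCOUNTS), not_member(MARKETING))),
]
```

With the separate delete items, a user who is only in FOLDER_Accounts matches the "not a member of FOLDER_Marketing" delete and loses M: again; the single AND-joined delete fires only for users in neither group, which also clears a stale M: after a user leaves both groups.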