Nested groups and GPO mapping

Posted on 2014-01-30
Last Modified: 2014-02-03
We have opted to do drive mapping by GPO, using security groups as the determining factor as to who gets what mapped. The issue is, say there is a security group called Sales and there is a subgroup that is called Marketing. The Sales share contains the Marketing folder, and the Sales manager oversees all, so his security group is nested in the Marketing group. So when the GPO is created, members of the Marketing group get their mapping, and the members of the Sales group get both Marketing and Sales when all they really need is Sales, as that already contains Marketing. This is simply an example, but what I am dealing with in the real world would end up with the Manager (who has a real need to access all folders sub to Sales) having 10 different drive mappings when s/he only needs one. Any suggestions you could provide that would limit the Sales manager to simply the parent folder and not map the groups he is nested in would be highly appreciated.
Question by:juslearning
Accepted Solution

by: Coralon
ID: 39822953
The easiest thing to do is to use your Item Level targeting.

You will configure the drive mapping as
the user is a member of security group <groupname>
AND the user is not a member of the security group <groupname>

Go to the GPP for the drive mapping
Go to the Common page
Select the Item Level Targeting
In the targeting dialog:
Click New Item, and select Security Group
Enter in the correct security group information
Click New Item, and select another Security Group (or a user)
Fill in that information
Select the Item Options menu, and select Is Not.

There are obviously a *lot* of options for doing this. This technology uses WMI, so the more complicated your filtering, the slower the GPPs will be, but you can definitely accomplish what you want.

In your example (with some made-up items):
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not Joe Smith

Or you can create some negative mapping groups for this use
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not a member of NoDriveQ

Coralon
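
Added example, not part of Coralon's answer and not Microsoft's code: a small Python model of the "member of X AND Is Not member of Y" targeting applied to the nested Sales/Marketing case from the question. The `CORP` domain, share paths, drive letters and the trimmed Drives.xml sample are constructed, and the evaluation is a simplification (groups matched by name rather than SID, items combined left to right).

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a GPP Drives.xml; domain, shares and letters are made up.
DRIVES_XML = r"""
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\server\Sales" letter="S"/>
    <Filters><FilterGroup bool="AND" not="0" name="CORP\Sales"/></Filters>
  </Drive>
  <Drive name="M:">
    <Properties action="U" path="\\server\Sales\Marketing" letter="M"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Marketing"/>
      <FilterGroup bool="AND" not="1" name="CORP\Sales"/>
    </Filters>
  </Drive>
</Drives>
"""

# Nesting from the question: the Sales group is itself a member of Marketing.
NESTED_IN = {r"CORP\Sales": {r"CORP\Marketing"}}

def effective_groups(direct, nested_in):
    """Expand direct memberships through nesting, as the logon token would."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(nested_in.get(group, ()))
    return seen

def item_applies(filters, groups):
    """Combine targeting items left to right; not="1" is the 'Is Not' option."""
    result = True
    for i, f in enumerate(filters):
        match = (f.get("name") in groups) != (f.get("not") == "1")
        use_and = i == 0 or f.get("bool") == "AND"
        result = (result and match) if use_and else (result or match)
    return result

def mapped_drives(xml_text, direct, nested_in=NESTED_IN):
    """Return {letter: path} for the drive items whose targeting passes."""
    groups, drives = effective_groups(direct, nested_in), {}
    for drive in ET.fromstring(xml_text).iter("Drive"):
        if item_applies(drive.findall("./Filters/FilterGroup"), groups):
            props = drive.find("Properties")
            drives[props.get("letter")] = props.get("path")
    return drives
```

Calling `mapped_drives(DRIVES_XML, {r"CORP\Sales"})` gives the manager only the parent share, while a direct Marketing member still gets the Marketing mapping.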
Author Comment

by:juslearning
ID: 39823249
Not at work today, I will try that on Monday and see if it works... thanks.