Solved

Nested groups and GPO mapping

Posted on 2014-01-30
2
1,799 Views
Last Modified: 2014-02-03
We have opted to do drive mapping by GPO using security groups as the determining factor as to who gets what mapped, the issue is say there is a security group called Sales and there is a sub group that is called Marketing. The Sales share contains the Marketing folder, the Sales manager overseas all so his security group is nested in the Marketing group; so when the GPO is created members of the Marketing group get their mapping and the members of the Sales group get both Marketing and Sales when all they really need is Sales as that already contains Marketing. So this is simply an example but what I am dealing with in real world would end up with the Manager (who has a real need to access all folders sub to Sales) that has 10 different drive mappings when s/he only needs one. Any suggestions you could provide that would limit the Sales manager to simply the parent folder and not map the groups he is nested in would be highly appreciated.
0
Comment
Question by:juslearning
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 25

Accepted Solution

by:
Coralon earned 500 total points
ID: 39822953
The easiest thing to do is to use your Item Level targeting.

You will configure the drive mapping as
the user is a member of security group <groupname>
AND the user is not a member of the security group <groupname>

Go to the GPP for the drive mapping
Go to the Common page
Select the Item Level Targeting
In the targeting dialog:
Click New Item, and select Security Group
Enter in the correct security group information
Click New Item, and select another Security Group (or a user)
Fill in that information
Select the Item Options menu, and select Is Not.

There's obviously a *lot* of options for doing this.  This technology uses WMI, so the more complicated your filtering, the slower the GPP's will be, but you can definitely accomplish what you want.

In your example (with some made up items)
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not Joe Smith

Or you can create some negative mapping groups for this use
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not a member of NoDriveQ

Coralon
0
 

Author Comment

by:juslearning
ID: 39823249
Not at work today, I will try that on Monday and see if it works... thanks.
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Server Room Construction 4 51
Powershell to list unused Group Policy Object ? 9 88
How to add space to a free business gmail box 3 27
Setting up two DCs 4 46
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
When the s#!t hits the fan, you don’t have time to look up who’s on call, draft emails, call collaborators, or send text messages. An instant chat window is definitely the way to go, especially one like HipChat. HipChat is a true business app. An…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question