Solved

Nested groups and GPO mapping

Posted on 2014-01-30
Last Modified: 2014-02-03
We have opted to do drive mapping by GPO, using security groups as the determining factor as to who gets what mapped. The issue is this: say there is a security group called Sales and there is a sub group that is called Marketing. The Sales share contains the Marketing folder, and the Sales manager oversees all, so his security group is nested in the Marketing group. When the GPO is created, members of the Marketing group get their mapping, and the members of the Sales group get both Marketing and Sales when all they really need is Sales, as that already contains Marketing. This is simply an example, but what I am dealing with in the real world would end up with the Manager (who has a real need to access all folders sub to Sales) having 10 different drive mappings when s/he only needs one. Any suggestions you could provide that would limit the Sales manager to simply the parent folder and not map the groups he is nested in would be highly appreciated.
Question by:juslearning

Accepted Solution

by:
Coralon earned 500 total points
ID: 39822953
The easiest thing to do is to use your Item Level targeting.

You will configure the drive mapping as
the user is a member of security group <groupname>
AND the user is not a member of the security group <groupname>

Go to the GPP for the drive mapping
Go to the Common page
Select the Item Level Targeting
In the targeting dialog:
Click New Item, and select Security Group
Enter in the correct security group information
Click New Item, and select another Security Group (or a user)
Fill in that information
Select the Item Options menu, and select Is Not.

There's obviously a *lot* of options for doing this. This technology uses WMI, so the more complicated your filtering, the slower the GPPs will be, but you can definitely accomplish what you want.

In your example (with some made-up items):
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not Joe Smith

Or you can create some negative mapping groups for this use:
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not a member of NoDriveQ

Coralon
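
The targeting logic described in the answer above, as an added example that is not part of the original post: a simplified Python model of Security Group item-level targeting with an "Is Not" item, applied to the nested-group scenario from the question. The users, the SalesManagers group, the drive letters and the share paths are constructed, and the model assumes that targeting matches nested (transitive) membership and that all items on a drive are ANDed.

```python
# Simplified model of Security Group item-level targeting (constructed data).

# Direct memberships: principal -> groups it belongs to directly.
DIRECT = {
    "alice": {"Marketing"},                    # marketing staff
    "bob": {"Sales"},                          # sales staff
    "carol": {"SalesManagers"},                # sales manager
    "SalesManagers": {"Sales", "Marketing"},   # manager group nested in both
}

def effective_groups(principal):
    """Return every group the principal belongs to, following nesting."""
    seen, stack = set(), [principal]
    while stack:
        for group in DIRECT.get(stack.pop(), ()):
            if group not in seen:          # also guards against nesting loops
                seen.add(group)
                stack.append(group)
    return seen

# Drive letter -> (path, targeting items). An item is (group, is_not).
BEFORE = {
    "S:": (r"\\server\Sales", [("Sales", False)]),
    "M:": (r"\\server\Sales\Marketing", [("Marketing", False)]),
}
AFTER = {
    "S:": (r"\\server\Sales", [("Sales", False)]),
    # "Is Not" item added: skip this mapping for the manager group.
    "M:": (r"\\server\Sales\Marketing",
           [("Marketing", False), ("SalesManagers", True)]),
}

def mapped_drives(user, policy):
    """Drive letters whose targeting items all evaluate true for the user."""
    groups = effective_groups(user)
    return [letter for letter, (_, items) in sorted(policy.items())
            if all((group in groups) != is_not for group, is_not in items)]

def redundant_maps(user, policy):
    """Mapped drives whose path sits under another drive the user also gets."""
    mapped = mapped_drives(user, policy)
    paths = {d: policy[d][0].lower() for d in mapped}
    return [d for d in mapped
            if any(d != o and paths[d].startswith(paths[o] + "\\") for o in mapped)]

if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        for user in ("alice", "bob", "carol"):
            print(label, user, mapped_drives(user, policy), redundant_maps(user, policy))
```

Running `redundant_maps` over every user against a planned policy shows which mappings still need an "Is Not" item before the GPO is linked.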

Author Comment

by:juslearning
ID: 39823249
Not at work today, I will try that on Monday and see if it works... thanks.