Solved

Nested groups and GPO mapping

Posted on 2014-01-30
Last Modified: 2014-02-03
We have opted to do drive mapping by GPO, using security groups as the determining factor as to who gets what mapped. The issue is, say there is a security group called Sales and there is a sub group that is called Marketing. The Sales share contains the Marketing folder, and the Sales manager oversees all, so his security group is nested in the Marketing group; so when the GPO is created, members of the Marketing group get their mapping and the members of the Sales group get both Marketing and Sales when all they really need is Sales, as that already contains Marketing. So this is simply an example, but what I am dealing with in the real world would end up with the Manager (who has a real need to access all folders sub to Sales) having 10 different drive mappings when s/he only needs one. Any suggestions you could provide that would limit the Sales manager to simply the parent folder and not map the groups he is nested in would be highly appreciated.
Question by:juslearning

Accepted Solution

by:
Coralon earned 500 total points
ID: 39822953
The easiest thing to do is to use your Item Level targeting.

You will configure the drive mapping as
the user is a member of security group <groupname>
AND the user is not a member of the security group <groupname>

Go to the GPP for the drive mapping
Go to the Common page
Select the Item Level Targeting
In the targeting dialog:
Click New Item, and select Security Group
Enter in the correct security group information
Click New Item, and select another Security Group (or a user)
Fill in that information
Select the Item Options menu, and select Is Not.

There are obviously a *lot* of options for doing this. This technology uses WMI, so the more complicated your filtering, the slower the GPPs will be, but you can definitely accomplish what you want.

In your example (with some made-up items):
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not Joe Smith

Or you can create some negative mapping groups for this use:
Drive Q = \\server\share
Item Level targeting
User is a member of Sales
User is a member of Marketing
User is not a member of NoDriveQ

Coralon
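
Why nested membership produces the extra mappings, and how an "Is Not" targeting item removes them, shown as an added example (not code from the answer above or from Microsoft). It is a small Python model: the group names, users and drive letters are constructed, and targeting items are assumed to combine left to right with their AND/OR operator.

```python
# Added example: models Item-Level Targeting (ILT) over nested groups.
# All group names, users and drive letters below are constructed.

# group -> groups it is nested in (Sales is nested in Marketing, as in the question)
NESTED_IN = {"Sales": {"Marketing"}}
# user -> groups the user is a direct member of
DIRECT = {"alice": {"Marketing"}, "bob": {"Sales"}}

def token_groups(user):
    """Expand direct membership transitively, as a logon token carries nested groups."""
    seen, stack = set(), list(DIRECT.get(user, ()))
    while stack:
        group = stack.pop()
        if group not in seen:          # also guards against circular nesting
            seen.add(group)
            stack.extend(NESTED_IN.get(group, ()))
    return seen

# A targeting item is (operator, is_not, group); is_not models Item Options > Is Not.
BEFORE = {
    "S:": [("AND", False, "Sales")],
    "M:": [("AND", False, "Marketing")],
}
AFTER = {
    "S:": [("AND", False, "Sales")],
    "M:": [("AND", False, "Marketing"), ("AND", True, "Sales")],
}

def applies(items, groups):
    """Assumption: items combine left to right; no items means the mapping applies."""
    result = None
    for operator, is_not, group in items:
        hit = (group in groups) != is_not
        if result is None:
            result = hit
        elif operator == "AND":
            result = result and hit
        else:
            result = result or hit
    return True if result is None else result

def mapped_drives(user, mappings):
    groups = token_groups(user)
    return sorted(d for d, items in mappings.items() if applies(items, groups))

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, mapped_drives(user, BEFORE), "->", mapped_drives(user, AFTER))
```
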

Author Comment

by:juslearning
ID: 39823249
Not at work today, I will try that on Monday and see if it works... thanks.