Using variables in Home drive path in AD   -  group policy

Posted on 2015-02-06
Last Modified: 2015-02-07
Hi there,
Running server 2008 R2 domain.  Need to do:
1) Hide the home drive paths from the user sessions.  Example: At the moment all users get the   H:\\server\AllStudents\grade1\Jmisha   mapped.  How/where can I make changes in GPO to have users only see 'H:' instead of the full server path?

2) In the AD user properties, profile tab, home folder, I simply put \\server\AllStudents\grade1\%username% and the home folder with appropriate permissions is made under 'Each Grade'.  Keeping in mind that the number after the 'grade' changes for each user in different grades, what variable path can I put in so that the user home folders are successfully created for each grade?  Example:
\\server\AllStudents  = is a permanent path
grade(number)\%username% = is a variable path.  What can I use for grade(number)?

Need help
Question by:amanzoor

Expert Comment

ID: 40593931
The variables in question are set on the client.  Potentially you could create a new environment variable that is retrieved via a script mechanism for the Grade Number (I'm just not certain in the scheme of things if scripts are run before the home folder is set or after; you may have to do some testing, otherwise, you may have to use a login script to map the drive for you).

As for setting an environment variable.  What operating system is on your client computers?  If they are all Vista and above you can use SETX to set an environment variable; i.e. -

Then you could reference it in your Home Directory setting as -


Accepted Solution

Mahesh earned 250 total points
ID: 40594468
By default windows sets the mapped drive label with the associated path. Through GPO, you can set a label to the mapped drive under "Label as" option.
Create new GPO, in GPO under user configuration\preferences use drive map GP Preferences and create new home drive as drive map, do not forget to select "Run in logged user security context", otherwise GPO preference will not apply
Apply this GPO to OU containing users
If you have XP machines, download CSE for XP and install it on XP  to apply GP preferences item

Attached here settings
Drive Map
Common tab setting
Either you have to use the GPO or use logon script to map drive and rename it.

Author Comment

ID: 40594492
Mahesh and Saige;
Saige is suggesting to create the environment variable first.  Please look under preferences, drive maps, Environment.  I need help making this for my 'grade1' 'grade2' on
Then I can put this path in the drive maps like:
\\server\allstudents\%grade(1)(2)(3)......%\%username%.  Please help me how to make the environment variable for:
grade(number) where number is the variable.

Expert Comment

ID: 40594501
The first question, then, is where is the grade number stored? If it is stored in Active Directory, which property are you assigning it to?


Author Comment

ID: 40594560
It saves the folders on '\\server' If I want to make a home drive for a group of users in the same OU, I simply highlight them, go to profile tab, in the home drive select H: and put the path like \\server\Allstudents\grade2\%username%.  So under this server, AllStudents I can see folders of all grades(grade1, grade2.....................)  I am trying to play around with Environment in preferences (not productive as yet).  Need help

Expert Comment

ID: 40594640
Anyways you have to enter grade in form of environmental form in home directory path, what I mean you cannot keep it common for all users just like %username%, it will apply to all users
According to my understanding, you can't achieve what you want by deploying environmental variables because you have multiple grades and for that you do require multiple variables defined
Furthermore it will not hide grade folder

Better you could deploy GP Preferences with "Label As" it will hide home drive path

If you wanted that user would not be able to locate path on server directly, you could enable access based enumeration on server share
Also you need to replace authenticated users with specific students group having same grade on each grade folder

Assisted Solution

it_saige earned 250 total points
ID: 40594868
I understand that you save the folders as grade1, grade2, etc.  But how do you determine the student's grade level?  Normally, you would create an (or use an existing) attribute in order to identify the student's grade level.

To create a custom attribute you could do the following:

1. Register schmmgmt.dll

- Open an administrative command prompt.
- Type in 'regsvr32 schmmgmt.dll' and press enter.
- You should receive a message that schmmgmt.dll registration succeeded.  Press OK to acknowledge the message box.

2. Open the Active Directory Schema mmc snap-in

- Open the Microsoft Management Console (mmc.exe).
- With the Microsoft Management Console open, select File --> Add/Remove Snap-in...
- In the Add or Remove Snap-ins Dialog, choose 'Active Directory Schema' and click 'Add'.
- Once added in the Selected snap-ins tree, click OK.

3. Add a new attribute for gradeLevel (or any other name that will assist you with identifying the attribute). Note: In order to add an attribute, you must be a member of the Schema Admins administrative group.

- Expand the Active Directory Schema tree.
- Right-click on 'Attributes' and select 'Create Attribute...'.
- Click 'Continue' to acknowledge the warning.
- Since we are dealing with Grade Levels, I chose a syntax of Enumeration with a Minimum value of 0 (Kindergartener) and 12 (High School Senior).
- Note: You must enter a valid Unique X500 Object ID.  You can generate a valid object id by using the script presented here: refreshing the Attributes, you can see your new attribute defined.

4. Assign the attribute to the user class.

- Select the Classes tree.
- Right-click on the user class object and choose 'Properties'.
- Select the 'Attributes' tab, and press 'Add'.
- Locate and select the attribute you just added.  Press OK to add the attribute.
- After adding the attribute, press OK.

You can then use a script, powershell or ADSI Edit to modify the custom attributes for your users.  Conversely, you can then use a script to get the custom attribute for the user in order to assign it to an environment variable.

Edit:  Another idea (using the custom attribute) is to use the powershell presented here, in order to not only create but set the user's home directory.
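
An added example, not part of the thread and not the PowerShell linked in the answer above: one way to read the custom attribute and use it to create and assign each student's home folder, with an ACL that keeps other students out. It assumes the attribute is named gradeLevel, that the ActiveDirectory module is available, and that the OU shown is a placeholder.

```powershell
# Added example. Assumptions: the custom attribute is named 'gradeLevel',
# the OU below is a placeholder, and the share root is the
# \\server\AllStudents path from the question.
Import-Module ActiveDirectory

$ShareRoot  = '\\server\AllStudents'
$SearchBase = 'OU=Students,DC=example,DC=local'   # placeholder, not from the thread
$Domain     = (Get-ADDomain).NetBIOSName

$students = Get-ADUser -SearchBase $SearchBase -Filter * -Properties gradeLevel, HomeDirectory

foreach ($u in $students) {
    # Skip accounts with no grade recorded instead of guessing a folder.
    if ($null -eq $u.gradeLevel) {
        Write-Warning "$($u.SamAccountName): gradeLevel not set, skipped"
        continue
    }

    $homePath = Join-Path $ShareRoot ("grade{0}\{1}" -f $u.gradeLevel, $u.SamAccountName)
    if (-not (Test-Path -Path $homePath)) {
        New-Item -ItemType Directory -Path $homePath | Out-Null
    }

    # Drop inherited entries so permissions granted on the grade folder
    # (for example to Authenticated Users) do not flow into the home folder.
    # Explicit entries already on an existing folder are left in place.
    $acl = Get-Acl -Path $homePath
    $acl.SetAccessRuleProtection($true, $false)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    foreach ($entry in @(
            @{ Id = "$Domain\$($u.SamAccountName)"; Rights = 'Modify' },
            @{ Id = 'BUILTIN\Administrators';       Rights = 'FullControl' },
            @{ Id = 'NT AUTHORITY\SYSTEM';          Rights = 'FullControl' })) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $none, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $homePath -AclObject $acl

    # Point the account at the grade-specific folder if it is not already.
    if ($u.HomeDirectory -ne $homePath) {
        Set-ADUser -Identity $u -HomeDrive 'H:' -HomeDirectory $homePath
    }
}
```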


Author Closing Comment

ID: 40595706
Thanks guys,
Really appreciate your time.
I was able to achieve what I needed in a very simple way as Mahesh guided,
-Simply connected the Mapped drive in General tab under preferences 'REPLACE' H: to the \\server\Allstudent\grade1\%logonuser%, labeled it 'HOMEDRIVE'.  In the common tab, simply pull up the OU in which the users for grade1 reside.
-Do all Maps for H drive for each grade level, and in Common tab keep on pulling down the corresponding OU.
-In the properties of the user in AD, does not matter even if the user already has the H drive mapped to  \\server\Allstudent\grade1\%logonuser%, the REPLACE map drive takes care of this.
-End result, I tried with each user in each OU and voilà, I simply got 'HOME DRIVE H:', nicely mapped to users' homedrives.
-no need to tweak down to variable level.

Expert Comment

ID: 40595773
Instead of "Replace" select "Update"

What it will do, it will create map drive 1st time, next time it will look for map drive with appropriate path and if found wrong path, it will just update it to correct one,
if correct path found just skip it

Thanks for excellent walk through wrt new attribute creation.
Thank You.

Expert Comment

ID: 40595795
@Mahesh - Thanks for the compliment.

@amanzoor - Glad you got it sorted out.


Question has a verified solution.