Solved

options for drive mappings.

Posted on 2016-09-18
8
33 Views
Last Modified: 2016-11-02
Dear exprts,

could you please help me to understand in what cases we have to map a drive using GPO?  I understand we can also do it with old style logon scripts.

for instance, if you need only  5 users in your domain to use a mapped drive for an application, is it compulsory to use GPO option in 2012 environment? can it not be resolved with locally on the client or app server itself?

I am trying to understand what all my options are with sensible explanations so I Can learn please.

Additionally, can we map multiple shares  to clients using the  same drive letter on the same server? for example:

on the same Active Directory server
m:\\server1\shareXYZ\ , m:\\server2\shareabc    

I have run out spare drive letters on AD server and I don't know what my options are to get rid off some of them as I can see some drives are only for 4 or 5 people.  is there a need for GPO in 2012 ?

we have DFS for file shares and ABE enabled for permissions. is there a need for mapped drive while we are using DFS and ABE enabled on shares?

sorry for multiple questions but there seem to be a lot of questions on forums about this and could not find clear answer.
0
Comment
Question by:kuzum
  • 3
  • 3
8 Comments
 
LVL 4

Accepted Solution

by:
Felicia King earned 375 total points
ID: 41803725
Congratulations on using DFS. I use it everywhere. A lot of the answer to your question is based upon your folder structure that you have created under the DFSRoot. You talk about running out of drive letters, which suggests to me that the DFS and the share system is not setup properly.

Here is what I suggest.
D:\DataRoot
Now let's look at what we might do with the I: drive for all users.
D:\DataRoot\IDrive
D:\DataRoot\KDrive

So now you have the publishing point for the I: and K: drives.
Now in the I: drive, you will create subfolders and then apply proper permissions to the subfolders to segment for Marketing, HR, etc.
D:\DataRoot\IDrive\Marketing - Apply permissions System:F, Administrators:F, Marketing:C
D:\DataRoot\IDrive\HR              - Apply permissions SYSTEM:F, Administrators:F, HR:C

In this way, everyone has the same I: drive. Sure marketing can see the HR folder, but they get an access denied message when trying to access it. So you have security and you have a very organized method of doing folder structures.
Furthermore, you have ONE FOLDER to backup. You backup D:\DataRoot.

D:\DataRoot\IDrive is shared as \\domain.local\Domain\IDrive in DFS.

I prefer to deliver drive mappings via logon script. However, if you have remote people that connect via VPN, the GPO option may be better. Frankly, that part does not matter as long as it works. Both methods work perfectly fine in 2012R2 and any currently supported version of Windows server.

Drive mappings should be used because it assists in maintaining linking between files as your need to change the back end of your infrastructure.
0
 
LVL 16

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 125 total points
ID: 41804385
Good morning, Note quite understand your question properly. But to answer the one I understand, please see the below.

First if the best way to map a drive is to use Group Policy Preferences because it removes many of the reasons we had to use scripts in the past and it's very flexible to administer and managed. If you still want to use script u can still use because your users are very small but if the means is already provided, I don't see the reason why you will not want to use GPO preference  

On the same Active Directory server you cannot use the same drive letter to map to different path, the drive letter has to be different.
m:\\server1\shareXYZ\ , m:\\server2\shareabc    

If you have ran our drive letters, you can mount drives in folders. Go to the disk management. If you do this the drive will behave like a folder inside another drive.

To assign a mount-point folder path to a drive by using the Windows interface In Disk Manager, right-click the partition or volume where you want to assign the mount-point folder path, and then click Change Drive Letter and Paths.
Do one of the following:
To assign a mount-point folder path, click Add. Click Mount in the following empty NTFS folder, type the path to an empty folder on an NTFS volume, or click Browse to locate it.
To remove the mount-point folder path, click it and then click Remove

For the DFS, Felicia has provided the guideline to follows.

I hope this helps

Regards
0
 

Author Comment

by:kuzum
ID: 41804436
thanks for your detailed sensible explanation Felicia.

I'm running out drive letters on the servers but I believe you answered this question. I can map different shares using the same drive letter if I use security groups or ABE.
my issue here was I used a drive letter that is also used by an application that is causing conflict. I would imagine that as long as users are not the same users for my shares and apps it should not cause any conflict?  this is the reason I wanted to understand how we handle drive letters with DFS on ABE enabled shares.

additionally,  here is the issue I'm having:

I have file shares on DFS  with ABE enabled and two departments I'm testing are shared via GPO as

\\servername\customerservice  (f)        
\\servername\finance (N)        

I have disabled F drive from GPO mapping and when logged in to client machine I received drive mapped for customer service with different drive letter although it is set to use F:  ( question- why am I still receving it when GPO is disabled? is it because I enabled ABE and added my test account to Universal Security Group to view the share? in this case do we really need GPO to map a drive? can we not just use ABE to give access to users with their permitted folders?)

I disabled N drive for Finance  and I receive none as expected. ( Question - Same approached followed as customer services and I should be seeing the drive mapped by ABE?

IS there a really need to map a drive while we can use security groups and add users in to that security group to use with ABE?  if the is a true case to help drive letter limitation, it would help me a lot.

regards
kuzum
0
 

Author Comment

by:kuzum
ID: 41804567
@Emmanuel Adebayo  - your explanation fixed my issue partly where I needed to find another solution for small group of people for application. thanks for that.

regards to DFS, I think main question is that is there a need of GPO or Scripted mapped drives while using ABE on 2012?  

I honestly don't understand much about ABE and GPO  relationship here. please help me on this as posted on my previous comment

thanks.
0
 
LVL 4

Assisted Solution

by:Felicia King
Felicia King earned 375 total points
ID: 41804649
The only advantage GPO drive mappings have over logon scripts can actually be a disadvantage in other contexts.
GPO-based mappings will apply mappings to all users in an OU.
Logon scripts give you an option to set a different logon script on a per-user basis.
So the answer is really what is going to work best in your organization.
I find that logon scripts are a lot easier to manage.

Regarding these two:
\\servername\customerservice  (f)        
 \\servername\finance (N)  
If this is how you are using it, then you are really not using DFS properly.

Users would never receive a drive mapping to a server name in DFS. They would always get a drive mapping to the DFS infrastructure.
\\domain.local\rootname\IDrive\CustomerService
\\domain.local\rootname\IDrive\Finance
Both Finance and CustomerService are delivered as the I: drive mapping.
Each folder has different permissions so that Customer service staff cannot see INTO the Finance folder.
They may be able to see that it exists, but not click into it.

If you are delivering drive mappings to users via server name, then DFS has no consequence in terms of providing a long-term reliable and redundant file server connection for the users.
0
 

Author Comment

by:kuzum
ID: 41804688
HI Felicia,

thanks again. Few things not clear to me

"GPO-based mappings will apply mappings to all users in an OU."  I can set security groups and allow only specific group to see my shared data in DFS.  Specially using ABE? Would you not agree with this?

"Users would never receive a drive mapping to a server name in DFS. They would always get a drive mapping to the DFS infrastructure"  Yes I agree and I think I have not explained it very clearly.

No shares are presented directly from Server to end users. I am not happy to present my mapped drives using same drive letter for very obvious reasons...  there is always chance for someone requesting access to both areas such as IT guys directors, auditors.....
0
 
LVL 4

Assisted Solution

by:Felicia King
Felicia King earned 375 total points
ID: 41804726
Yes you can do mappings based upon security groups. Again, do what works for your company and the AD structure.

Regarding not presenting the drive mappings as the same to all users ... I've been doing this for 16 years as an AD architect. It actually simplifies everything for the end users.
In most scenarios, there are only a few drive mappings that users have.
H: goes to their home drive
I: goes to a main data drive where subfolders are for different departments or different data classes and segmentation is controlled by security permissions.
The drive mapping should never be used as a security segmenter device.
P: goes to an applications share    where
P:\Apps\MPN
P:\Apps\DDP
As stated previously, this facilitates your easy backup of a single folder (Apps) and the users that use MPN get resource group permissions to that folder and no other users can get into that.
Ditto with DDP.
The users really do not care that they can see other folders. They know they cannot click into them and it does not matter to them.
What matters is that getting down to a minimum number of drive mappings simplifies the environment and reduces the confusion that the users have without having any adverse impact on security.
0

Join & Write a Comment

The article will show you how you can maintain a simple logfile of all Startup and Shutdown events on Windows servers and desktops with PowerShell. The script can be easily adapted into doing more like gracefully silencing/updating your monitoring s…
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now