options for drive mappings.

Posted on 2016-09-18
Medium Priority
Last Modified: 2016-11-02
Dear experts,

Could you please help me to understand in what cases we have to map a drive using GPO? I understand we can also do it with old-style logon scripts.

For instance, if you need only 5 users in your domain to use a mapped drive for an application, is it compulsory to use the GPO option in a 2012 environment? Can it not be resolved locally on the client or app server itself?

I am trying to understand what all my options are with sensible explanations so I can learn, please.

Additionally, can we map multiple shares to clients using the same drive letter on the same server? For example:

on the same Active Directory server
m:\\server1\shareXYZ\ , m:\\server2\shareabc

I have run out of spare drive letters on the AD server and I don't know what my options are to get rid of some of them, as I can see some drives are only for 4 or 5 people. Is there a need for GPO in 2012?

We have DFS for file shares and ABE enabled for permissions. Is there a need for mapped drives while we are using DFS and ABE enabled on shares?

Sorry for the multiple questions, but there seem to be a lot of questions on forums about this and I could not find a clear answer.
Question by:kuzum

Accepted Solution

Felicia King earned 1500 total points
ID: 41803725
Congratulations on using DFS. I use it everywhere. A lot of the answer to your question is based upon the folder structure that you have created under the DFSRoot. You talk about running out of drive letters, which suggests to me that the DFS and the share system are not set up properly.

Here is what I suggest.
Now let's look at what we might do with the I: drive for all users.

So now you have the publishing point for the I: and K: drives.
Now in the I: drive, you will create subfolders and then apply proper permissions to the subfolders to segment for Marketing, HR, etc.
D:\DataRoot\IDrive\Marketing - Apply permissions SYSTEM:F, Administrators:F, Marketing:C
D:\DataRoot\IDrive\HR - Apply permissions SYSTEM:F, Administrators:F, HR:C

In this way, everyone has the same I: drive. Sure, Marketing can see the HR folder, but they get an access denied message when trying to access it. So you have security and you have a very organized method of doing folder structures.
Furthermore, you have ONE FOLDER to back up. You back up D:\DataRoot.

D:\DataRoot\IDrive is shared as \\domain.local\Domain\IDrive in DFS.

I prefer to deliver drive mappings via logon script. However, if you have remote people that connect via VPN, the GPO option may be better. Frankly, that part does not matter as long as it works. Both methods work perfectly fine in 2012R2 and any currently supported version of Windows server.

Drive mappings should be used because they assist in maintaining linking between files as you need to change the back end of your infrastructure.
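The server-side layout this answer describes, written out as an added PowerShell example; it is not code from the thread. The server name FS01 and the DOMAIN\Marketing and DOMAIN\HR group names are placeholders, the namespace \\domain.local\Domain is assumed to exist already, and "C" (Change) is read here as Modify.

```powershell
# Added example, run elevated on the file server (not code from the thread).
# Assumptions: FS01 is a placeholder server name; DOMAIN\Marketing and DOMAIN\HR
# are existing security groups; the namespace \\domain.local\Domain already exists.
$root    = 'D:\DataRoot\IDrive'
$server  = 'FS01'
$dfsPath = '\\domain.local\Domain\IDrive'
$depts   = @{ Marketing = 'DOMAIN\Marketing'; HR = 'DOMAIN\HR' }

New-Item -ItemType Directory -Path $root -Force | Out-Null

# Root: users may list the top level only (the RX ACE carries no inheritance flags).
icacls $root /inheritance:r /grant 'SYSTEM:(OI)(CI)F' `
    'BUILTIN\Administrators:(OI)(CI)F' 'Authenticated Users:(RX)' | Out-Null

foreach ($d in $depts.GetEnumerator()) {
    $path = Join-Path $root $d.Key
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    # SYSTEM:F, Administrators:F, department:C. icacls writes Change as M (Modify).
    icacls $path /inheritance:r /grant 'SYSTEM:(OI)(CI)F' `
        'BUILTIN\Administrators:(OI)(CI)F' "$($d.Value):(OI)(CI)M" | Out-Null
}

# One share for the whole tree. AccessBased hides folders a user cannot read;
# Unrestricted shows them and leaves the NTFS ACL to return "access denied".
New-SmbShare -Name 'IDrive' -Path $root -FullAccess 'Administrators' `
    -ChangeAccess 'Authenticated Users' -FolderEnumerationMode AccessBased | Out-Null

# Publish the share in the namespace so clients never map to \\FS01 directly.
New-DfsnFolder -Path $dfsPath -TargetPath "\\$server\IDrive" | Out-Null

# Check: warn about any ACE on a department folder beyond the intended three.
foreach ($d in $depts.GetEnumerator()) {
    $allowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $d.Value
    (Get-Acl (Join-Path $root $d.Key)).Access |
        Where-Object { $_.IdentityReference.Value -notin $allowed } |
        ForEach-Object { Write-Warning "$($d.Key): unexpected ACE for $($_.IdentityReference)" }
}
```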

Assisted Solution

by:Emmanuel Adebayo
Emmanuel Adebayo earned 500 total points
ID: 41804385
Good morning. I do not quite understand your question properly, but to answer the part I understand, please see below.

First, the best way to map a drive is to use Group Policy Preferences because it removes many of the reasons we had to use scripts in the past and it's very flexible to administer and manage. If you still want to use a script you can, because your number of users is very small, but if the means is already provided, I don't see the reason why you would not want to use GPO preferences.

On the same Active Directory server you cannot use the same drive letter to map to different paths; the drive letter has to be different.
m:\\server1\shareXYZ\ , m:\\server2\shareabc

If you have run out of drive letters, you can mount drives in folders. Go to Disk Management. If you do this, the drive will behave like a folder inside another drive.

To assign a mount-point folder path to a drive by using the Windows interface: in Disk Manager, right-click the partition or volume where you want to assign the mount-point folder path, and then click Change Drive Letter and Paths.
Do one of the following:
To assign a mount-point folder path, click Add. Click Mount in the following empty NTFS folder, type the path to an empty folder on an NTFS volume, or click Browse to locate it.
To remove the mount-point folder path, click it and then click Remove.

For the DFS, Felicia has provided the guideline to follow.

I hope this helps


Author Comment

ID: 41804436
Thanks for your detailed, sensible explanation, Felicia.

I'm running out of drive letters on the servers but I believe you answered this question. I can map different shares using the same drive letter if I use security groups or ABE.
My issue here was that I used a drive letter that is also used by an application, which is causing a conflict. I would imagine that as long as the users are not the same users for my shares and apps it should not cause any conflict? This is the reason I wanted to understand how we handle drive letters with DFS on ABE-enabled shares.

Additionally, here is the issue I'm having:

I have file shares on DFS with ABE enabled, and the two departments I'm testing are shared via GPO as

\\servername\customerservice  (F)
\\servername\finance (N)

I have disabled the F drive from GPO mapping, and when logged in to the client machine I received the drive mapped for customer service with a different drive letter although it is set to use F: (Question - why am I still receiving it when the GPO is disabled? Is it because I enabled ABE and added my test account to a Universal Security Group to view the share? In this case do we really need GPO to map a drive? Can we not just use ABE to give users access to their permitted folders?)

I disabled the N drive for Finance and I receive none, as expected. (Question - the same approach was followed as for customer services, so should I be seeing the drive mapped by ABE?)

Is there really a need to map a drive while we can use security groups and add users to that security group to use with ABE? If this is a true case to help with the drive letter limitation, it would help me a lot.


Author Comment

ID: 41804567
@Emmanuel Adebayo - your explanation partly fixed my issue, where I needed to find another solution for a small group of people for an application. Thanks for that.

Regarding DFS, I think the main question is: is there a need for GPO or scripted mapped drives while using ABE on 2012?

I honestly don't understand much about the ABE and GPO relationship here. Please help me on this, as posted in my previous comment.


Assisted Solution

by:Felicia King
Felicia King earned 1500 total points
ID: 41804649
The only advantage GPO drive mappings have over logon scripts can actually be a disadvantage in other contexts.
GPO-based mappings will apply mappings to all users in an OU.
Logon scripts give you an option to set a different logon script on a per-user basis.
So the answer is really what is going to work best in your organization.
I find that logon scripts are a lot easier to manage.

Regarding these two:
\\servername\customerservice  (f)        
 \\servername\finance (N)  
If this is how you are using it, then you are really not using DFS properly.

Users would never receive a drive mapping to a server name in DFS. They would always get a drive mapping to the DFS infrastructure.
Both Finance and CustomerService are delivered as the I: drive mapping.
Each folder has different permissions so that Customer service staff cannot see INTO the Finance folder.
They may be able to see that it exists, but not click into it.

If you are delivering drive mappings to users via server name, then DFS has no consequence in terms of providing a long-term reliable and redundant file server connection for the users.

Author Comment

ID: 41804688
Hi Felicia,

Thanks again. A few things are not clear to me.

"GPO-based mappings will apply mappings to all users in an OU."  I can set security groups and allow only a specific group to see my shared data in DFS, especially using ABE. Would you not agree with this?

"Users would never receive a drive mapping to a server name in DFS. They would always get a drive mapping to the DFS infrastructure"  Yes, I agree, and I think I have not explained it very clearly.

No shares are presented directly from the server to end users. I am not happy to present my mapped drives using the same drive letter, for very obvious reasons... there is always a chance of someone requesting access to both areas, such as IT guys, directors, auditors...

Assisted Solution

by:Felicia King
Felicia King earned 1500 total points
ID: 41804726
Yes you can do mappings based upon security groups. Again, do what works for your company and the AD structure.

Regarding not presenting the drive mappings as the same to all users ... I've been doing this for 16 years as an AD architect. It actually simplifies everything for the end users.
In most scenarios, there are only a few drive mappings that users have.
H: goes to their home drive
I: goes to a main data drive where subfolders are for different departments or different data classes and segmentation is controlled by security permissions.
The drive mapping should never be used as a security segmenter device.
P: goes to an applications share    where
As stated previously, this facilitates your easy backup of a single folder (Apps) and the users that use MPN get resource group permissions to that folder and no other users can get into that.
Ditto with DDP.
The users really do not care that they can see other folders. They know they cannot click into them and it does not matter to them.
What matters is that getting down to a minimum number of drive mappings simplifies the environment and reduces the confusion that the users have without having any adverse impact on security.
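A logon script along the lines discussed in this thread, as an added PowerShell example that is not from any of the posters. It maps the H:, I: and P: letters to DFS namespace paths, gates one mapping on group membership, refuses to take over a letter already in use, and warns about any mapping that points at a server name instead of the namespace. The Home and Apps namespace folders and the DOMAIN\Apps-Users group are hypothetical names.

```powershell
# Added example: per-user logon script (not code from the thread).
# Assumptions: the Home and Apps namespace folders and the DOMAIN\Apps-Users
# group are hypothetical; \\domain.local\Domain\IDrive is the path from the thread.
$namespace = '\\domain.local\Domain'

# Resolve the current user's group SIDs to DOMAIN\Name form.
$groups = [Security.Principal.WindowsIdentity]::GetCurrent().Groups |
    ForEach-Object { try { $_.Translate([Security.Principal.NTAccount]).Value } catch { } }

$maps = @(
    @{ Letter = 'H'; Path = "$namespace\Home\$env:USERNAME"; Group = $null }
    @{ Letter = 'I'; Path = "$namespace\IDrive";             Group = $null }
    @{ Letter = 'P'; Path = "$namespace\Apps";               Group = 'DOMAIN\Apps-Users' }
)

foreach ($m in $maps) {
    # The mapping is a convenience only; access is still decided by the NTFS ACLs.
    if ($m.Group -and $groups -notcontains $m.Group) { continue }

    $existing = Get-PSDrive -Name $m.Letter -ErrorAction SilentlyContinue
    if ($existing) {
        # Letter already taken (local volume, application mapping, stale share):
        # report it instead of silently landing on a different letter.
        if ($existing.DisplayRoot -ne $m.Path) {
            Write-Warning "$($m.Letter): is in use by '$($existing.Root) $($existing.DisplayRoot)', skipped"
        }
        continue
    }
    # -Scope Global keeps the persistent mapping after the script exits.
    New-PSDrive -Name $m.Letter -PSProvider FileSystem -Root $m.Path `
        -Persist -Scope Global | Out-Null
}

# Audit: any network drive that bypasses the DFS namespace loses DFS redundancy.
Get-PSDrive -PSProvider FileSystem |
    Where-Object { $_.DisplayRoot -like '\\*' -and $_.DisplayRoot -notlike "$namespace\*" } |
    ForEach-Object { Write-Warning "$($_.Name): maps to $($_.DisplayRoot), not the DFS namespace" }
```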

Question has a verified solution.