Solved

Complex drive mapping

Posted on 2016-11-07
Last Modified: 2016-11-29
Hi

Bit of a complicated one
We have a departmental folder structure that is open to users in that department but also has a secure folder, with subfolders that are restricted via AD groups.

Finance
        Secure
               Payroll
If you are a member of the Finance group (an AD group), a drive is mapped to O:\ and takes you straight into the organisational folder (i.e. no need to click on the Finance folder).

In the secure area of the department folder, we may have the need to have people outside of the finance department to have access and we want to map a separate drive (s:\) for this.

So essentially if someone from HR required access to the Payroll in 'finance', the HR person will have in their S:\ drive - Finance\Secure\Payroll, and they will have access via the read or read/write group applied to the payroll folder.

So this is fine and is ok.
The problem is that we don't want a member of staff from finance who has access to one of their own secure folders to end up with an S drive with S:\Finance\Secure\Payroll (as it's duplicated with their O:\ drive and will confuse them).

So we essentially want to map a drive to S:\ but always hide your own department folder.

Hope that makes sense but please let me know if you want me to clarify anything.
Question by:Kevin Watt
7 Comments
 
LVL 18

Accepted Solution

by:
LesterClayton earned 2000 total points (awarded by participants)
ID: 41877823
This can be easily achieved using group policies, and item level targeting on the drive maps.  Using GPOs, you can replace your login scripts which do the drive maps and have a lot more control over which drives are mapped, and for which groups.  Here is a screenshot showing the P: drive being mapped only for users who are in the group named "NS\Terminal Server Users"

[Screenshot: Item Level Targeting]
0
 
LVL 7

Expert Comment

by:Niten Kumar
ID: 41878155
Best would be to create a separate GPO for Finance and a separate one for HR, and each of the GPOs should have separate settings.  Do not modify the Default Domain policy.
0
 

Author Comment

by:Kevin Watt
ID: 41878999
Hi

Thanks for the comments

Item level targeting doesn't solve my issue. I can do this, which is fine, but it won't prevent staff from seeing their own departmental folder on the S:\ drive (this is the challenge).

To summarise, each department will have their own departmental folder on the O:\ drive; however, if you need access to something from another department, the other department's folder will appear on your S:\ drive. However, I don't want staff seeing their own department folder on the S:\ drive (as they have access), as then they have the same thing on O and S, which is confusing.
0

 
LVL 18

Expert Comment

by:LesterClayton
ID: 41879008
How are the drives mapped today?

You just need to start including some logic in the drive maps, so, for example, if the S: drive is mapped because they're in a group called "Finance", and they get the O: drive mapped because they're in a group called "Payroll", then make the S: drive map only if they are a member of Finance, and also NOT in the group "Payroll".  The group policy item level targeting can include quite a large amount of logic, but I can't tell you exactly how you should do it without knowing more about your environment.
0
 

Author Comment

by:Kevin Watt
ID: 41879028
This is planning for a restructure, so the current setup won't exist. But we do use GPO to map S:\ for all users, and then they get access to the various folders through AD permissions and access based enumeration.

I think the standard GPO settings won't work here as it's too complex.

If you are in IT, your O would be the IT folder; if you also had access to things in Finance and also HR, your S:\ should show Finance and HR but not IT.
0
 
LVL 18

Assisted Solution

by:LesterClayton
LesterClayton earned 2000 total points (awarded by participants)
ID: 41879056
OK, let's use your example.  S: drive is mapped to "All Users".  Let's assume for argument's sake that you use the group named "Domain Users" for the S: drive.  If the O: drive is mapped for a group called "IT Users", then you don't want the S: drive mapped, right?  This is what you'd do.

For the S: drive

[Screenshot: ExampleS.png]

For the O: drive

[Screenshot: ODrive.png]

You can add multiple "Is Not"s to your S: drive mapping to cater for any other O: drives you want to exclude.
0
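The targeting rule described in the answer above ("Domain Users" and NOT "IT Users" for S:, "IT Users" for O:), modelled as an added example that is not part of the original thread or any poster's configuration. It parses a constructed, simplified fragment shaped like a Group Policy Preferences Drives.xml and reports which drives a given set of group memberships would receive; the `CORP` domain, the `\\fs01` share paths and the `Finance Payroll RW` group named in the note below are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a GPP Drives.xml (clsid/uid/sid attributes
# omitted). The CORP domain and \\fs01 paths are assumptions, not from the thread.
DRIVES_XML = r"""
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\fs01\Shared" letter="S"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Domain Users"/>
      <FilterGroup bool="AND" not="1" name="CORP\IT Users"/>
    </Filters>
  </Drive>
  <Drive name="O:">
    <Properties action="U" path="\\fs01\Departments\IT" letter="O"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\IT Users"/>
    </Filters>
  </Drive>
</Drives>
"""

def filters_pass(filters, groups):
    """Combine FilterGroup items in order; not="1" inverts a membership test.
    Simplification: flat list only, the first item's operator is ignored."""
    result = True
    for i, f in enumerate(filters):
        hit = f.get("name").lower() in groups
        if f.get("not") == "1":
            hit = not hit
        if i == 0:
            result = hit
        elif f.get("bool") == "OR":
            result = result or hit
        else:
            result = result and hit
    return result

def mapped_drives(xml_text, user_groups):
    """Return {letter: UNC path} for the drives whose targeting the user passes."""
    groups = {g.lower() for g in user_groups}
    mapped = {}
    for drive in ET.fromstring(xml_text).iter("Drive"):
        if filters_pass(drive.findall("./Filters/FilterGroup"), groups):
            props = drive.find("Properties")
            mapped[props.get("letter")] = props.get("path")
    return mapped

print(mapped_drives(DRIVES_XML, [r"CORP\Domain Users", r"CORP\IT Users"]))
```

With this rule a member of "IT Users" receives no S: drive at all, even when they also hold a group such as the assumed `CORP\Finance Payroll RW`. Item-level targeting only decides whether a drive letter is mapped; what a user can open is still governed by the AD group permissions and access-based enumeration mentioned in the thread.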
 
LVL 18

Expert Comment

by:LesterClayton
ID: 41905440
Answers provided are technically correct based on the question asked and the answers provided.
0


Question has a verified solution.
