Complex drive mapping

Posted on 2016-11-07
Last Modified: 2016-11-29
Hi

Bit of a complicated one
We have a departmental folder structure that is open to users in that department but also has a secure folder, with subfolders that are restricted via AD groups.

Finance
        Secure
               Payroll
If you are a member of the Finance group (an AD group) a drive is mapped to O:\ and takes you straight into the organisational folder (i.e. no need to click on the Finance Folder).

In the secure area of the department folder, we may have the need to have people outside of the finance department to have access and we want to map a separate drive (s:\) for this.

So essentially if someone from HR required access to the Payroll in 'finance', the HR person will have in their S:\ drive - Finance\Secure\Payroll, and they will have access via the read or read/write group applied to the payroll folder.

So this is fine and is ok.
The problem is that we don't want a member of staff from finance who has access to one of their own secure folders to end up with an S drive with S:\Finance\Secure\Payroll (as it's duplicated with their O:\ drive and will confuse them).

So we essentially want to map a drive to S:\ but always hide your own department folder.

Hope that makes sense but please let me know if you want me to clarify anything.
Question by:Kevin Watt

Accepted Solution

by:
LesterClayton earned 2000 total points (awarded by participants)
ID: 41877823
This can be easily achieved using group policies, and item level targeting on the drive maps.  Using GPOs, you can replace your login scripts which do the drive maps and have a lot more control over which drives are mapped, and for which groups.  Here is a screenshot showing the P: drive being mapped only for users who are in the group named "NS\Terminal Server Users"

[Screenshot: Item Level Targeting]

Expert Comment

by:Niten Kumar
ID: 41878155
Best would be to create a separate GPO for Finance and a separate one for HR, and each of the GPOs should have separate settings.  Do not modify the Default Domain policy.

Author Comment

by:Kevin Watt
ID: 41878999
Hi

Thanks for the comments

Item level targeting doesn't solve my issue. I can do this, which is fine, but it won't prevent staff from seeing their own departmental folder on the S:\ drive (this is the challenge).

To summarise, each department will have their own departmental folder on the O:\ drive; however, if you need access to something from another department, the other department's folder will appear on your S:\ drive. However, I don't want staff seeing their own department folder on the S:\ drive (as they have access) as then they have the same thing on O and S, which is confusing.
Expert Comment

by:LesterClayton
ID: 41879008
How are the drives mapped today?

You just need to start including some logic to the drive maps, so, for example, if the S: drive is mapped because they're in a group called "Finance", and they get the O: drive mapped because they're in a group called "Payroll", then make the S: drive map only if they are a member of Finance, and also NOT in the group "Payroll".  The group policy item level targeting can include quite a large amount of logic, but I can't tell you exactly how you should do it without knowing more about your environment.

Author Comment

by:Kevin Watt
ID: 41879028
This is planning for a restructure so the current setup won't exist. But we do use GPO to map S:\ for all users and then they get access to the various folders through AD permissions and access based enumeration.

I think the standard GPO settings won't work here as it's too complex.

If you are in IT, your O would be the IT folder; if you also had access to things in finance and also HR, your S:\ should show Finance and HR but not IT.

Assisted Solution

by:LesterClayton
LesterClayton earned 2000 total points (awarded by participants)
ID: 41879056
OK let's use your example.  S: drive is mapped to "All Users".  Let's assume for argument's sake that you use the group named "Domain Users" for the S: drive.  If the O: drive is mapped for a group called "IT Users", then you don't want the S: drive mapped, right?  This is what you'd do.

For the S: drive

[Screenshot: ExampleS.png]

For the O: drive

[Screenshot: ODrive.png]

You can add multiple "Is Not's" to your S: drive mapping to cater for any other O: drives you want to exclude.
0
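
The targeting logic from the answer above (map S: for "Domain Users" unless the user is also in "IT Users"; map O: for "IT Users"), modelled as an added PowerShell example that is not part of the original thread. The UNC paths, the "HR Users" group and the two sample accounts are constructed for illustration.

```powershell
# Added example: item-level targeting rules expressed as data.
# "Domain Users" and "IT Users" come from the thread; paths are placeholders.
$rules = @(
    [pscustomobject]@{
        Letter      = 'S'
        Path        = '\\fileserver.example\Shared'          # placeholder
        MemberOf    = @('Domain Users')                      # "Is" conditions
        NotMemberOf = @('IT Users')                          # "Is Not" conditions
    }
    [pscustomobject]@{
        Letter      = 'O'
        Path        = '\\fileserver.example\Departments\IT'  # placeholder
        MemberOf    = @('IT Users')
        NotMemberOf = @()
    }
)

function Get-DriveMapPlan {
    # Returns the drive mappings whose targeting conditions the user satisfies.
    param(
        [string[]]$UserGroups,
        [object[]]$Rules
    )
    foreach ($rule in $Rules) {
        # Every "Is" group must be present (conditions are ANDed) ...
        $missing  = @($rule.MemberOf    | Where-Object { $UserGroups -notcontains $_ })
        # ... and none of the "Is Not" groups may be present.
        $excluded = @($rule.NotMemberOf | Where-Object { $UserGroups -contains $_ })
        if ($missing.Count -eq 0 -and $excluded.Count -eq 0) {
            [pscustomobject]@{ Drive = "$($rule.Letter):"; Path = $rule.Path }
        }
    }
}

# Constructed sample accounts and their group memberships.
$users = [ordered]@{
    'hr.user' = @('Domain Users', 'HR Users')
    'it.user' = @('Domain Users', 'IT Users')
}

foreach ($name in $users.Keys) {
    $plan = @(Get-DriveMapPlan -UserGroups $users[$name] -Rules $rules)
    '{0}: {1}' -f $name, (($plan | ForEach-Object { $_.Drive }) -join ', ')
}
```

The rules only decide which drive letters appear; what a user can open underneath is still governed by the AD group permissions and access-based enumeration mentioned in the thread.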
 

Expert Comment

by:LesterClayton
ID: 41905440
Answers provided are technically correct based on the question asked and the answers provided.