Solved

Complex drive mapping

Posted on 2016-11-07
Last Modified: 2016-11-29
Hi

Bit of a complicated one
We have a departmental folder structure that is open to users in that department but also has a secure folder, with subfolders that are restricted via AD groups.

Finance
        Secure
               Payroll
If you are a member of the Finance group (an AD group) a drive is mapped to O:\ and takes you straight into the organisational folder (i.e. no need to click on the Finance folder)

In the secure area of the department folder, we may have the need to have people outside of the finance department to have access and we want to map a separate drive (S:\) for this.

So essentially if someone from HR required access to the Payroll in 'finance', the HR person will have in their S:\ drive - Finance\Secure\Payroll, and they will have access via the read or read/write group applied to the payroll folder.

So this is fine and is ok.
The problem is that we don't want a member of staff from finance who has access to one of their own secure folders to end up with an S drive with S:\Finance\Secure\Payroll (as it's duplicated with their O:\ drive and will confuse them)

So we essentially want to map a drive to S:\ but always hide your own department folder

Hope that makes sense but please let me know if you want me to clarify anything.
Question by:Kevin Watt
7 Comments
 
LVL 18

Accepted Solution

by:
LesterClayton earned 500 total points (awarded by participants)
ID: 41877823
This can be easily achieved using group policies, and item-level targeting on the drive maps.  Using GPOs, you can replace your login scripts which do the drive maps and have a lot more control over which drives are mapped, and for which groups.  Here is a screenshot showing the P: drive being mapped only for users who are in the group named "NS\Terminal Server Users"

[Screenshot: Item Level Targeting]
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41878155
Best would be to create a separate GPO for Finance and a separate one for HR, and each of the GPOs should have separate settings.  Do not modify the Default Domain policy.
 

Author Comment

by:Kevin Watt
ID: 41878999
Hi

Thanks for the comments

Item-level targeting doesn't solve my issue. I can do this, which is fine, but it won't prevent staff from seeing their own departmental folder on the S:\ drive (this is the challenge)

To summarise, each department will have their own departmental folder on the O:\ drive; however, if you need access to something from another department, the other department's folder will appear on your S:\ drive. However, I don't want staff seeing their own department folder on the S:\ drive (as they have access) as then they have the same thing on O and S, which is confusing.
 
LVL 18

Expert Comment

by:LesterClayton
ID: 41879008
How are the drives mapped today?

You just need to start including some logic to the drive maps, so, for example, if the S: drive is mapped because they're in a group called "Finance", and they get the O: drive mapped because they're in a group called "Payroll", then make the S: drive map only if they are a member of Finance, and also NOT in the group "Payroll".  The group policy item-level targeting can include quite a large amount of logic, but I can't tell you exactly how you should do it without knowing more about your environment.
 

Author Comment

by:Kevin Watt
ID: 41879028
This is planning for a restructure so the current setup won't exist. But we do use GPO to map S:\ for all users and then they get access to the various folders through AD permissions and access-based enumeration.

I think the standard GPO settings won't work here as it's too complex

If you are in IT, your O would be the IT folder; if you also had access to things in Finance and also HR, your S:\ should show Finance and HR but not IT
 
LVL 18

Assisted Solution

by:LesterClayton
LesterClayton earned 500 total points (awarded by participants)
ID: 41879056
OK, let's use your example.  S: drive is mapped to "All Users".  Let's assume for argument's sake that you use the group named "Domain Users" for the S: drive.  If the O: drive is mapped for a group called "IT Users", then you don't want the S: drive mapped, right?  This is what you'd do.

For the S: drive

[Screenshot: ExampleS.png]

For the O: drive

[Screenshot: ODrive.png]

You can add multiple "Is Not's" to your S: drive mapping to cater for any other O: drives you want to exclude.
 
LVL 18

Expert Comment

by:LesterClayton
ID: 41905440
Answers provided are technically correct based on the question asked and the answers provided.

Question has a verified solution.
