Solved

Complex drive mapping

Posted on 2016-11-07
Last Modified: 2016-11-29
Hi

Bit of a complicated one
We have a departmental folder structure that is open to users in that department but also has a secure folder, with subfolders that are restricted via AD groups.

Finance
        Secure
               Payroll
If you are a member of the Finance group (an AD group), a drive is mapped to O:\ and takes you straight into the organisational folder (i.e. no need to click on the Finance folder).

In the secure area of the department folder, we may need people outside of the finance department to have access, and we want to map a separate drive (S:\) for this.

So essentially if someone from HR required access to the Payroll in 'finance', the HR person will have in their S:\ drive - Finance\Secure\Payroll, and they will have access via the read or read/write group applied to the payroll folder.

So this is fine and is ok.
The problem is that we don't want a member of staff from finance who has access to one of their own secure folders to end up with an S drive with S:\Finance\Secure\Payroll (as it's duplicated with their O:\ drive and will confuse them).

So we essentially want to map a drive to S:\ but always hide your own department folder.

Hope that makes sense but please let me know if you want me to clarify anything.
0
Question by:Kevin Watt
7 Comments
 
LVL 17

Accepted Solution

by:
LesterClayton earned 500 total points (awarded by participants)
ID: 41877823
This can be easily achieved using group policies, and item level targeting on the drive maps.  Using GPOs, you can replace your login scripts which do the drive maps and have a lot more control over which drives are mapped, and for which groups.  Here is a screenshot showing the P: drive being mapped only for users who are in the group named "NS\Terminal Server Users"

[Screenshot: Item Level Targeting]
0
 
LVL 6

Expert Comment

by:Niten Kumar
ID: 41878155
Best would be to create a separate GPO for Finance and a separate one for HR, and each of the GPOs should have separate settings.  Do not modify the Default Domain policy.
0
 

Author Comment

by:Kevin Watt
ID: 41878999
Hi

Thanks for the comments

Item level targeting doesn't solve my issue. I can do this, which is fine, but it won't prevent staff from seeing their own departmental folder on the S:\ drive (this is the challenge).

To summarise, each department will have their own departmental folder on the O:\ drive, however if you need access to something from another department, the other department's folder will appear on your S:\ drive. However I don't want staff seeing their own department folder on the S:\ drive (as they have access) as then they have the same thing on O and S, which is confusing.
0
 
LVL 17

Expert Comment

by:LesterClayton
ID: 41879008
How are the drives mapped today?

You just need to start including some logic in the drive maps, so, for example, if the S: drive is mapped because they're in a group called "Finance", and they get the O: drive mapped because they're in a group called "Payroll", then make the S: drive map only if they are a member of Finance, and also NOT in the group "Payroll".  The group policy item level targeting can include quite a large amount of logic, but I can't tell you exactly how you should do it without knowing more about your environment.
0
 

Author Comment

by:Kevin Watt
ID: 41879028
This is planning for a restructure so the current setup won't exist. But we do use GPO to map S:\ for all users and then they get access to the various folders through AD permissions and access based enumeration.

I think the standard GPO settings won't work here as it's too complex.

If you are in IT, your O would be the IT folder. If you also had access to things in finance and also HR, your S:\ should show Finance and HR but not IT.
0
 
LVL 17

Assisted Solution

by:LesterClayton
LesterClayton earned 500 total points (awarded by participants)
ID: 41879056
OK let's use your example.  S: drive is mapped to "All Users".  Let's assume for argument's sake that you use the group named "Domain Users" for the S: drive.  If the O: drive is mapped for a group called "IT Users", then you don't want the S: drive mapped, right?  This is what you'd do.

For the S: drive:

[Screenshot: ExampleS.png]

For the O: drive:

[Screenshot: ODrive.png]

You can add multiple "Is Not's" to your S: drive mapping to cater for any other O: drives you want to exclude.
0
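The targeting described in the answer above (S: for "Domain Users" AND NOT "IT Users", O: for "IT Users"), as an added example that is not part of the original thread: a simplified model that evaluates group filters from a constructed Drives.xml-style fragment against a user's group list. The EXAMPLE domain, share paths and the reduced attribute set are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a GPP Drives.xml (clsid/uid/sid attributes
# omitted); the EXAMPLE domain and share paths are placeholders.
DRIVES_XML = r"""
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\fileserver\Shared" letter="S"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Domain Users"/>
      <FilterGroup bool="AND" not="1" name="EXAMPLE\IT Users"/>
    </Filters>
  </Drive>
  <Drive name="O:">
    <Properties action="U" path="\\fileserver\Departments\IT" letter="O"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\IT Users"/>
    </Filters>
  </Drive>
</Drives>
"""

def filters_pass(drive, groups):
    """Simplified model: combine group filters in listed order with AND/OR."""
    result = None
    for f in drive.findall("./Filters/FilterGroup"):
        match = f.get("name").lower() in groups
        if f.get("not") == "1":              # "is not a member of"
            match = not match
        if result is None:                   # first item seeds the result
            result = match
        elif f.get("bool") == "OR":
            result = result or match
        else:
            result = result and match
    return True if result is None else result  # no filters: applies to all

def mapped_drives(xml_text, user_groups):
    """Return {drive letter: UNC path} for the maps this user would receive."""
    groups = {g.lower() for g in user_groups}
    out = {}
    for drive in ET.fromstring(xml_text).findall("Drive"):
        if filters_pass(drive, groups):
            props = drive.find("Properties")
            out[props.get("letter") + ":"] = props.get("path")
    return out

if __name__ == "__main__":
    print(mapped_drives(DRIVES_XML, [r"EXAMPLE\Domain Users", r"EXAMPLE\IT Users"]))
```

Adding a further `not="1"` filter per department group corresponds to the multiple "Is Not" entries mentioned in the answer.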
 
LVL 17

Expert Comment

by:LesterClayton
ID: 41905440
Answers provided are technically correct based on the question asked and the answers provided.
0
