• Status: Solved
  • Priority: Medium
  • Security: Public

Complex drive mapping

Hi

Bit of a complicated one
We have a departmental folder structure that is open to users in that department but also has a secure folder, with subfolders that are restricted via AD groups.

Finance
        Secure
               Payroll
If you are a member of the Finance group (an AD group) a drive is mapped to O:\ and takes you straight into the organisational folder (i.e. no need to click on the Finance folder).

In the secure area of the department folder, we may have the need to have people outside of the finance department to have access and we want to map a separate drive (s:\) for this.

So essentially if someone from HR required access to the Payroll in 'finance', the HR person will have in their S:\ drive - Finance\Secure\Payroll, and they will have access via the read or read/write group applied to the payroll folder.

So this is fine and is ok.
The problem is that we don't want a member of staff from finance who has access to one of their own secure folders to end up with an S drive with S:\Finance\Secure\Payroll (as it's duplicated with their O:\ drive and will confuse them).

So we essentially want to map a drive to S:\ but always hide your own department folder.

Hope that makes sense but please let me know if you want me to clarify anything.
Kevin Watt
Asked:
2 Solutions
 
LesterClayton Commented:
This can be easily achieved using group policies, and item-level targeting on the drive maps.  Using GPOs, you can replace your login scripts which do the drive maps and have a lot more control over which drives are mapped, and for which groups.  Here is a screenshot showing the P: drive being mapped only for users who are in the group named "NS\Terminal Server Users"

[Screenshot: Item Level Targeting]
 
Niten Kumar (Principal Systems Administrator) Commented:
Best would be to create a separate GPO for Finance and a separate one for HR, and each of the GPOs should have separate settings.  Do not modify the Default Domain policy.
 
Kevin Watt (Author) Commented:
Hi

Thanks for the comments

Item-level targeting doesn't solve my issue. I can do this, which is fine, but it won't prevent staff from seeing their own departmental folder on the S:\ drive (this is the challenge).

To summarise, each department will have their own departmental folder on the O:\ drive; however, if you need access to something from another department, the other department's folder will appear on your S:\ drive. However, I don't want staff seeing their own department folder on the S:\ drive (as they have access), as then they have the same thing on O and S, which is confusing.

 
LesterClayton Commented:
How are the drives mapped today?

You just need to start including some logic in the drive maps, so, for example, if the S: drive is mapped because they're in a group called "Finance", and they get the O: drive mapped because they're in a group called "Payroll", then make the S: drive map only if they are a member of Finance, and also NOT in the group "Payroll".  The group policy item-level targeting can include quite a large amount of logic, but I can't tell you exactly how you should do it without knowing more about your environment.
 
Kevin Watt (Author) Commented:
This is planning for a restructure so the current setup won't exist. But we do use GPO to map S:\ for all users and then they get access to the various folders through AD permissions and access-based enumeration.

I think the standard GPO settings won't work here as it's too complex.

If you are in IT, your O would be the IT folder; if you also had access to things in Finance and also HR, your S:\ should show Finance and HR but not IT.
 
LesterClayton Commented:
OK, let's use your example.  S: drive is mapped to "All Users".  Let's assume for argument's sake that you use the group named "Domain Users" for the S: drive.  If the O: drive is mapped for a group called "IT Users", then you don't want the S: drive mapped, right?  This is what you'd do.

For the S: drive

[Screenshot: ExampleS.png]

For the O: drive

[Screenshot: ODrive.png]

You can add multiple "Is Not's" to your S: drive mapping to cater for any other O: drives you want to exclude.
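The targeting described in the answer above, written out as the Drives.xml that Group Policy Preferences stores under User\Preferences\Drives in the GPO. This is an added example, not part of the original thread or the poster's own configuration; the group names "Domain Users" and "IT Users" come from the answer, while the domain name, server, share paths, SIDs, uids and dates are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: EXAMPLE domain, fileserver.example, SIDs, uids and dates are placeholders -->
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">

  <!-- S: drive: user IS a member of Domain Users AND IS NOT a member of IT Users -->
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="S:" status="S:"
         image="2" changed="2024-01-01 00:00:00"
         uid="{00000000-0000-0000-0000-000000000001}" userContext="1">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="" path="\\fileserver.example\Shared" label="Shared"
                persistent="0" useLetter="1" letter="S"/>
    <Filters>
      <!-- not="0" is the "is" test in the targeting editor -->
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Domain Users"
                   sid="S-1-5-21-PLACEHOLDER-513" userContext="1"
                   primaryGroup="0" localGroup="0"/>
      <!-- not="1" is the "is not" test; add one such line per excluded group -->
      <FilterGroup bool="AND" not="1" name="EXAMPLE\IT Users"
                   sid="S-1-5-21-PLACEHOLDER-RID" userContext="1"
                   primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>

  <!-- O: drive: user IS a member of IT Users -->
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="O:" status="O:"
         image="2" changed="2024-01-01 00:00:00"
         uid="{00000000-0000-0000-0000-000000000002}" userContext="1">
    <Properties action="U" thisDrive="NOCHANGE" allDrives="NOCHANGE"
                userName="" path="\\fileserver.example\Departments\IT" label="IT"
                persistent="0" useLetter="1" letter="O"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\IT Users"
                   sid="S-1-5-21-PLACEHOLDER-RID" userContext="1"
                   primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>

</Drives>
```

As written, a member of IT Users gets no S: mapping at all: the filter decides whether the drive letter is mapped, not which folders appear inside it. Access to the folders themselves is still governed by the NTFS permissions and access-based enumeration mentioned in the thread.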
 
LesterClayton Commented:
Answers provided are technically correct based on the question asked and the answers provided.
Question has a verified solution.
