synetron

Group Policy using Item Level Targeting maps the drive even if the Target test is wrong

I have a Windows 2011 SBS domain with multiple DCs -- fully updated, replicating properly, no other issues EXCEPT: implementing Group Policy to map network drives based on security groups (Item Level Targeting) using the REPLACE option; when using the REPLACE option (in order to overwrite existing maps) I get all 7 drives mapped even if the test is not true. For example, mapping x: only if the user is a member of the security group ABC. I get the drive mapping regardless of whether the user is or is not a member of ABC. So in my situation, the test user ends up with 7 drives mapped but only should have 4.

Does not affect user access rights, but provides confusion (what is drive x: ?, why do I have drive x: ?)  

I presume this behavior is because of using the REPLACE option but the others don't seem to do the job I need. Domain is at 2008 functional level; Security Filtering is "authenticated users". Other GPOs applying properly. Any insights would be appreciated.
LBTechSol

Few simple tests to confirm what is happening:

Did you remove the drives between each test to make sure only new mappings take place?
Group Policy - ensure there are no other logon scripts or policies in place that may be mapping the drives
GPResult - Confirm what policies are actually applying to the account on login
Group membership - Make sure you do not have nested permissions (groups within groups)

Set up a test OU for the devices/user and apply only the one policy, change the group membership (restricted, with membership, no membership).

Take it back to first principles with your tests.
You can do a delete and a create task separately. Might solve your issue.
synetron

ASKER

1.  Removed drives between tests, no change
2.  No logon scripts -- at all
3.  No other enabled mapping policies
4.  GPResult shows the policy was enforced but JUST for the first drive of 9, even though all end up being mapped
5.  GPResult does NOT accurately show the security group membership (probably a piece of the issue), though AD entry is clearly there
6.  Remove nested groups.  This was a pain but did it anyway.  Why do they allow if it doesn't work? &$(#&&#!!!!!!

No real change in results.  

Might try the delete/create step next.
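
One way to check the policy definition itself, as an added example that is not part of the original thread: item-level targeting is stored per drive item in the GPO's Drives.xml (under User\Preferences\Drives in the GPO's SYSVOL folder), so the PowerShell below lists each mapping with its action and whether it carries its own filter. The XML is a trimmed, constructed sample (server, group names and SIDs are made up) and Get-DriveMapTargeting is a hypothetical helper name.

```powershell
# Constructed, trimmed sample of a Group Policy Preferences Drives.xml.
# Server, group names and SIDs are made up for illustration.
[xml]$drivesXml = @'
<Drives>
  <Drive name="X:" status="X:">
    <Properties action="R" path="\\server\abc" useLetter="1" letter="X"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\ABC" sid="S-1-5-21-1-2-3-1105" userContext="1"/>
    </Filters>
  </Drive>
  <Drive name="Y:" status="Y:">
    <Properties action="R" path="\\server\shared" useLetter="1" letter="Y"/>
  </Drive>
  <Drive name="Z:" status="Z:">
    <Properties action="R" path="\\server\finance" useLetter="1" letter="Z"/>
    <Filters>
      <FilterGroup bool="AND" not="1" name="EXAMPLE\Contractors" sid="S-1-5-21-1-2-3-1106" userContext="1"/>
    </Filters>
  </Drive>
</Drives>
'@

function Get-DriveMapTargeting {
    param([Parameter(Mandatory)][xml]$Xml)
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    foreach ($drive in $Xml.SelectNodes('/Drives/Drive')) {
        $props  = $drive.SelectSingleNode('Properties')
        # FilterGroup may sit directly under Filters or inside a nested collection.
        $groups = @($drive.SelectNodes('Filters//FilterGroup'))
        [pscustomobject]@{
            Letter   = $props.GetAttribute('letter')
            Action   = $actions[$props.GetAttribute('action')]
            Path     = $props.GetAttribute('path')
            # No child under <Filters> means the item has no targeting of its own.
            Targeted = $null -ne $drive.SelectSingleNode('Filters/*')
            Groups   = ($groups | ForEach-Object {
                $neg = if ($_.GetAttribute('not') -eq '1') { 'NOT ' } else { '' }
                '{0} {1}{2}' -f $_.GetAttribute('bool'), $neg, $_.GetAttribute('name')
            }) -join '; '
        }
    }
}

$report = Get-DriveMapTargeting -Xml $drivesXml
$report | Format-Table -AutoSize
# Items without their own filter apply to every user the GPO reaches.
$report | Where-Object { -not $_.Targeted } | Select-Object Letter, Action, Path
```

To run it against a real policy, load that GPO's Drives.xml with Get-Content and cast it to [xml] in place of the sample.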