vmich
asked on
Way to setup new drive mapping for just 2 users who belong to different OUs via drive Preferences
We use drive preferences via GPO for all of our users' drives.
I need to setup a new drive for just 2 users who belong to different OUs.
How can I set this up via the preferences in the GPO for just the 2 users to have access to this one drive since they both are in different GPOs?
I would create a security group in AD, add the GPO to this security group and then have both users be members of the newly created security group with the GPO assigned to it. This takes out the problem of OU.
Not really, since you'll still have to apply the GPO to both OUs.
Either that or one higher in the domain
ASKER
Thomas,
So what I did was create a new security group. Then I created a new GPO, then I added the 2 users to the new security group.
So next I should link the new GPO to the new security group?
See this link for how to use security filtering. As the article states, you also need to allow the computer READ access to the GPO, or it will not apply. I usually just allow the group "Domain Computers" read access to the GPO.
http://www.rebeladmin.com/2018/04/group-policy-security-filtering/
If you use Group Policy preferences, you don't need to separate out the GPO.
Follow this TechNet article and you can set the drive mapping up in a granular way using item-level targeting:
https://blogs.technet.microsoft.com/askds/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership/
I always have a single policy linked to the root of the domain that contains all my preference settings. From there you can use an item-level filter to apply to these two computers based on hostname
ASKER
So just so I am sure that I have this correct...
I will create a new GPO and then create a new security group.
I will add the 2 users that I want the new drive mapping to the security group membership.
Then I will remove authenticated users from the gpo and add the security group in place of that.
Now is it ok to link the new GPO to one of our existing OUs like AllUsers but only the 2 users that I added to the security group will get the new drive letter?
That's exactly what I said at the start of this thread!
...and make sure that the computer accounts have READ access to the GPO, or it will never apply.
ASKER
Well, under security filtering I add the security group which has the 2 users in it. Isn't that all I need?
"So just so I am sure that I have this correct..."
No, that is far more complicated than required.
- Create one GPO (all future GPP will be in here)
- In this GPO create drive mapping preferences and set item-level filtering to these computer names
No groups required, no extra GPOs, no links required to different OUs, no worries if computers move to another OU, no restart required (adding a computer account into the group requires a restart or Kerberos ticket expiration)
ASKER
Shaun,
I added the user accounts to the item targeting. Will that not work also, instead of the computer name?
Sure
ASKER
Actually, I set up a security group and added the users into this group.
Then they need to log in and back on before it will work. I would not create a group for 2 users
You need to give READ access to the GPO by the computers (you can use individual machine names or use Domain Computers), and you need to assign APPLY (and maybe READ) permission to the users. The reason is that there was a change to the security model several years ago: the GPO is read via the machine account, and then gets applied via the user account. If you just assign the users to the GPO, they will never be able to get the GPO read so that it can be applied.
This is default and configured with Authenticated user read, and does not apply if OP follows my process.
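An added example, not part of any post in this thread: a PowerShell check, using the GroupPolicy module, for the permission condition discussed above (computers need Read on the GPO, while only the security-filter group gets Apply). The GPO name and group name are placeholders, and the check only looks at the two well-known groups, not at individually delegated machine accounts.

```powershell
# Added example. Run from a management host with the GroupPolicy (RSAT) module.
Import-Module GroupPolicy

$GpoName   = 'Example - Drive Map'       # placeholder GPO name
$UserGroup = 'Example-DriveMap-Users'    # placeholder group containing the two users

function Test-GpoComputerRead {
    param([Parameter(Mandatory)][string]$Name)

    # Groups through which a computer account normally gets to read a GPO.
    $readers = 'Authenticated Users', 'Domain Computers'
    # Any of these levels includes Read.
    $levels  = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    $hit = Get-GPPermission -Name $Name -All | Where-Object {
        $_.Trustee.Name -in $readers -and
        -not $_.Denied -and
        "$($_.Permission)" -in $levels
    }
    return [bool]$hit
}

if (-not (Test-GpoComputerRead -Name $GpoName)) {
    # Read only: computers can fetch the GPO, but this entry does not
    # widen who the settings apply to.
    Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
        -TargetType Group -PermissionLevel GpoRead
}

# Security filtering: Apply goes only to the group holding the two users.
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply

# Review the resulting ACL: who can read, who can apply, any explicit denies.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

After the affected users log off and back on, `gpresult /r /scope user` on their workstation should list the GPO under the applied objects rather than the filtered ones.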
ASKER
Ok I am having no luck getting the drive mapped for the 2 users..
They do have security to the drive because if I do it from start run \\server\folder, it works fine for the user.
But when I run gpresult /r I don't see the GPO getting applied to the 2 users.
What am I missing here?
If you use groups, users need to logoff first
What users/computers/groups have READ and apply access to the GPO? Where is the GPO linked to?
ASKER
Well, I ran gpresult /r on one of the computers where one of the users is logged in, and the GPO I created is under "following GPO was not applied" and the reason says denied security.
ASKER
Now I don't have authenticated users in the security filtering for the GPO, but I added computer domains in the delegation. Do I need something else added here?
Add authenticated users with read and apply policy permissions. The GPP ITT will do the filtering
ASKER
OK, I did. I added it to the delegation with read permissions and now it is mapping.
That is the correct way, right, Shaun?
ASKER
Then where do I apply the GPO so that all users don't get the new drive letter just the 2 in the new security group?