Way to setup new drive mapping for just 2 users who belong to different OUs via drive Preferences

vmich
We use drive preferences via GPO for all of our users' drives.
I need to set up a new drive for just 2 users who belong to different OUs.
How can I set this up via the preferences in the GPO for just the 2 users to have access to this one drive, since they both are in different GPOs?
Senior Infrastructure Analyst
Commented:
Actually they are in the same GPO. What you want to do is set up a group policy, change the security scope to an AD group with just these 2 people in it, and then set it on a higher OU which will contain both. Alternatively, you can apply the same GPO to different OUs and then filter it by scope.

Author

Commented:
So if I put them both into a security group and then create the GPO, do I just add the new security group to the item level targeting?
Then where do I apply the GPO so that all users don't get the new drive letter just the 2 in the new security group?
Thomas Kline, IT Support Analyst

Commented:
I would create a security group in AD, add the GPO to this security group and then have both users be a member of the newly created security group with the GPO assigned to it. This takes out the problem of OU.
Alex, Senior Infrastructure Analyst

Commented:
Not really, since you'll still have to apply the GPO to both OUs.

Either that or one higher in the domain.

Author

Commented:
Thomas,
So what I did was create a new security group. Then I created a new GPO, then I added the 2 users to the new security group.
So next I should link the new GPO to the new security group?
kevinhsieh, Network Engineer

Commented:
See this link for how to use security filtering. As the article states, you also need to allow the computer READ access to the GPO, or it will not apply. I usually just allow the group "Domain Computers" read access to the GPO.
http://www.rebeladmin.com/2018/04/group-policy-security-filtering/
Chris, Lead Infrastructure Architect

Commented:
If you use Group Policy preferences you don't need to separate out the GPO.

Follow this TechNet article and you can set the drive mapping up in a granular way using item-level targeting:

https://blogs.technet.microsoft.com/askds/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership/
Shaun Vermaak, Technical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
I always have a single policy linked to the root of the domain that contains all my preference settings. From there you can use an item-level filter to apply to these two computers based on hostname.

Author

Commented:
So just so I am sure that I have this correct...
I will create a new GPO and then create a new security group.
I will add the 2 users that I want the new drive mapping for to the security group membership.
Then I will remove Authenticated Users from the GPO and add the security group in place of that.
Now is it OK to link the new GPO to one of our existing OUs like AllUsers, but only the 2 users that I added to the security group will get the new drive letter?
Alex, Senior Infrastructure Analyst

Commented:
That's exactly what I said at the start of this thread!
kevinhsieh, Network Engineer

Commented:
...and make sure that the computer accounts have READ access to the GPO, or it will never apply.

Author

Commented:
Well, under security filtering I add the security group which has the 2 users in it. Isn't that all I need?
Shaun Vermaak, Technical Specialist

Commented:
> So just so I am sure that I have this correct...
> I will create a new GPO and then create a new security group.
> I will add the 2 users that I want the new drive mapping to the security group membership.
> Then I will remove authenticated users from the gpo and add the security group in place of that.
> Now is it ok to link the new GPO to one of our existing OUs like AllUsers but only the 2 users that I added to the security group will get the new drive letter?

No, that is far more complicated than required.

  1. Create one GPO (all future GPP will be in here).
  2. In this GPO create drive mapping preferences and set item-level filtering to these computer names.

No groups required, no extra GPOs, no links required to different OUs, no worries if computers move to another OU, no restart required (adding a computer account into the group requires a restart or Kerberos ticket expiration).

Author

Commented:
Shaun,
I added the user accounts to the item targeting. Will that not work also, instead of the computer name?
Shaun Vermaak, Technical Specialist

Commented:
Sure

Author

Commented:
Actually I set up a security group and added the users into this group.
Shaun Vermaak, Technical Specialist

Commented:
Then they need to log off and back on before it will work. I would not create a group for 2 users.
kevinhsieh, Network Engineer

Commented:
You need to give READ access to the GPO by the computers (you can use individual machine names or use Domain Computers), and you need to assign APPLY (and maybe READ) permission to the users. The reason is that there was a change to the security model several years ago, and the GPO is read via the machine account, and then gets applied via the user account. If you just assign the users to the GPO, they will never be able to get the GPO read so that it can be applied.
Shaun Vermaak, Technical Specialist

Commented:
> You need to give READ access to the GPO by the computers (you can use individual machine names or use Domain Computers), and you need to assign APPLY (and maybe READ) permission to the users. The reason is that there was a change to the security model several years ago, and it is the GPO is read via the machine account, and then gets applied via the user account. If you just assign the users to the GPO, they will never be ab;e to get the GPO read so that it can be applied.

This is default and configured with Authenticated Users read, and does not apply if OP follows my process.

Author

Commented:
OK, I am having no luck getting the drive mapped for the 2 users.
They do have security to the drive, because if I do it from Start > Run \\server\folder, it works fine for the user.
But when I run gpresult /r I don't see the GPO getting applied to the 2 users.
What am I missing here?
Shaun Vermaak, Technical Specialist

Commented:
If you use groups, users need to log off first.
kevinhsieh, Network Engineer

Commented:
What users/computers/groups have READ and APPLY access to the GPO? Where is the GPO linked to?

Author

Commented:
Well, I ran gpresult /r on one of the computers where one of the users is logged in, and the GPO I created is under "following GPO was not applied" and the reason says denied security.

Author

Commented:
Now I don't have Authenticated Users in the security filtering for the GPO, but I added computer domains in the delegation. Do I need something else added here?
Shaun Vermaak, Technical Specialist

Commented:
Add Authenticated Users with read and apply policy permissions. The GPP ITT will do the filtering.

Author

Commented:
OK, I did. I added it to the delegation with read permissions and now it is mapping.
That is the correct way, right, Shaun?
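
Added example, not part of the original thread or any participant's post: a PowerShell check for the condition that caused the "denied security" result above, where a security-filtered GPO has Apply for the user group but no Read for the computer account. It uses the GroupPolicy module cmdlets Get-GPPermission and Set-GPPermission; the function name and the GPO name are hypothetical placeholders.

```powershell
# Added example: audit a security-filtered GPO for the read/apply split
# discussed in this thread. Requires the GroupPolicy module (RSAT / GPMC).
Import-Module GroupPolicy

function Test-GpoComputerRead {
    param(
        [Parameter(Mandatory)] [string] $GpoName
    )
    $acl = Get-GPPermission -Name $GpoName -All

    # Trustees through which any domain computer account can read the GPO.
    # Limitation: individual machine accounts or custom computer groups
    # granted Read directly are not counted by this check.
    $computerTrustees = 'Authenticated Users', 'Domain Computers'
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

    $readers = $acl | Where-Object {
        $_.Trustee.Name -in $computerTrustees -and
        "$($_.Permission)" -in $readLevels -and
        -not $_.Denied
    }
    # Everyone the GPO is security-filtered to (Read + Apply group policy).
    $appliers = $acl | Where-Object {
        "$($_.Permission)" -eq 'GpoApply' -and -not $_.Denied
    }

    [pscustomobject]@{
        Gpo             = $GpoName
        ComputerCanRead = [bool]$readers
        ReadVia         = $readers.Trustee.Name -join ', '
        ApplyTrustees   = $appliers.Trustee.Name -join ', '
    }
}

# Placeholder GPO name (assumption); substitute the GPO holding the drive map.
$result = Test-GpoComputerRead -GpoName 'Drive Map - Two Users'
$result

if (-not $result.ComputerCanRead) {
    # Grant Read only: the GPO becomes readable, but it is still applied
    # only to the trustees that hold Apply (the two-user security group).
    Set-GPPermission -Name $result.Gpo -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead
}
```

After the permission change, running gpresult /r again for the affected user shows whether the GPO has moved out of the not-applied list.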
