Way to setup new drive mapping for just 2 users who belong to different OUs via drive Preferences

We use drive preferences via GPO for all of our users' drives.
I need to set up a new drive for just 2 users who belong to different OUs.
How can I set this up via the preferences in the GPO for just the 2 users to have access to this one drive, since they both are in different GPOs?
vmich Asked:
Alex Green, Project Systems Engineer, Commented:
Actually they are in the same GPO. What you want to do is set up a group policy, change the security scope to an AD group with just these 2 people in it, and then set it on a higher OU which will contain both. Alternatively, you can apply the same GPO to different OUs and then filter it by scope.
0

vmich, Author, Commented:
So if I put them both into a security group and then create the GPO, do I just add the new security group to the item level targeting?
Then where do I apply the GPO so that all users don't get the new drive letter, just the 2 in the new security group?
0
Thomas Kline, IT Support Analyst, Commented:
I would create a security group in AD, add the GPO to this security group and then have both users be a member of the newly created security group with the GPO assigned to it. This takes out the problem of OU.
0
Alex Green, Project Systems Engineer, Commented:
Not really, since you'll still have to apply the GPO to both OUs.

Either that or one higher in the domain.
0
vmich, Author, Commented:
Thomas,
So what I did was create a new security group. Then I created a new GPO, then I added the 2 users to the new security group.
So next I should link the new GPO to the new security group?
0
kevinhsieh Commented:
See this link for how to use security filtering. As the article states, you also need to allow the computer READ access to the GPO, or it will not apply. I usually just allow the group "Domain Computers" read access to the GPO.
http://www.rebeladmin.com/2018/04/group-policy-security-filtering/
0
Chris, Senior Technical Architect, Commented:
If you use Group Policy preferences you don't need to separate out the GPO.

Follow this TechNet article and you can set the drive mapping up in a granular way using item level targeting.

https://blogs.technet.microsoft.com/askds/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership/
0
Shaun Vermaak, Technical Specialist IV, Commented:
I always have a single policy linked to the root of the domain that contains all my preference settings. From there you can use an item-level filter to apply to these two computers based on hostname
0
vmich, Author, Commented:
So just so I am sure that I have this correct...
I will create a new GPO and then create a new security group.
I will add the 2 users that I want the new drive mapping for to the security group membership.
Then I will remove Authenticated Users from the GPO and add the security group in place of that.
Now is it OK to link the new GPO to one of our existing OUs like AllUsers, but only the 2 users that I added to the security group will get the new drive letter?
0
Alex Green, Project Systems Engineer, Commented:
That's exactly what I said at the start of this thread!
0
kevinhsieh Commented:
...and make sure that the computer accounts have READ access to the GPO, or it will never apply.
0
vmich, Author, Commented:
Well, under security filtering I add the security group which has the 2 users in it. Isn't that all I need?
0
Shaun Vermaak, Technical Specialist IV, Commented:
> So just so I am sure that I have this correct...
> I will create a new GPO and then create a new security group.
> I will add the 2 users that I want the new drive mapping for to the security group membership.
> Then I will remove Authenticated Users from the GPO and add the security group in place of that.
> Now is it OK to link the new GPO to one of our existing OUs like AllUsers, but only the 2 users that I added to the security group will get the new drive letter?

No, that is far more complicated than required.

  1. Create one GPO (all future GPP will be in here)
  2. In this GPO create drive mapping preferences and set item level filtering to these computer names

No groups required, no extra GPOs, no links required to different OUs, no worries if computers move to another OU, no restart required (adding a computer account into the group requires a restart or Kerberos ticket expiration).
1
vmich, Author, Commented:
Shaun,
I added the user accounts to the item targeting. Will that not work also, instead of the computer name?
0
Shaun Vermaak, Technical Specialist IV, Commented:
Sure
0
vmich, Author, Commented:
Actually I set up a security group and added the users into this group.
0
Shaun Vermaak, Technical Specialist IV, Commented:
Then they need to log in and back on before it will work. I would not create a group for 2 users
0
kevinhsieh Commented:
You need to give READ access to the GPO by the computers (you can use individual machine names or use Domain Computers), and you need to assign APPLY (and maybe READ) permission to the users. The reason is that there was a change to the security model several years ago, and the GPO is read via the machine account, and then gets applied via the user account. If you just assign the users to the GPO, they will never be able to get the GPO read so that it can be applied.
0
Shaun Vermaak, Technical Specialist IV, Commented:
> You need to give READ access to the GPO by the computers (you can use individual machine names or use Domain Computers), and you need to assign APPLY (and maybe READ) permission to the users. The reason is that there was a change to the security model several years ago, and the GPO is read via the machine account, and then gets applied via the user account. If you just assign the users to the GPO, they will never be able to get the GPO read so that it can be applied.

This is default and configured with Authenticated user read and does not apply if OP follows my process
0
vmich, Author, Commented:
Ok I am having no luck getting the drive mapped for the 2 users..
They do have security to the drive because if I do it from start run \\server\folder, it works fine for the user.
But when I run gpresult /r I don't see the GPO getting applied to the 2 users.
What am I missing here?
0
Shaun Vermaak, Technical Specialist IV, Commented:
If you use groups, users need to log off first.
0
kevinhsieh Commented:
What users/computers/groups have READ and apply access to the GPO? Where is the GPO linked to?
0
vmich, Author, Commented:
Well, I ran gpresult /r on one of the computers where one of the users is logged in, and the GPO I created is under "following GPO was not applied", and the reason says denied security.
0
vmich, Author, Commented:
Now I don't have Authenticated Users in the security filtering for the GPO, but I added computer domains in the delegation. Do I need something else added here?
0
Shaun Vermaak, Technical Specialist IV, Commented:
Add authenticated users with read and apply policy permissions. The GPP ITT will do the filtering
0
vmich, Author, Commented:
OK, I did. I added it to the delegation with read permissions and now it is mapping.
That is the correct way, right Shaun?
0
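
The permission layout the thread converges on (the group holds Read and Apply, the computer side keeps Read), written with the GroupPolicy module cmdlets. This is an added example, not code posted by any participant; the GPO name and group name are placeholders.

```powershell
# Added example. The GPO and group names used here are placeholders,
# not values taken from the thread.
Import-Module GroupPolicy

function Test-GpoComputerRead {
    # True when Authenticated Users (S-1-5-11) or Domain Computers (RID 515)
    # hold a non-deny ACE on the GPO that includes read access.
    param([Parameter(Mandatory)][string]$GpoName)
    $readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $hits = Get-GPPermission -Name $GpoName -All | Where-Object {
        $sid = $_.Trustee.Sid.Value
        ($sid -eq 'S-1-5-11' -or $sid -like 'S-1-5-21-*-515') -and
        -not $_.Denied -and
        ([string]$_.Permission -in $readLevels)
    }
    return [bool]$hits
}

function Set-GpoGroupFilter {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # Security filtering: the group gets Read + Apply group policy.
    Set-GPPermission -Name $GpoName -TargetName $GroupName `
        -TargetType Group -PermissionLevel GpoApply | Out-Null

    # Removing Authenticated Users from security filtering also removes
    # its read ACE. In the thread, gpresult reported "denied security"
    # until read access was added back under Delegation.
    if (-not (Test-GpoComputerRead -GpoName $GpoName)) {
        Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
            -TargetType Group -PermissionLevel GpoRead | Out-Null
    }

    # Return the resulting ACL so the change can be reviewed.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission, Denied
}

# Placeholder names; replace with the real GPO and security group.
Set-GpoGroupFilter -GpoName 'Example Drive Map GPO' -GroupName 'Example-DriveUsers'
```

After the change, the two users log off and back on so the new group membership is in their token, then `gpresult /r` shows whether the GPO moved out of the not-applied list.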
Windows Server 2008

From novice to tech pro — start learning today.