hypercube

Preference GPO for Drive Mapping - Sometimes is applied. Other times not.

I've written a simple User GPO to map a network Drive.
Here is the core of it:
User generated image
This seems to work for some users and on more than one computer for the same user.  However, it's not being applied at all for some users.  It doesn't show in gpresult /r at all!
(Of course, all Users of interest are in the NashvilleRayGroup as intended).  No other users are expected to be affected.
I've synced the DCs, rebooted the computers, ran gpupdate, etc.  Nothing seems to matter.
Some of the ones that work have another GPO applied that allows USB memory devices to NOT be blocked using Deny.  I don't see how that would matter for THIS GPO.

I might add that this is the only preference GPO that we have and I'm seeing it's not listed in gpresult /r for other users (not targeted for this) either.

Hayes Jupe

gpresult /r will show the reason a GPO is not applying (if it's not applied) - so if it's not showing up at all - then you most likely have an issue with sysvol replication.

check the status of the GPO within GPMC.
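
One way to run the replication check Hayes Jupe describes, as an added example that is not part of the original thread: it reads the GPO from every domain controller and compares the AD and SYSVOL version numbers of its User half. The GPO name is a placeholder (the thread does not give it), and the RSAT ActiveDirectory and GroupPolicy modules are assumed to be installed.

```powershell
# Added example: compare AD (DS) and SYSVOL version numbers of one GPO on every DC.
# Requires the RSAT ActiveDirectory and GroupPolicy modules.
Import-Module ActiveDirectory, GroupPolicy

$GpoName = 'PLACEHOLDER-DriveMap-GPO'   # placeholder: the thread does not name the GPO

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server directs the query at this specific DC.
        $gpo = Get-GPO -Name $GpoName -Server $dc.HostName -ErrorAction Stop
        [pscustomobject]@{
            DC         = $dc.HostName
            GpoStatus  = $gpo.GpoStatus
            UserDS     = $gpo.User.DSVersion
            UserSysvol = $gpo.User.SysvolVersion
            Error      = $null
        }
    }
    catch {
        # The GPO is missing or unreadable on this DC: record it instead of stopping.
        [pscustomobject]@{
            DC = $dc.HostName; GpoStatus = $null
            UserDS = $null; UserSysvol = $null
            Error = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# A drive-map preference is a User setting, so the User-side versions are compared.
$ok       = @($report | Where-Object { -not $_.Error })
$failed   = @($report | Where-Object { $_.Error })
$mismatch = @($ok | Where-Object { $_.UserDS -ne $_.UserSysvol })
$distinct = @($ok | Select-Object -ExpandProperty UserDS -Unique)

if ($failed.Count -gt 0) {
    Write-Warning ('GPO could not be read from: ' + ($failed.DC -join ', '))
}
if ($mismatch.Count -gt 0) {
    Write-Warning ('AD and SYSVOL versions differ on: ' + ($mismatch.DC -join ', '))
}
if ($distinct.Count -gt 1) {
    Write-Warning 'DCs disagree on the AD version of the GPO.'
}
```
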
arnold

One thing to check, are your GPOs processed synchronously?
Often it takes time to process when asynchronous.
GPO require network setup prior to allowing login?
hypercube

ASKER

Hayes Jupe:  It appears as though it's not applied at all for some Users.  And, it's working fine for some Users.
The sysvol replication looks OK to me!
The status of the GPO was Enabled.  

arnold: The GPOs, as nearly as I can tell from: "Always wait for the network at computer startup and logon" being "Not Configured" means that the GPOs do NOT process synchronously.  That's the default and that's what remains it appears.

Hayes Jupe

well... something doesn't add up.... as if the GPO is applied to that OU and it doesn't show up in gpresult /r (as applied or filtered out) - either the user isn't a member of the OU - or GPO replication is busted.... those are the only two options there.
hypercube

ASKER

I'm beginning to wonder if the GPOs need to be set with "Always wait for the network at computer startup and logon" ENABLED.
AND
To have the timeout increased from 30 seconds (the default) to something greater?

Hayes Jupe

in my opinion - no.... neither of these settings will stop a policy from showing up in gpresult /r

I'm assuming you have logged off/on - to refresh the user group membership token - just in case?
arnold

You do not set it on all GPOs, you merely set it on one that applies to the computer.
The setting is a computer behavior ...
hypercube

ASKER

Just FYI:  I have a series of questions here on EE relating to one computer not responding to changes in Security Group membership for one User.  Why do I think these cases may be related....?
https://www.experts-exchange.com/questions/29216407/Which-Security-Group-for-a-User-is-in-effect-On-the-Domain-On-the-workstation-where-the-User-is-logged-on.html
https://www.experts-exchange.com/questions/29214503/Daily-Security-Group-Changes-of-One-User-Fail-on-one-of-3-DCs.html
One of the hypotheses offered was that the network wasn't responding fast enough (which I take to imply using cached credentials).

Hayes Jupe:  Well my thinking was that if the User is logged on using cached credentials then it won't get everything it needs from AD will it?  Drive mapping is one of those situations that seems to apply when I continue to research this.

Yes, I've certainly synced the DCs and logged off/on or rebooted and logged on before looking at the results.
arnold:  I understand that the setting is in the Computer section of settings.  And, one GPO should be enough for that.
But the Drive Mapping is user-specific.
ASKER CERTIFIED SOLUTION
arnold
hypercube

ASKER

I've reviewed the responses and should check on a couple of things:

arnold said:
You do not set it on all GPOs, you merely set it on one that applies to the computer.
The setting is a computer behavior ...
I decided that I don't understand this comment.  It's likely that I'd be better off in appreciating the message.  
The Drive Maps are User Preference items and are applied to an OU of Users....
That said, I believe I've solved the problem re: the initial question here.




hypercube

ASKER

Thanks all!
arnold

Good that you have it resolved.

To have GPOs processed prior to letting the user login.
i.e. everything has to be processed when the user is in a position to work.

Asynchronously, the GPOs might continue to be processed while the user is already in a position to perform work.

I.e. two users
UserA: on login has to access a web portal to address issues.
UserB: on login has to access mapped drives to look at things to do.

UserA can have GPOs and GPPs applied Asynchronously as the initial task could provide enough time for the Asynchronous process to complete before the user has to access the network drives, etc.

UserB on the other hand, has to have all the mapped drives available as soon as the user has the session. This GPO/GPPs must be processed synchronously and on conclusion complete the user Session.

Setting the processing synchronously need only be done in ONE GPO that applies to all workstations/systems.

See the following, as it may explain in more detail and more completely.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj573586(v=ws.11)
hypercube

ASKER

arnold:  Thank you!   I have certain cases of interest.  I think that deserves a new question.  I'll do that.
arnold

Have not asked questions in a while, do not know whether you can still ask a related question, which deals with notifying the people commenting on the original question that a new/related question has been opened and/or the original is included as a reference in the new question.

If you post back here the question/s you open. ...