Preference GPO for Drive Mapping - Sometimes is applied. Other times not.
I've written a simple User GPO to map a network Drive.
Here is the core of it:
This seems to work for some users and on more than one computer for the same user. However, it's not being applied at all for some users. It doesn't show in gpresult /r at all!
(Of course, all Users of interest are in the NashvilleRayGroup as intended). No other users are expected to be affected.
I've synced the DCs, rebooted the computers, ran gpupdate, etc. Nothing seems to matter.
Some of the ones that work have another GPO applied that allows USB memory devices to NOT be blocked using Deny. I don't see how that would matter for THIS GPO.
I might add that this is the only preference GPO that we have and I'm seeing it's not listed in gpresult /r for other users (not targeted for this) either.
Here is the core of it:
This seems to work for some users and on more than one computer for the same user. However, it's not being applied at all for some users. It doesn't show in gpresult /r at all!
(Of course, all Users of interest are in the NashvilleRayGroup as intended). No other users are expected to be affected.
I've synced the DCs, rebooted the computers, ran gpupdate, etc. Nothing seems to matter.
Some of the ones that work have another GPO applied that allows USB memory devices to NOT be blocked using Deny. I don't see how that would matter for THIS GPO.
I might add that this is the only preference GPO that we have and I'm seeing it's not listed in gpresult /r for other users (not targeted for this) either.
Last Comment
One thing to check, are your gpos process synchronously?
Often it takes time to process when asynchronous.
GPO require network setup prior to allowing login?
Often it takes time to process when asynchronous.
GPO require network setup prior to allowing login?
ASKER
Hayes Jupe: It appears as though it's not applied at all for some Users. And, it's working fine for some Users.
The sysvol replication looks OK to me!
The status of the GPO was Enabled.
arnold:The GPOs, as nearly as I can tell from: "Always wait for the network at computer startup and logon" being "Not Configured" means that the GPOs do NOT processs synchronously. That's the default and that's what remains it appears.
The sysvol replication looks OK to me!
The status of the GPO was Enabled.
arnold:The GPOs, as nearly as I can tell from: "Always wait for the network at computer startup and logon" being "Not Configured" means that the GPOs do NOT processs synchronously. That's the default and that's what remains it appears.
well... something doesnt add up.... as if the GPO is applied to that OU and it doesn't show up in gpresult/r (as applied or filtered out) - either the user isnt a member of the OU - or GPO replication is busted.... that's the only two options there.
ASKER
I'm beginning to wonder if the GPOs need to be set with "Always wait for the network at computer startup and logon" ENABLED.
AND
To have the timeout increased from 30 seconds (the default) to something greater?
AND
To have the timeout increased from 30 seconds (the default) to something greater?
in my opinion - no.... neither of these settings will stop a policy from showing up in gpresult /r
im assuming you have logged off/on - to refresh the user group membership token - just in case ?
im assuming you have logged off/on - to refresh the user group membership token - just in case ?
You do not set it on all gpo's, you merely set it on one that applies to the computer.
The setting is a computer behavior ...
The setting is a computer behavior ...
ASKER
Just FYI: I have a series of questions here on EE relating to one computer not responding to changes in Security Group membership for one User. Why do I think these cases may be related....?
https://www.experts-exchange.com/questions/29216407/Which-Security-Group-for-a-User-is-in-effect-On-the-Domain-On-the-workstation-where-the-User-is-logged-on.html
https://www.experts-exchange.com/questions/29214503/Daily-Security-Group-Changes-of-One-User-Fail-on-one-of-3-DCs.html
One of the hypotheses offered was that the network wasn't responding fast enough (which I take to imply using cached credentials).
Hayes Jupe: Well my thinking was that if the User is logged on using cached credentials then it won't get everything it needs from AD will it? Drive mapping is one of those situations that seems to apply when I continue to research this.
Yes, I've certainly synced the DCs and logged off/on or rebooted and logged on before looking at the results.
arnold: I understand that the setting is in the Computer section of settings. And, one GPO should be enough for that.
But the Drive Mapping is user-specific.
https://www.experts-exchange.com/questions/29216407/Which-Security-Group-for-a-User-is-in-effect-On-the-Domain-On-the-workstation-where-the-User-is-logged-on.html
https://www.experts-exchange.com/questions/29214503/Daily-Security-Group-Changes-of-One-User-Fail-on-one-of-3-DCs.html
One of the hypotheses offered was that the network wasn't responding fast enough (which I take to imply using cached credentials).
Hayes Jupe: Well my thinking was that if the User is logged on using cached credentials then it won't get everything it needs from AD will it? Drive mapping is one of those situations that seems to apply when I continue to research this.
Yes, I've certainly synced the DCs and logged off/on or rebooted and logged on before looking at the results.
arnold: I understand that the setting is in the Computer section of settings. And, one GPO should be enough for that.
But the Drive Mapping is user-specific.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I've reviewed the responses and should check on a couple of things:
arnold said:
The Drive Maps are User Preference items and are applie to an OU of Users....
That said, I believe I've solved the problem re: the initial question here.
arnold said:
You do not set it on all gpo's, you merely set it on one that applies to the computer.I decided that I don't understand this comment. It's likely that I'd be better off in appreciating the message.
The setting is a computer behavior ...
The Drive Maps are User Preference items and are applie to an OU of Users....
That said, I believe I've solved the problem re: the initial question here.
ASKER
Thanks all!
Good that you have it resolved.
To have GPOs processed prior to letting the user login.
i.e. everything has to be processed when the user is in a position to work.
Asynchronously, the GPOs might continue to be processed while the user is already in a position to perform work.
I.e. two users
Usera: on login has to access a web portal to address issues.
UserB on login has to access mapped drives to look at things to do/
UserA can have GPOs and GPPs applied Asynchronously as the initial task could provide enough time for the Asynchronous process to complete before the user has to access the network drives, etc.
UserB on the other hand, has to have all the mapped drives available as soon as the user has the session. This GPO/GPPs must be processed synchronously and on conclusion complete the user Session.
Setting the Processing Syncronously need only be done in ONE GPO that applies to all workstations/systems.
See if the following as it may explain in more detail and compeltely.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj573586(v=ws.11)
To have GPOs processed prior to letting the user login.
i.e. everything has to be processed when the user is in a position to work.
Asynchronously, the GPOs might continue to be processed while the user is already in a position to perform work.
I.e. two users
Usera: on login has to access a web portal to address issues.
UserB on login has to access mapped drives to look at things to do/
UserA can have GPOs and GPPs applied Asynchronously as the initial task could provide enough time for the Asynchronous process to complete before the user has to access the network drives, etc.
UserB on the other hand, has to have all the mapped drives available as soon as the user has the session. This GPO/GPPs must be processed synchronously and on conclusion complete the user Session.
Setting the Processing Syncronously need only be done in ONE GPO that applies to all workstations/systems.
See if the following as it may explain in more detail and compeltely.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj573586(v=ws.11)
ASKER
arnold: Thank you! I have certain cases of interest. I think that deserves a new question. I do that.
Have not asked questions in a while, do not know whether you can still ask a related question, deals with notifying the people commenting on the original question that a new/related question has been opened and/.or the original is included as a referenec in the new question.
If you post back here the question/s you open. ...
If you post back here the question/s you open. ...
Active Directory
Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.
86K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
check the status of the GPO within GPMC.