Tag Archives: GPO

Using Group Policy Preferences (GPP) to map user home drive

To map a drive based on user name by using group policy objects and preferences, you need to do the following:

  • Create a share to hold the users’ home folders and set its permissions (most network administrators use a share name such as Users$);
  • Create a security group to use for security filtering on the GPO, so that members of this group can create their home folders via the GPO;
  • Create a new GPO and use GPP to create each user’s folder (this is in addition to your existing GPO used to map drives);
  • Add the drive mapping for the user home drive to the existing GPO;
  • Set the link order of the two GPOs, with a lower link order for the home folder creation GPO and a higher link order for the home drive mapping GPO.

In my example, I will use my existing GPO (named Login Script GPO) for mapping network drives, as described in my blog post where I used GPP to map network drives based on the user’s group membership.

In addition to this GPO, I will create a new one and name it UserHomeDrive. By the end of the configuration process, the drive map settings will look similar to the picture below.

Note: user home drive is mapped to the letter Q:

Mapping a drive based on user name

To map a drive based on the user name, the Location setting of your drive mapping item should look something like \\SERVER\SHARE\%LOGONUSER%. In my example the user’s home drive is mapped to \\TEST-DC-01\Users$\%Logonuser%, as shown in the picture above.

When you use Active Directory Users and Computers (ADUC) to map a user’s home drive, the tool creates the user’s directory and sets its permissions. Unlike ADUC, GPP only maps a drive to the share; it does not create the directory or set permissions. So you will need to pre-create the users’ directories with appropriate ACLs. For this purpose you can use a script, such as a PowerShell script or VBScript, which I may show in one of my next blog posts.
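A pre-creation script of that kind, added here as an example and not the author’s own: it creates a home folder under the share for every member of the FirstLocationUsers group, makes the user the owner with Full Control (the same exclusive-access result the GPO method produces), and then audits the share for folders whose owner does not match the folder name. It assumes the RSAT ActiveDirectory module, an elevated session on the file server, and that Users$ is rooted at D:\Users.

```powershell
# Added example, not the author's script. Assumes RSAT (ActiveDirectory module),
# an elevated session on the file server, and that \\TEST-DC-01\Users$ maps to D:\Users.
Import-Module ActiveDirectory

$Root  = 'D:\Users'            # local path behind the Users$ share (assumption)
$Group = 'FirstLocationUsers'  # the security group used for GPO security filtering

function New-HomeFolder {
    param([string]$Root, [string]$SamAccountName, [string]$NetBiosDomain)
    $path = Join-Path $Root $SamAccountName
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    $acl  = Get-Acl -Path $path
    $user = New-Object System.Security.Principal.NTAccount("$NetBiosDomain\$SamAccountName")
    # Make the user the owner, as they would be had the GPO created the folder in their context.
    $acl.SetOwner($user)
    # Inherited SYSTEM / Administrators entries from the share root are kept; the user gets
    # Full Control on this folder, its subfolders and files.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $user, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    return $path
}

function Test-HomeFolderOwners {
    # Report every home folder with its owner and whether the owner is the matching user.
    param([string]$Root, [string]$NetBiosDomain)
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $owner = (Get-Acl -Path $_.FullName).Owner
        [pscustomobject]@{
            Folder  = $_.Name
            Owner   = $owner
            Matches = ($owner -ieq "$NetBiosDomain\$($_.Name)")
        }
    }
}

$domain = (Get-ADDomain).NetBIOSName
Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { New-HomeFolder -Root $Root -SamAccountName $_.SamAccountName -NetBiosDomain $domain }

# Folders owned by someone other than the matching user break the exclusive-access model
# and are worth a look (for example a folder created under another account).
Test-HomeFolderOwners -Root $Root -NetBiosDomain $domain | Where-Object { -not $_.Matches }
```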

Here we will use GPP to create user’s directory and set permissions. First we will need to create a new Group Policy Object and link it to the domain.

Create a new GPO and security group

  1. Create a GPO, link it to the FirstLocation OU and name it UserHomeDrive.
  2. Create a new Active Directory security group, something like ‘FirstLocationUsers’. Under the GPO’s Security Filtering, remove Authenticated Users and add your new security group, as shown in the picture below.

Create a share folder and set permissions

3.  Create a directory that will hold the home folders and share it. In my example I named the share ‘Users$’. Ensure that Everyone is removed from the share permissions and that the Authenticated Users group has Full Control share permission.

4.  To set up exclusive access, go to the directory behind your share. In the advanced NTFS security permissions, remove the inheritable permissions and clear the current ACL. Then add the following entries:

  • SYSTEM = Full Control
  • CREATOR OWNER = Full Control
  • LOCAL\Administrators = Full Control
  • Authenticated Users = ONLY the following: Traverse folder; Create folders; Write attributes; Write extended attributes; Read permissions; Change permissions

These NTFS permissions will allow your users to create the folder via the GPO, but they will not be able to browse the share or view any folder other than their own.

5.  Then you can add a drive mapping preference item to your GPO, mapping the path \\TEST-DC-01\Users$\%Logonuser%.

6.   In the new GPO configure a new Folder under ‘User Configuration’ – ‘Preferences’ – ‘Windows Settings’ – ‘Folders’.

7.   On the General tab you should select under Action ‘Create’, and the Path should read \\TEST-DC-01\Users$\%Logonuser%. Do not enable any additional items under Attributes.

8.   In the Common tab, enable the ‘Run in logged-on user’s security context‘ option.

This will automatically create a folder for each user who is a member of your ‘FirstLocationUsers’ group, with exclusive access to that folder for the user.
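Steps 3 and 4 done with PowerShell instead of the GUI, as an added example (not the author’s script): it creates the Users$ share with the stated share permissions, replaces the NTFS ACL on the folder with exactly the entries listed above, and prints the resulting ACL so it can be checked. It assumes the share lives at D:\Users and that the script runs elevated on the file server (TEST-DC-01 in the post).

```powershell
# Added example, not the author's script. Assumes D:\Users behind the Users$ share
# and an elevated session on the file server.
$Root = 'D:\Users'
if (-not (Test-Path $Root)) { New-Item -ItemType Directory -Path $Root | Out-Null }

# Share permissions (step 3): Authenticated Users = Full Control, Everyone removed.
if (-not (Get-SmbShare -Name 'Users$' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'Users$' -Path $Root -FullAccess 'Authenticated Users' | Out-Null
}
Revoke-SmbShareAccess -Name 'Users$' -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# NTFS (step 4): stop inheriting, clear the existing DACL, then add only the listed entries.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)          # disable inheritance, drop inherited ACEs
foreach ($r in $acl.Access) { if (-not $r.IsInherited) { [void]$acl.RemoveAccessRule($r) } }

function New-Ace([string]$Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# Full Control, inherited by subfolders and files.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# CREATOR OWNER applies to subfolders and files only, so whoever creates a home folder owns it.
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# Authenticated Users get the six rights from step 4 on this folder only: enough to create
# their own folder, but no List Folder / Read Data, so they cannot browse other users' folders.
$limited = [System.Security.AccessControl.FileSystemRights]'Traverse,CreateDirectories,WriteAttributes,WriteExtendedAttributes,ReadPermissions,ChangePermissions'
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' $limited 'None' 'None'))

Set-Acl -Path $Root -AclObject $acl

# Verify what was actually written.
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```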

Map a drive to user’s folder

Now I will go back to my existing GPO (in my example this is Login Script GPO) for mapping network drives based on the user’s group membership. I will repeat the steps described in my previous blog post, but this time I will map the drive letter Q to the following location: \\TEST-DC-01\Users$\%Logonuser%.

For the Action you can select ‘Create’ or ‘Replace’, check the ‘Reconnect’ checkbox and click on the Common tab.

On the ‘Common’ tab select two check boxes: ‘Run in logged-on user’s security context (user policy option)’ and then ‘Item-level targeting’. The latter opens the Targeting Editor, where you add a Security Group item so that the drive is mapped only when the user is a member of ‘FirstLocationUsers’.

Assign link order for the two GPOs

Finally, make sure the GPO precedence is set so that the home folder creation GPO has a lower link order (a higher link order number) than the home drive mapping GPO. The link order determines how the policy objects linked to the OU are processed: a lower-ranking policy object is processed before a higher-ranking one. Here ‘UserHomeDrive’, with link order 3, is processed first, then ‘Login Script GPO’, with link order 2, and so on. This order is necessary because the user’s home folder has to exist before the user’s home drive is mapped. ‘Default Domain Policy’ is processed last, so any settings in that policy object are final and override those configured in policy objects with a lower link order (unless Block Inheritance or Enforced is used).
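A check for this ordering with the GroupPolicy module, added here as an example and not part of the original post: it reads the links on the OU and confirms that ‘UserHomeDrive’ carries a higher link order number than ‘Login Script GPO’, so it is processed first. The OU distinguished name is an assumption about the post’s AlexTest.Local lab.

```powershell
# Added example, not from the post. Assumes the GroupPolicy module (RSAT) and that the
# FirstLocation OU sits directly under the AlexTest.Local domain.
Import-Module GroupPolicy
$Ou = 'OU=FirstLocation,DC=AlexTest,DC=Local'   # assumed DN

function Test-HomeDriveLinkOrder {
    param(
        [string]$Target,
        [string]$CreateGpo = 'UserHomeDrive',      # creates the folder, must run first
        [string]$MapGpo    = 'Login Script GPO'    # maps Q:, must run after
    )
    $links  = (Get-GPInheritance -Target $Target).GpoLinks
    $create = $links | Where-Object DisplayName -eq $CreateGpo
    $map    = $links | Where-Object DisplayName -eq $MapGpo
    if (-not $create -or -not $map) { throw "Both '$CreateGpo' and '$MapGpo' must be linked to $Target" }
    # A higher link order number means lower precedence, i.e. processed earlier.
    [pscustomobject]@{
        CreateGpo   = $CreateGpo; CreateOrder = $create.Order
        MapGpo      = $MapGpo;    MapOrder    = $map.Order
        Ok          = ($create.Order -gt $map.Order)
    }
}

$result = Test-HomeDriveLinkOrder -Target $Ou
$result | Format-List
if (-not $result.Ok) {
    Write-Warning "'$($result.CreateGpo)' would run after '$($result.MapGpo)'; move it down in GPMC"
    # To correct it from PowerShell (verify the resulting order in GPMC afterwards):
    # Set-GPLink -Name $result.CreateGpo -Target $Ou -Order $result.MapOrder
}
```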

Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.

Using Group Policy Preferences to map network drives based on Group Membership

In one of my previous blog posts I showed you how to use Group Policy Objects and a PowerShell logon script to map network drives. With the arrival of Server 2008 R2 it became much easier to use GPOs and the newer Group Policy Preferences (GPP) extensions to replace most of the duties of a logon script, such as mapping network drives. Here I will show you how to use GPP to map a local drive letter to a specific network share based on the user’s group membership.
In my example, the AlexTest.Local domain has three OUs where users have data organized around the needs of their business units: accounting, sales, and warehouse. I will use inclusive group drive mappings (a drive is mapped for a user who is a member of a specific security group) to map a network share based on the user’s membership of a particular security group. This ensures that members of the accounting unit receive the drive letters mapped for the accounting department, members of sales receive the drive letters mapped for sales, and so on. In contrast to inclusive drive mappings, exclusive drive mappings prevent a user from mapping a particular drive letter to a network share if he/she is not a member of a specific group.
For example: John works in Accounting, Stephen works in another department and is a member of Sales, and Kate is a member of Warehouse. So when John logs in, his drive I: should point to “\\Test-DC-01\Common\Accounting”; when Stephen logs in, his drive I: points to “\\Test-DC-01\Common\Sales”; and for Kate drive I: points to “\\Test-DC-01\Common\Warehouse”.
To start mapping network drives, please open Group Policy Management Console from the Administrative Tools folder.
1. I’ve decided to assign a GPO to the FirstLocation OU, so expand the domain tree to locate the FirstLocation OU.
2. Right-click the OU and select Create and Link a GPO Here.
3. Give your policy a name and click OK.

Note: In the case that a GPO already exists and it is linked to the OU you need, you don’t need to create a new GPO, you can use the existing one.
4. I already have one named Login Script GPO, so I just need to Right-click the existing one and select ‘Edit’.
Add a new drive mapping
5. Expand ‘User Configuration’ – ‘Preferences’
6. Right-click ‘Drive Maps’ – ‘New’ – ‘Mapped Drive’
7. In my example, for ‘Action’, select ‘Replace’ (see the picture below)

8. In the ‘Location’ field, type the UNC path of the accounting shared folder
9. Select ‘Reconnect’ to make sure the drive is persistent
10. Under ‘Drive Letter’, select the letter (in this case the letter I) to use for the mapped network drive
11. Click the ‘Common’ tab

NOTE: In addition to the features listed above, each policy item in GPP supports some general behaviors that give further control over how the settings are applied to users and computers.
These are:
• Stop processing items in this extension if an error occurs: prevents further GP processing for a given extension if an error is encountered.
• Run in logged-on user’s security context (user policy option): per-user GPP settings normally run in the context of the system account unless this option is selected.
• Remove this item when it is no longer applied: lets you forcibly remove the policy setting when the policy falls out of scope for the user or computer (otherwise the setting is left in place).
• Apply once and do not reapply: normally, preferences reapply based on the action you choose (e.g. Create, Delete, Update, or Replace) or when the underlying setting changes (e.g. the user undoes a setting delivered by GPP). If this option is checked, the setting is applied once and then never again. This option is useful for making one-time “suggestions” for a given setting that the user can override.
• Item-level targeting: provides the granular targeting that we have already discussed.

12. Select the ‘Run in logged-on user’s security context (user policy option)’ checkbox
13. Enter a comment in the ‘Description’ field (optional)
Target your drives to your user group
14. Check the ‘Item-level targeting’ checkbox, and then click the ‘Targeting…’ button.
15. Click ‘New Item’, and then select ‘Security Group’.
16. Click the browse button to browse for your security group in your domain. Type ‘Accounting’ in the ‘Enter the object name to select’ field and click ‘OK’.
17. In the Targeting Editor you should now see the security group as domain name\group name together with the group’s SID, as shown in the picture below.

18. Click ‘OK’ to close the window.
19. Repeat steps 6 through 18 for the remaining groups (Sales and Warehouse) to map drive I: to “\\Test-DC-01\Common\Sales” and “\\Test-DC-01\Common\Warehouse”. Once you are done, you will have the result shown below.

20. I mapped drives for the rest of the security groups and our final setting is shown below.

And there you have it, all drives have been mapped based on group membership.
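A way to review the result outside the GUI, added here as an example (not from the post): GPP Drive Maps items are stored in the GPO’s SYSVOL folder as Drives.xml, and this script summarizes each item (letter, share, action, user context, targeted groups) and flags a drive letter that has an untargeted item alongside other items, which would silently win or lose depending on processing order. The XML is a constructed, abridged sample with placeholder SIDs so the parser can be tried without a domain; real files also carry clsid, uid and changed attributes.

```powershell
# Added example, not from the post. Assumes the GroupPolicy module only for the
# commented-out lookup of the real GPO at the end.
function Get-DriveMapSummary {
    param([xml]$DrivesXml)
    foreach ($d in $DrivesXml.Drives.Drive) {
        $groups = @($d.Filters.FilterGroup | ForEach-Object { $_.name })
        [pscustomobject]@{
            Letter      = $d.Properties.letter
            Path        = $d.Properties.path
            Action      = $d.Properties.action        # C=Create, U=Update, R=Replace, D=Delete
            UserContext = ($d.userContext -eq '1')    # 'Run in logged-on user's security context'
            Groups      = ($groups -join ';')         # empty = no item-level group targeting
        }
    }
}

function Find-DriveMapConflict {
    # A letter with several items where at least one item has no group filter.
    param($Summary)
    $Summary | Group-Object Letter | Where-Object {
        $_.Count -gt 1 -and @($_.Group | Where-Object { -not $_.Groups }).Count -gt 0
    } | ForEach-Object { "Drive $($_.Name): untargeted item present among $($_.Count) items" }
}

# Constructed sample: the post's three group-targeted I: mappings plus one deliberately
# untargeted I: item to exercise the conflict check. SIDs are placeholders.
$sample = [xml]@"
<Drives>
  <Drive name="I:" userContext="1"><Properties action="R" path="\\Test-DC-01\Common\Accounting" letter="I" persistent="1"/>
    <Filters><FilterGroup bool="AND" not="0" name="ALEXTEST\Accounting" sid="S-1-5-21-0-0-0-1105"/></Filters></Drive>
  <Drive name="I:" userContext="1"><Properties action="R" path="\\Test-DC-01\Common\Sales" letter="I" persistent="1"/>
    <Filters><FilterGroup bool="AND" not="0" name="ALEXTEST\Sales" sid="S-1-5-21-0-0-0-1106"/></Filters></Drive>
  <Drive name="I:" userContext="1"><Properties action="R" path="\\Test-DC-01\Common\Warehouse" letter="I" persistent="1"/>
    <Filters><FilterGroup bool="AND" not="0" name="ALEXTEST\Warehouse" sid="S-1-5-21-0-0-0-1107"/></Filters></Drive>
  <Drive name="I:" userContext="0"><Properties action="R" path="\\Test-DC-01\Common\Old" letter="I" persistent="1"/></Drive>
</Drives>
"@
$summary = Get-DriveMapSummary -DrivesXml $sample
$summary | Format-Table -AutoSize
Find-DriveMapConflict -Summary $summary

# Against the real GPO (needs the GroupPolicy module and SYSVOL access):
# $gpo  = Get-GPO -Name 'Login Script GPO'
# $file = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\User\Preferences\Drives\Drives.xml"
# Get-DriveMapSummary -DrivesXml ([xml](Get-Content -Path $file -Raw))
```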
