Using Group Policy Preferences (GPP) to map user home drive

To map a drive based on the user name using Group Policy Objects (GPOs) and Group Policy Preferences (GPP), you need to do the following:

  • Create a share to hold the users' home folders and set its permissions (a hidden share name such as Users$ is common; note that the trailing $ only hides the share from browse lists and is not an access control);
  • Create a security group and use it for security filtering on the GPO, so that only members of that group create a home folder through the GPO;
  • Create a new GPO and use GPP to create the user's folder (this is in addition to your existing GPO used to map drives);
  • Add a drive mapping for the user's home folder to the existing GPO;
  • Set the link order of the two GPOs so that the folder-creation GPO has lower precedence (a higher link order number) than the drive-mapping GPO, which means it is processed first.

In my example I will reuse my existing GPO (named Login Script GPO) for mapping network drives, as described in my earlier post on using GPP to map network drives based on a user's group membership.

In addition to this GPO I will create a new one named UserHomeDrive. At the end of the configuration the drive map settings will look like the picture below.

Note: the user home drive is mapped to the letter Q:

Mapping a drive based on user name

To map a drive based on the user name, the Location setting of the drive map item should look like \\SERVER\SHARE\%LogonUser%; in my example the home drive is mapped to \\TEST-DC-01\Users$\%LogonUser%, as shown in the picture above. %LogonUser% is one of the variables that Group Policy Preferences resolves at processing time (press F3 in a GPP path field to see the list of available variables).

When you set a home folder in Active Directory Users and Computers (ADUC), the tool creates the user's directory and sets its permissions. Unlike ADUC, a GPP drive map only maps a drive to the path; it does not create the directory or set permissions. So you either pre-create the users' directories with appropriate ACLs (for example with a PowerShell script or VBScript, which could be shown in one of my next posts), or let a GPP Folder item create the directory, as described next.

Here we will use GPP to create the user's directory and set its permissions. First we need to create a new Group Policy Object and link it to the domain or to the OU that holds the users (the FirstLocation OU in this example).

Create a new GPO and security group

  1. Create a GPO named UserHomeDrive and link it to the FirstLocation OU.
  2. Create a new Active Directory security group, for example 'FirstLocationUsers'. Under Security Filtering for the GPO, remove Authenticated Users and add the new group, as shown in the picture below. (On domains patched with MS16-072 from June 2016, the computer account must still be able to read the GPO for user settings to apply: on the Delegation tab, give Domain Computers or Authenticated Users Read permission, without Apply.)

Create a share folder and set permissions

3.  Create the directory that will hold the home folders; in my example it is shared as 'Users$'. On the share permissions, remove Everyone and give Authenticated Users Full Control. The share permission can be this broad because the NTFS permissions in the next step restrict access.

4.  To set up exclusive access, open the local path behind the share. In the advanced NTFS security settings, disable inheritance, remove the inherited entries and clear the existing ACL, then add the following entries (the "applies to" scope is in parentheses; keep the Authenticated Users entry on the root folder only, otherwise every user receives create rights inside everyone else's folder):

SYSTEM = Full Control (this folder, subfolders and files)
CREATOR OWNER = Full Control (subfolders and files only)
LOCAL\Administrators = Full Control (this folder, subfolders and files)
Authenticated Users = ONLY the following, on this folder only:
Traverse folder / execute file; Create folders / append data; Write attributes; Write extended attributes; Read permissions; Change permissions

These NTFS permissions allow users to create their own folder via the GPO, but they cannot browse the share root or see any folder other than their own. Two points to check: the absence of List folder / read data for Authenticated Users is what hides the other folders, so do not add it to fix a "users can't see their folder" problem (the drive is mapped directly to the user's own folder, so the root never needs to be listed); and Change permissions (WRITE_DAC) on the root lets any authenticated user modify the root ACL itself, so leave it out if your folder-creation step works without it.
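The following PowerShell script is an added example, not code from the original post: it builds the Users$ share and the root NTFS ACL listed above (all six rights for Authenticated Users, including Change permissions, so trim the list if you decide to drop that one), checks that Authenticated Users cannot list the root, and, as the pre-creation alternative mentioned earlier, creates one home folder per member of FirstLocationUsers with an explicit inheritable ACE. The local path D:\Users, the NetBIOS domain name taken from $env:USERDOMAIN and the group name are assumptions; it must run elevated on the file server, and the pre-creation part needs the ActiveDirectory RSAT module.

```powershell
# Added example (not part of the original post): root ACL and share for the
# home-folder design above, an ACL check, and optional folder pre-creation.
# Assumptions: run elevated on the file server; $Root, the domain name and the
# group name 'FirstLocationUsers' are illustrative.

$Root      = 'D:\Users'    # local path behind the Users$ share (assumed)
$ShareName = 'Users$'

function Set-HomeRootAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Disable inheritance and drop the inherited entries, then clear explicit ones.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRuleAll($ace) }

    $full  = [System.Security.AccessControl.FileSystemRights]::FullControl
    $cifs  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $nofl  = [System.Security.AccessControl.InheritanceFlags]::None
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $only  = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $allow = [System.Security.AccessControl.AccessControlType]::Allow

    # SYSTEM and local Administrators: Full Control, this folder, subfolders and files.
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, $full, $cifs, $prop, $allow))
    }
    # CREATOR OWNER: Full Control on subfolders and files only. Whoever creates a
    # folder (the logged-on user, when the GPP item runs in the user's context)
    # becomes its owner and receives Full Control on it.
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'CREATOR OWNER', $full, $cifs, $only, $allow))
    # Authenticated Users: exactly the six rights from the post, this folder only.
    # ListDirectory is deliberately absent, so the root cannot be browsed.
    $rights = [System.Security.AccessControl.FileSystemRights]'Traverse, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ReadPermissions, ChangePermissions'
    $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
        'NT AUTHORITY\Authenticated Users', $rights, $nofl, $prop, $allow))
    Set-Acl -Path $Path -AclObject $acl
}

function Test-HomeRootAcl {
    # $true when no Authenticated Users entry on the root grants ListDirectory,
    # the setting that would let every user see everyone else's folder.
    param([Parameter(Mandatory)][string]$Path)
    $list = [System.Security.AccessControl.FileSystemRights]::ListDirectory
    $bad  = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        (($_.FileSystemRights -band $list) -eq $list)
    }
    return -not $bad
}

function New-UserHomeFolder {
    # Pre-creates one folder per user with an explicit inheritable Full Control
    # entry and the user as owner, so files an administrator copies in later
    # inherit the user's rights. Changing the owner needs SeRestorePrivilege
    # (held by an elevated administrator).
    param(
        [Parameter(Mandatory)][string]$RootPath,
        [Parameter(Mandatory)][string]$Domain,           # NetBIOS domain name (assumed)
        [Parameter(Mandatory)][string[]]$SamAccountName
    )
    foreach ($user in $SamAccountName) {
        $folder = Join-Path -Path $RootPath -ChildPath $user
        if (-not (Test-Path -Path $folder)) {
            [void](New-Item -ItemType Directory -Path $folder)
        }
        $acl = Get-Acl -Path $folder
        $acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
            "$Domain\$user", 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
        $acl.SetOwner([System.Security.Principal.NTAccount]::new($Domain, $user))
        Set-Acl -Path $folder -AclObject $acl
    }
}

# --- usage ---
if (-not (Test-Path -Path $Root)) { [void](New-Item -ItemType Directory -Path $Root) }
Set-HomeRootAcl -Path $Root
if (-not (Test-HomeRootAcl -Path $Root)) { throw "Authenticated Users can list $Root" }
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    # Only Authenticated Users on the share; Everyone is never added.
    [void](New-SmbShare -Name $ShareName -Path $Root -FullAccess 'NT AUTHORITY\Authenticated Users')
}
# Optional: pre-create the folders instead of relying on the GPP Folder item
# (needs the ActiveDirectory RSAT module).
$members = Get-ADGroupMember -Identity 'FirstLocationUsers' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Select-Object -ExpandProperty SamAccountName
New-UserHomeFolder -RootPath $Root -Domain $env:USERDOMAIN -SamAccountName $members
```

Run Test-HomeRootAcl again after any manual change in the GUI; it is the quickest way to confirm that a "fix" did not quietly grant List folder to everyone.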

5.  Then add a drive mapping preference item to your drive-mapping GPO, mapping the path \\TEST-DC-01\Users$\%LogonUser% (details in the next section).

6.   In the new GPO, create a new Folder item under 'User Configuration' – 'Preferences' – 'Windows Settings' – 'Folders'.

7.   On the General tab select Action 'Create' and set Path to \\TEST-DC-01\Users$\%LogonUser%. Do not enable any of the Attributes.

8.   On the Common tab, enable 'Run in logged-on user's security context (user policy option)'. GPP items run as SYSTEM by default; this option makes the user the creator, and therefore the owner, of the folder, so the CREATOR OWNER entry on the share root grants Full Control to the right account.

This automatically creates a folder, with exclusive access, for each user who is a member of the 'FirstLocationUsers' group.

Map a drive to user’s folder

Now I go back to my existing GPO (in my example the Login Script GPO) that maps network drives based on group membership. I repeat the steps from my previous post, but this time map drive letter Q: to \\TEST-DC-01\Users$\%LogonUser%.

For Action select 'Create' or 'Replace', tick the 'Reconnect' checkbox and open the Common tab.

On the 'Common' tab tick two checkboxes: 'Run in logged-on user's security context (user policy option)' and 'Item-level targeting'. Click Targeting to open the Targeting Editor and add a Security Group item so the mapping applies only when the user is a member of 'FirstLocationUsers'.

Assign link order for the two GPOs

Finally, make sure the precedence of the two GPOs is right: the folder-creation GPO needs lower precedence (a higher link order number) than the drive-mapping GPO. The link order controls how GPOs linked to the same container are processed: link order 1 has the highest precedence and is processed last, so a GPO with a higher link order number is processed before one with a lower number. Here 'UserHomeDrive' with link order 3 is processed first, then 'Login Script GPO' with link order 2, and so on. This order is needed because the user's home folder has to exist before the drive to it is mapped. 'Default Domain Policy' at link order 1 is processed last, so any settings in it are final and override those in GPOs with higher link order numbers (unless Block Inheritance or Enforced is used).
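The following PowerShell script is an added example (not from the original post) that does the GPO side of this procedure from the command line: it creates the FirstLocationUsers group and the UserHomeDrive GPO, links the GPO to the OU, sets security filtering, and orders the links on the OU so that the folder-creation GPO is processed before the drive-mapping GPO, then verifies the order. The OU distinguished name is an assumption; the GPO and group names are the post's. It needs the GroupPolicy and ActiveDirectory RSAT modules and domain administrator rights. The GPP Folder and Drive Map items themselves have no cmdlet and are still added in the Group Policy Management Editor as described above.

```powershell
# Added example (not part of the original post): GPO, filtering group, security
# filtering and link order for the two-GPO home drive setup.
# Assumptions: domain admin with RSAT; the OU DN below is illustrative.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$TargetOU  = 'OU=FirstLocation,DC=test,DC=local'   # assumed DN of the FirstLocation OU
$CreateGpo = 'UserHomeDrive'                        # holds the GPP Folder item
$MapGpo    = 'Login Script GPO'                     # holds the GPP Drive Map item
$FilterGrp = 'FirstLocationUsers'

# Security group used for filtering (step 2 of the post).
if (-not (Get-ADGroup -Filter "Name -eq '$FilterGrp'")) {
    New-ADGroup -Name $FilterGrp -GroupScope Global -GroupCategory Security -Path $TargetOU
}

# The GPO, linked to the OU (step 1 of the post).
if (-not (Get-GPO -Name $CreateGpo -ErrorAction SilentlyContinue)) {
    [void](New-GPO -Name $CreateGpo)
    [void](New-GPLink -Name $CreateGpo -Target $TargetOU -LinkEnabled Yes)
}

# Security filtering: the group gets Read + Apply. Authenticated Users is reduced
# to Read rather than removed outright: since MS16-072 (June 2016) the computer
# account reads user GPOs, and without Read the policy stops applying.
# -Replace is required to lower an existing (Apply) permission level.
[void](Set-GPPermission -Name $CreateGpo -TargetName $FilterGrp -TargetType Group -PermissionLevel GpoApply)
[void](Set-GPPermission -Name $CreateGpo -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace)

# Link order on the OU: order 1 has the highest precedence and is processed last.
# Put the folder-creation GPO at the end of the list and the mapping GPO just
# before it, so the folder exists by the time the drive map is processed.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $MapGpo })) {
    throw "$MapGpo is not linked to $TargetOU"
}
[void](Set-GPLink -Name $CreateGpo -Target $TargetOU -Order $links.Count)
[void](Set-GPLink -Name $MapGpo    -Target $TargetOU -Order ($links.Count - 1))

# Verify: the creation GPO must have the higher link order number.
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
$links | Select-Object Order, DisplayName, Enabled | Format-Table -AutoSize
$createOrder = ($links | Where-Object { $_.DisplayName -eq $CreateGpo }).Order
$mapOrder    = ($links | Where-Object { $_.DisplayName -eq $MapGpo    }).Order
if ($createOrder -le $mapOrder) {
    throw "$CreateGpo (order $createOrder) must have a higher link order number than $MapGpo (order $mapOrder)"
}
```

If you prefer the post's approach of removing Authenticated Users completely, give Domain Computers GpoRead on the GPO instead; the point is that some principal covering the computer accounts keeps Read.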





Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.

42 thoughts on “Using Group Policy Preferences (GPP) to map user home drive”

  1. tippet

    Thank you.
    Can I use this for users that already have home user directories? I'm looking to replace my old VBS file.

    Thanks again
    1. admin Post author

      Yes you can, but since you already have the users' home folders created, you do not need to use GPP to create them; you will just use the GPO (as explained in the post) for mapping users' home drives, for example letter Q, to the following location: \\TEST-DC-01\Users$\%LogOnUser%. %LogonUser% is an environment variable available in Group Policy Preferences.
  2. Cesare

    Thanks a ton! Excellent guide!
    However, for some reason %LogonUser% isn't working for me.
    So the folders get created on the home folder share, but the Q drive never mounts because the GPO doesn't understand what %LogonUser% is.
    I even tried going to \\server\homdrive$\%LogonUser% with no luck.

    Any ideas?
    1. Cesare

      OK, so I tried using the %username% variable instead and that did the trick. I am assuming this is because the server hosting the home drive is Windows Server 2003; time to upgrade... the quota management is needed!
  3. NATASHA

    Hi, I have been reading and I will definitely bookmark your site; I just wanted to say I liked this article.
  4. Karen

    I can't seem to get the NTFS permissions correct. The home folders are created, but when I have Read attributes selected every user can see everyone else's too, and when I don't have it checked, the user can't see their own folder.
    1. admin Post author

      Check again the directory location of your share. In the advanced NTFS security permissions, remove the inheritable permissions and clear the current ACL. You can then add the following ACL:

      SYSTEM = Full Control
      CREATOR OWNER = Full Control
      LOCAL\Administrators = Full Control
      For the Authenticated Users group the following has to be set up ONLY:
      Traverse folder; Create folder; Write attributes; Write extended attributes; Read permissions; Change permissions

      These NTFS permissions will allow your users to create the folder via the GPO, but they will not be able to browse the share or view any folder other than their own.

  5. VP

    Thanks for the article.
    Followed the procedure very carefully and triple-checked everything.
    My issue is that upon first login the folder is created but the drive mapping never occurs. I've confirmed that the link order is correct. Logging off and then back on maps the drive (so on the second login).

    My point is that it seems the GPO processing doesn't happen in the time needed for the secondary (mapping) to occur. Any ideas? I've tested this with multiple users with the same results.

    VP
  6. Björn

    Hi, this procedure works fine in our WS2008R2 (DC and TS) environment. With a DC and TS based on WS2012R2 I get an error Group Policy Drive Maps 4098 (not found) during the first logon process. After the first logon the folder is created but not mapped. I already checked the priority and both GPOs are running in the user context. Any ideas? Thanks in advance...
    Regards Björn
  7. Josh

    The only issue I have run across so far is that it sets security on the user's folder but not for sub-folders. The user will generally create sub-items and folders and thus will be the owner, so it isn't an issue in that scenario, but if they CUT anything into the folder the permissions do not carry over. Any resolution for this?
    1. admin Post author

      Have you checked and enabled on the Common tab ‘Run in logged-on user’s security context‘ option?

  8. Emi

    Great link, it works fantastically and it really helped me. The only remark is to use \\servername\sharefoldername\%username% in the GPO that maps the drive instead of %LogonUser%. Also make sure to check the precedence order in the Group Policy Inheritance tab. To have the GPP that creates the home folder policy first, you need to have it as link 1, followed second by the mapping GPO.

    Cheers!!!
  9. Danny

    Question: once the user's folder is created for the first time, do they need to be removed from the GPP that creates the folder?

    Great site.
  10. Jacmel

    Hi. Some users in my domain (with local administrative access on their workstations) disable the special shares C$, D$, etc. Can I regain access to those shares through an Active Directory GPO? Thanks a lot

    1. admin Post author

      Requirements: user with administrator rights
      Step by step process: GPO = Computer Configuration – Preferences – Registry. Browse to HKLM > System > CurrentControlSet > Services > lanmanserver > parameters

      To enable administrative shares:
      • Change the value of AutoShareServer to 1
      • Change the value of AutoShareWks to 1

      To disable administrative shares:
      • Change the value of AutoShareServer to 0
  11. Thomas

    Question: I have followed your guidance and it works great 🙂
    But I have a problem. Users log on and the folder is created and mounted without any problems.

    The user then accesses the home folder and tries to add a file; the file is added but the user doesn't see the file.
    If I change the Authenticated Users rights to also include List folder/Read data then I can see the folder there and then, but not the next folder/file I create.

    If I add this change directly to the first line of Authenticated Users (This folder, subfolders and files)
    then they see everyone's folders.

    I need to add a new line for subfolders and files only, just with List contents.
    But this doesn't automatically replicate to all files and folders when they are created; I need to apply the NTFS permission so that it replicates the user rights, but I can't do this every time anyone is adding a file 🙂

    The environment consists of a 2012 R2 DC, 2008 R2 file server and application servers.

    Thanks.
  12. Paul

    Great article and it has been very useful, but I have come across the same issue as Björn from 2014.

    The GPO creates the user home folders but refuses to map it on the first logon. I've tried swapping the order of the policies but it makes no difference. Logging on a second time initiates the mapping of the drive correctly.

    This is Windows 2012R2 and the error message is similar:
    “Group Policy Object did not apply because it failed with error code ‘0x80070037 The specified network resource or device is no longer available.’”

    Any thoughts?
  13. Nalin

    Hi,

    Great article. We had to create username-based drive mappings in addition to the normal home drive users have. I was scratching my head trying to figure this out when I came across your article. Great piece. Thanks ever so much for sharing the knowledge.

    Nalin.

    1. Dmitri

      I am doing work for a company right now where they have a Group Policy Preference set for drive maps, and mapped drives defined as home drives under the user. Both of these are enabled and both are doing the same thing, so which one wins? We are moving away from assigning drives to the user and finding that we have many users now working in different regions, but their home drives are still pointing to our head office. Before I spend way too much time investigating each user, does anyone know what wins in a conflict? Does GP win or does the user-assigned home folder win? It's hard to test since each site is its own cloud and it would take forever to try to figure it out, so I'm trying not to do that if someone knows for sure.
  14. Zack Jordan

    This worked great for me when I followed it to a T and applied these GPOs to my company's Payroll OU. Each person in payroll had their folder mapped as the U drive with the label "My Home Drive" and they couldn't get into the main Users$ folder; they could ONLY get into their own, which is the goal here.

    I do have a question though. I want to apply these to the highest OU in my server so EVERY user on the domain has their own U drive and can't get into anyone else's but their own, the way it does it for one OU. On the item-level targeting section of the drive mapping GPO, can I just change that from the particular file share group (\\servername\payroll) to (\\servername\Domain Users) so this can be applied to everyone on the domain? Or do I have to do both GPOs in every single OU with their corresponding file share security group? If it's possible to do that without doing it in each OU separately I will be so ecstatic! 🙂

    1. admin Post author

      If I understand your question, you want all users in a domain to have their home drive mapped to the same drive letter. Yes, you can use the item-level targeting section of the drive mapping GPO to point to a different security group, in this case the "Domain Users" group. My understanding is that the Domain Users group can be added to other domain groups and can be given permissions directly to objects, as well as placed in local computer groups. Note that Domain Users is a group in which we can add or remove members, which we cannot do in the Authenticated Users group. In addition, the Administrator account and all new user accounts are automatically included as members of this group. This group is also a member of the Users local group for the domain and for every Windows computer in the domain.
  15. doodleman

    I have a bit of a twist on this.
    What you have outlined above is all great, but how would you go about creating a folder with restrictive permissions that resides within a non-restrictive share?

    Ideally I'd want a Users share which is open for all to access, use group policy to create \\Server\Users\%Username%\Public which inherits the non-restrictive permissions, and also create \\Server\Users\%Username%\Private which applies permissions similar to what you have demonstrated above.

    The easy option would be to create a UsersPublic share and a UsersPrivate share, but it's just not tidy 🙂

    What are your thoughts?
  16. Paul Hammer

    I am not able to get this to work on first logon. The user's folder gets created but does not map until the next logon. This is the error I see in the event viewer on initial login:
    0x800704d0. The network location cannot be reached.
    Subsequent logons are fine and everything works as it should.

    I am on a Windows 2008 R2/Windows 7 environment. How can I fix it? It's driving me nuts!

      1. Paul Hammer

        I tried the suggestions listed there, namely: adding an A record for the domain NetBIOS name and setting a computer policy to set "Startup policy processing wait time" to 120 seconds. Neither of these changes made any difference. I even tried changing the paths to point to the IP instead of host names, but it still does not work.

        Any other ideas? This really is bugging me, especially since I know others are successfully using these policies.

        1. Jov

          Hi Paul,

          I have been facing a very similar issue. Not exactly the same, but quite similar. Not related to SSD, not having exactly the same error ID, but like I said, quite similar: 0x80070037 (the description is in French so I'll not post it here, but it basically means that the network resource isn't available anymore).

          I haven't tried any workaround yet, but you might want to have a look at this. It gives workarounds but also explains the issue. My best guess is the "Always wait for the network at computer startup and logon" policy. This should fix the issue, as it's all about booting asynchronously or synchronously and this GPO changes that behaviour. I might not be able to change this in our environment. So it's up to you to try it or not to validate the thing.
  17. DanMan32

    I see one big problem with using this method as opposed to the ADUC setting of the user home folder:
    environment variables.
    With the "normal" way of defining a home folder in a user's account, the logon process creates the following environment variables that some applications use, I believe Office being one of them:
    HOMEDRIVE
    HOMEPATH
    HOMESHARE
  18. Robert

    Hello there.
    This is a great article; it helped me a lot. I don't know if this thread is still running, but I have one little problem with this.
    When I copy a file into someone's home folder, I have to give them security rights so they can use it.
    How do I set it so that they can use files I copy to them automatically?
    Thank you

      1. Robert

        Hey, sorry for the late reply; I just didn't get an email, so I thought no one replied. Anyway,
        I set up the permissions exactly as mentioned above in this article, and I have this issue. I hope there's a solution for this; it's actually annoying and time consuming.
        Thank you
  19. Scottyb

    I have the same issue as Robert (Oct 17, 2016). Permissions were set up as mentioned, but when we copy files into the user's folder, they have no rights to it. The user's permissions apply to "This folder only". Permissions are being inherited from the parent directory. Anyone else having this issue? Is this something new to Server 2012? I've tried tweaking the permissions, but cannot make it work; there must be a solution out there... somewhere!

    1. withanHdammit

      I am noticing the same issue. Permissions are "This folder only" and when an admin copies files into the folder, the permissions do not inherit.

      Would like the auto-created folder to have "This folder, subfolders and files".
  20. flippeers.com

    Even better, GPPs can be discretely targeted to specific users and computers, ensuring desired preferences make their way to the right people.

