Using Group Policy Preferences to map network drives based on Group Membership

In one of my previous posts I showed how to use Group Policy Objects and a PowerShell logon script to map a network drive. With the arrival of Server 2008 R2 it becomes much easier to use GPOs and the newer Group Policy Preferences (GPP) extensions to replace most of the duties of a logon script, such as mapping network drives. Here I will show you how to use GPP to map a local drive letter to a specific network share based on the user’s group membership.
In my example, the AlexTest.Local domain has three OUs where users have data organized and aligned with the needs of their business units: accounting, sales, and warehouse. I will use inclusive group drive mappings (a drive is mapped for a user who is included in a specific security group) to map a network share based on the user being a member of a particular security group. This ensures that members of the accounting unit receive the drive letters mapped for the accounting department, members of sales receive the drive letters mapped for sales, and so on. In contrast to inclusive drive mappings, exclusive drive mappings prevent a user from mapping a particular drive letter to a network share if he/she is not a member of a specific group.
For example: John works in Accounting, Stephen works in another department and is a member of Sales, and Kate is a member of Warehouse. So when John logs in, drive I: should point to “\\Test-DC-01\Common\Accounting”; when Stephen logs in, his drive I: points to “\\Test-DC-01\Common\Sales”; and for Kate, drive I: points to “\\Test-DC-01\Common\Warehouse”.
To start mapping network drives, please open Group Policy Management Console from the Administrative Tools folder.
1. I’ve decided to assign a GPO to the FirstLocation OU. To do so, expand the domain tree to locate the FirstLocation OU.
2. Right-click the OU and select Create and Link a GPO Here.
3. Give your policy a name and click OK.

Note: If a GPO already exists and is linked to the OU you need, you don’t need to create a new GPO; you can use the existing one.
4. I already have one named Login Script GPO, so I just need to right-click the existing one and select ‘Edit’.
Add a new drive mapping
5. Expand ‘User Configuration’ – ‘Preferences’
6. Right-click ‘Drive Maps’ – ‘New’ – ‘Mapped Drive’
7. In my example, for ‘Action’, select ‘Replace’ (see the picture below)

8. In the ‘Location’ field, type the UNC path to the accounting shared folder
9. Select ‘Reconnect’ to make sure the drive is persistent
10. Under ‘Drive Letter’, select the letter (in this case the letter I) for the user to use as the mapped network drive
11. Click the ‘Common’ tab

NOTE: In addition to the features listed above, each policy item in GPP supports some general behaviors to help further control how the settings are applied to users and computers.
These are:
• Stop processing items in this extension if an error occurs: prevents further GP processing for a given extension if an error is encountered.
• Run in logged-on user’s security context (user policy option): per-user GPP settings will normally run in the context of the system account unless this option is specified.
• Remove this item when it is no longer applied: Lets you forcibly remove the policy setting when the policy falls out of scope of the user or computer (otherwise the policy setting is left in place).
• Apply once and do not reapply: Normally, preferences apply based on the action you choose (e.g. Create, Delete, Update, and Replace) or in the case of a change to the underlying setting (e.g. the user undoes a setting that has been delivered by GPP). If this option is checked, then the setting is applied once but then never again. This option is useful for making one-time “suggestions” for a given setting that the user can override.
• Item-level targeting: Provides the granular targeting that we have already discussed.

12. Check the box for ‘Run in logged-on user’s security context (user policy option)’
13. Enter a comment in the ‘Description’ field (it is optional)
Target your drives to your user group
14. Check the ‘Item-level targeting’ checkbox, and then click the ‘Targeting…’ button.
15. Click on ‘New Item’, and then select ‘Security Group’
16. Click on the browse button to browse for your security group in your domain. Type ‘Accounting’ in the ‘Enter the object name to select’ field and click ‘OK’.
17. Now in the Targeting Editor screen you should see the domain name\group name of the security group and the SID for the group as shown in the picture below.

18. Click ‘OK’ to close the window.
19. Repeat steps 6 – 18 for the rest of the groups (sales and warehouse) to map drive I: to “\\Test-DC-01\Common\Sales” and “\\Test-DC-01\Common\Warehouse”. Once you are done, you will have the result as shown below.

20. I mapped drives for the rest of the security groups and our final setting is shown below.

And there you have it, all drives have been mapped based on group membership.
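
To check the result outside the console, the added example below (not part of the original post) parses a Drives.xml in the layout GPP writes to the GPO's User\Preferences\Drives folder in SYSVOL, and flags items that share a drive letter but lack a security-group target or the user-context option from step 12. The XML is a constructed sample with placeholder SIDs, and the function name Get-DriveMapAudit is hypothetical.

```powershell
# Constructed sample in the Drives.xml layout used by GPP Drive Maps.
# SIDs are placeholders; the third item is deliberately left untargeted.
[xml]$drives = @'
<Drives>
  <Drive name="I:" userContext="1">
    <Properties action="R" path="\\Test-DC-01\Common\Accounting" letter="I" persistent="1"/>
    <Filters><FilterGroup bool="AND" not="0" name="ALEXTEST\Accounting" sid="S-1-5-21-0-0-0-1001"/></Filters>
  </Drive>
  <Drive name="I:" userContext="1">
    <Properties action="R" path="\\Test-DC-01\Common\Sales" letter="I" persistent="1"/>
    <Filters><FilterGroup bool="AND" not="0" name="ALEXTEST\Sales" sid="S-1-5-21-0-0-0-1002"/></Filters>
  </Drive>
  <Drive name="I:" userContext="0">
    <Properties action="R" path="\\Test-DC-01\Common\Warehouse" letter="I" persistent="1"/>
  </Drive>
</Drives>
'@

function Get-DriveMapAudit {
    param([xml]$Xml)
    # One record per mapped-drive item, with the groups named in item-level targeting.
    $items = foreach ($d in $Xml.Drives.Drive) {
        $groups = @($d.SelectNodes('Filters/FilterGroup') |
                    ForEach-Object { $_.GetAttribute('name') })
        [pscustomobject]@{
            Letter      = $d.Properties.letter
            Path        = $d.Properties.path
            Action      = $d.Properties.action
            UserContext = $d.userContext -eq '1'
            Groups      = $groups -join ', '
            Finding     = ''
        }
    }
    # Items competing for one letter must each be scoped to a security group.
    foreach ($set in $items | Group-Object Letter) {
        foreach ($i in $set.Group) {
            $f = @()
            if (-not $i.Groups -and $set.Count -gt 1) { $f += 'no group targeting on a shared letter' }
            if (-not $i.UserContext) { $f += 'not run in logged-on user context' }
            $i.Finding = $f -join '; '
        }
    }
    $items
}

Get-DriveMapAudit -Xml $drives | Format-Table -AutoSize
```

With the sample above, only the Warehouse item carries findings: without a security-group filter its Replace action would apply to every user the GPO reaches, not just Warehouse members.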

Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.
