How to map network share using group policy based on AD group? - SOLVED

mkoskenk
What I'd like to do here is to map certain network shares based on whether user is a member of certain AD group. On Group policy management editor there is a setting in "User Configuration\Preferences\Windows Settings\Drive Maps" to drive maps. However, even though the group policy is applied the network share is not connected.

The above setting is available only when checking from GP editor on Server 2008R2, but not when checking from Server 2003. We have mixed environment of 2k3's and 2k8R2's. Our primary DC is 2k8R2 and secondary DC is 2k3. Domain functional level is Server 2003. Does this restrict the usage of this certain GP setting?

If not, here's an explanation of what I have done so far:

I've created the AD security groups and assigned people in them.

I've created the group policy object and created new drive map in User Configuration\Preferences\Windows Settings\Drive Maps. I have used the following settings:
Action: Create (I've tried also replace and update with no luck)
Location: \\server\share
Reconnect: Not checked
Label as: Share name
Drive letter: Use: G
Connect as: Not defined
Hide/Show this drive: Show this drive
Hide/Show all drives: No change (tried also Show all drives)

In common tab I checked the Item level targeting and in Targeting Editor window gave the condition: The user is member of the security group OU-NAME\Share-name. In details the radio button is in "User in group" selection and Primary group is unchecked.

I tried removing the item level targeting so the GP should be applied regardless of the AD security group the user is in, but this didn't help either.

I have also tried connecting to the network share as well as mapping it manually with the user I'm trying to create the AD map for and both of these work all right.

I have also tried shouting at the computer but that only made the person I share the office with scared :) Any other ideas are welcome...
  • +
    0 Votes
    . Avi

    for some reason it blocks comments if they contain urls
    Hey,
    GPP (group policy preferences) will work as long as you have one machine you can view/add/edit GPPs from, so no problem there.

    The machines (XP, Vista and 2003) need to have the following patches to "understand" GPP:
    XMLLite - KB915865
    CSE (Client Side Extensions for GPP) -
    KB943729
    KB974266

    Then you need to make sure you're applying the GPP correctly, the GPO that holds the GPP needs to be linked to an OU that holds users (in your case) or to a parent OU that isn't "Block Inheritance"d by the child OUs

    then perform re-login for user GPP or restart for machine GPP
    after that view in event viewer for any error or warning related to GPP processing:
    url removed search google for "group policy event id" it will lead you to a technet article

    you can also output group policy report from those machines by doing:
    XP and 2003 - gpresult /z > gpresult.log
    7 - gpresult /h gp.htm

    as for drive mapping in particular, you should check the "process as user" check box (don't remember exact phrase).

    Let me know how that worked out for you, good luck

    +
    0 Votes
    HAL 9000 Moderator

    That is to prevent Spammers from plying their trade and filling the site with junk.

    You can not post URL's or things like tiny URL so what I do is post the URL with a space between the Domain Name and the .com bit and tell the Poster to remove the space.

    Col

    +
    0 Votes
    mkoskenk

    Hi Avi and thanks for the detailed answer. However the problem still remains. The gpresult shows that the GPO is applied correctly, but the network drive is still not mapped. It doesn't show up in command prompt with "net use" command either. The event viewer doesn't show up any errors or warnings (none related to this issue, that is :)). I believe there is something in the actual preference itself than the whole GPO object, as the GPO is applied but the drive maps do not work, even if I disable the item level targeting.

    I checked the "Run in logged-on user's security context", I believe this is the option that you meant (and going through the help file it was actually recommended to have this checked especially for drive maps), but this didn't help either. I'm testing this on Win7 so installing the patches shouldn't be required.

    +
    0 Votes
    . Avi

    Does it show this preference as being applied?
    Also, in that report you have a section called "component status"
    Are all components succeeded to initialize?
    Can you attach the report?

    +
    0 Votes
    mkoskenk

    Hi Avi, here are some extracts from the report:

    Group Policy Objects
    Applied GPOs
    Drive Mapping

    Component status
    Group policy drive maps: Success

    Preferences

    Action: Replace
    Letter: P
    Location: \\servername\shared\wiki
    Reconnect: Disabled
    Label as: Wiki
    Use first available: Disabled
    Hide/Show this drive: Show
    Hide/Show all drives: No change

    +
    0 Votes
    . Avi

    Seems like it's successful, if it's not, there has to be event logged,
    the events are logged under:
    Application and Services logs \ Microsoft \ Windows \ GroupPolicy \ Operational
    also there is a much more verbose logging option, read about it here:
    http://www.windows7library .com/blog/problems/troubleshooting-group-policy/
    http://social.technet.microsoft .com/Forums/en-US/winserverGP/thread/66be60b9-aa02-40f7-94b6-90f09c4d229a/

    (remove the space before .com in the links)

    +
    0 Votes
    mkoskenk

    For all I can tell, the policy is successful and checking the GPP log, it shows also successful mapping! For more info about this, please read the thread I've opened at Microsoft's Technet: http://social.technet.microsoft .com/Forums/en-US/winserverGP/thread/8bdf1811-b36c-48b9-bd8d-56fb3ca3199d (remove the space before the .com)

    I tried changing the logging level with the instructions at the page you gave the link for, but unfortunately the registry entry GPEditDebugLevel is not there (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPEditDebugLevel). Should I tweak something to display this key?

    +
    0 Votes
    mkoskenk

    Issue has been solved now. As usual, the solution was both stupid and obvious but easy to overlook. The reason I was investigating the network drive mapping with GPO's in the first place was to get rid of doing it via logon script that sometimes failed. So, I still had the script in place while I was testing the GPO. Now, what was the first thing the logon script did? That's right, it deleted the existing drive mappings to prevent any conflicts. So, apparently GPO processing took place before the logon script and the GPO drive mapping worked all the way but then the mapping was whacked by the logon script! Item level targeting works as well, so all that's left is to create the GPP's for all required shares. MAN that sounds sweet :)

    Thanks for everyone involved anyway, picked up few things along the way :)
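
The conflict described in the post above, as an added example that is not part of the original thread: a PowerShell check that flags lines in a legacy logon script which delete drive mappings that GPP drive maps are meant to create. The script content, the function name `Find-DriveMapRemoval` and the drive-letter list are constructed for illustration.

```powershell
# Added example; every value below is constructed for illustration.
# Drive letters the GPP drive maps create (G and P appear in the thread).
$gppDriveLetters = 'G', 'P'

# Constructed stand-in for a legacy logon script. For a real script, load it
# with Get-Content from wherever the logon script is stored.
$logonScript = @'
@echo off
rem clear old mappings to prevent conflicts
net use * /delete /y
net use H: \\server\home
net use p: /del
'@ -split "`r?`n"

function Find-DriveMapRemoval {
    param(
        [string[]]$ScriptLines,
        [string[]]$DriveLetters
    )
    # "net use <letter>: /delete" or "net use * /delete" (also "/del").
    # Lines starting with "rem" are comments and do not match.
    $pattern = '^\s*@?net\s+use\s+(?<target>\*|[a-z]:)\s.*?/del(ete)?\b'
    for ($i = 0; $i -lt $ScriptLines.Count; $i++) {
        if ($ScriptLines[$i] -match $pattern) {
            $target = $Matches['target'].TrimEnd(':').ToUpper()
            # "*" removes every mapping, so it undoes any GPP-created drive.
            if ($target -eq '*') {
                $hit = $DriveLetters
            } else {
                $hit = @($DriveLetters | Where-Object { $_ -eq $target })
            }
            if ($hit.Count -gt 0) {
                [pscustomobject]@{
                    Line    = $i + 1
                    Command = $ScriptLines[$i].Trim()
                    Undoes  = ($hit | ForEach-Object { "${_}:" }) -join ', '
                }
            }
        }
    }
}

Find-DriveMapRemoval -ScriptLines $logonScript -DriveLetters $gppDriveLetters |
    Format-Table -AutoSize
```

Any line it reports is a candidate for removal from the logon script before relying on the GPP drive maps alone.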

    +
    0 Votes
    paul.logan

    I am using GPO to map drives for my users. Works great.
    I have user directories grouped by year and use \\server_name\students\2015\%username% to map their home directory. In the Label as I have used Personal File and %username% which both work. I would like to use the user's CN in this line so it displays their full name. What would the variable be to allow it to pull it from AD? I need it more for k-4 students so they can find their files easily.
