How to map network share using group policy based on AD group? - SOLVED

By mkoskenk
What I'd like to do here is to map certain network shares based on whether the user is a member of a certain AD group. In the Group Policy Management Editor there is a setting in "User Configuration\Preferences\Windows Settings\Drive Maps" for drive maps. However, even though the group policy is applied, the network share is not connected.

The above setting is available only when checking from GP editor on Server 2008R2, but not when checking from Server 2003. We have a mixed environment of 2k3's and 2k8R2's. Our primary DC is 2k8R2 and secondary DC is 2k3. Domain functional level is Server 2003. Does this restrict the usage of this certain GP setting?

If not, here's an explanation of what I have done so far:

I've created the AD security groups and assigned people in them.

I've created the group policy object and created new drive map in User Configuration\Preferences\Windows Settings\Drive Maps. I have used the following settings:
Action: Create (I've tried also replace and update with no luck)
Location: \\server\share
Reconnect: Not checked
Label as: Share name
Drive letter: Use: G
Connect as: Not defined
Hide/Show this drive: Show this drive
Hide/Show all drives: No change (tried also Show all drives)

In common tab I checked the Item level targeting and in Targeting Editor window gave the condition: The user is member of the security group OU-NAME\Share-name. In details the radio button is in "User in group" selection and Primary group is unchecked.

I tried removing the item level targeting so the GP should be applied regardless of the AD security group the user is in, but this didn't help either.

I have also tried connecting to the network share as well as mapping it manually with the user I'm trying to create the AD map for and both of these work all right.

I have also tried shouting at the computer but that only made the person I share the office with scared :) Any other ideas are welcome...

All Answers

Comment without urls

by . Avi In reply to How to map network share ...

for some reason it blocks comments if they contain urls
GPP (group policy preferences) will work as long as you have one machine you can view/add/edit GPPs from, so no problem there.

The machines (XP, Vista and 2003) need to have the following patches to "understand" GPP:
XMLLite - KB915865
CSE (Client Side Extensions for GPP) -

Then you need to make sure you're applying the GPP correctly: the GPO that holds the GPP needs to be linked to an OU that holds users (in your case) or to a parent OU that isn't "Block Inheritance"d by the child OUs

then perform re-login for user GPP or restart for machine GPP
after that view in event viewer for any error or warning related to GPP processing:
url removed search google for "group policy event id" it will lead you to a technet article

you can also output group policy report from those machines by doing:
XP and 2003 - gpresult /z > gpresult.log
7 - gpresult /h gp.htm

as for drive mapping in particular, you should check the "process as user" check box (don't remember exact phrase).

Let me know how that worked out for you, good luck

Response To Answer

by HAL 9000 Moderator In reply to Comment without urls

That is to prevent Spammers from plying their trade and filling the site with junk.

You cannot post URLs or things like tiny URL, so what I do is post the URL with a space between the Domain Name and the .com bit and tell the Poster to remove the space.

GPO is applied, no drives mapped

by mkoskenk In reply to How to map network share ...

Hi Avi and thanks for the detailed answer. However the problem still remains. The gpresult shows that the GPO is applied correctly, but the network drive is still not mapped. It doesn't show up in command prompt with "net use" command either. The event viewer doesn't show up any errors or warnings (none related to this issue, that is :)). I believe there is something in the actual preference itself than the whole GPO object, as the GPO is applied but the drive maps do not work, even if I disable the item level targeting.

I checked the "Run in logged-on user's security context" option; I believe this is the option that you meant (and going through the help file it was actually recommended to have this checked especially for drive maps), but this didn't help either. I'm testing this on Win7 so installing the patches shouldn't be required.

In the gpresult report

by . Avi In reply to How to map network share ...

Does it show this preference as being applied?
Also, in that report you have a section called "component status"
Are all components succeeded to initialize?
Can you attach the report?

Extracts from the report

by mkoskenk In reply to How to map network share ...

Hi Avi, here are some extracts from the report:

Group Policy Objects
Applied GPOs
Drive Mapping

Component status
Group policy drive maps: Success


Action: Replace
Letter: P
Location: \\servername\shared\wiki
Reconnect: Disabled
Label as: Wiki
Use first available: Disabled
Hide/Show this drive: Show
Hide/Show all drives: No change

Response To Answer

by . Avi In reply to Extracts from the report

Seems like it's successful, if it's not, there has to be event logged,
the events are logged under:
Application and Services logs \ Microsoft \ Windows \ GroupPolicy \ Operational
also there is a much verbose logging option, read about it here:
http://www.windows7library .com/blog/problems/troubleshooting-group-policy/ .com/Forums/en-US/winserverGP/thread/66be60b9-aa02-40f7-94b6-90f09c4d229a/

(remove the space before .com in the links)

About logging

by mkoskenk In reply to How to map network share ...

For all I can tell, the policy is successful and checking the GPP log, it shows also successful mapping! For more info about this, please read the thread I've opened at Microsoft's Technet: .com/Forums/en-US/winserverGP/thread/8bdf1811-b36c-48b9-bd8d-56fb3ca3199d (remove the space before the .com)

I tried changing the logging level with the instructions at the page you gave the link for, but unfortunately the registry entry GPEditDebugLevel is not there (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPEditDebugLevel). Should I tweak something to display this key?

Issue solved!

by mkoskenk In reply to How to map network share ...

Issue has been solved now. As usual, the solution was both stupid and obvious but easy to overlook. The reason I was investigating the network drive mapping with GPO's in the first place was to get rid of doing it via logon script that sometimes failed. So, I still had the script in place while I was testing the GPO. Now, what was the first thing the logon script did? That's right, it deleted the existing drive mappings to prevent any conflicts. So, apparently GPO processing took place before the logon script and the GPO drive mapping worked all the way but then the mapping was whacked by the logon script! Item level targeting works as well, so all that's left is to create the GPP's for all required shares. MAN that sounds sweet :)

Thanks for everyone involved anyway, picked up few things along the way :)
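
The conflict described in the post above (a logon script deleting mappings after the GPP drive map has already been applied) can be checked for before rollout. The PowerShell below is an added example, not part of the original thread: the sample logon script lines and the function name `Find-DriveMapConflict` are constructed for illustration, and the drive letters G and P are the ones mentioned in the thread.

```powershell
# Constructed sample: lines of a legacy logon script (not taken from the thread).
$logonScript = @'
@echo off
rem clear old mappings to prevent conflicts
net use * /delete /y
net use H: \\server\home\%username%
net use G: /d
'@ -split "`r?`n"

# Drive letters delivered by GPP drive maps (G and P appear in the thread).
$gppLetters = 'G', 'P'

function Find-DriveMapConflict {
    param(
        [string[]]$ScriptLines,   # text of the logon script, one line per element
        [string[]]$GppLetters     # letters assigned by Group Policy Preferences
    )
    $patterns = @(
        # Batch: net use <letter>: or * followed by /d, /del or /delete
        '^\s*net\s+use\s+(?<target>\*|[a-z]:)\s+.*?/d(el(ete)?)?\b',
        # VBScript: WshNetwork.RemoveNetworkDrive "X:"
        'RemoveNetworkDrive\s*\(?\s*"(?<target>[a-z]:)"'
    )
    for ($i = 0; $i -lt $ScriptLines.Count; $i++) {
        foreach ($p in $patterns) {
            if ($ScriptLines[$i] -match $p) {
                $target = $Matches['target'].TrimEnd(':').ToUpper()
                # A wildcard removes every mapping; a letter only hits that drive.
                $hit = if ($target -eq '*') { $GppLetters }
                       else { @($GppLetters | Where-Object { $_ -eq $target }) }
                if ($hit) {
                    [pscustomobject]@{
                        Line              = $i + 1
                        Command           = $ScriptLines[$i].Trim()
                        AffectedGppDrives = $hit -join ','
                    }
                }
                break   # one report per script line is enough
            }
        }
    }
}

Find-DriveMapConflict -ScriptLines $logonScript -GppLetters $gppLetters |
    Format-Table -AutoSize
```

To check a real script, pass `Get-Content` of the logon script file as `-ScriptLines` and the letters from the GPO's Drive Maps items as `-GppLetters`.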

what is the variable to use CN from AD when mapping user home with GPO

by paul.logan In reply to How to map network share ...

I am using GPO to map drives for my users. Works great.
I have user directories grouped by year and use \\server_name\students\2015\%username% to map their home directory. In the Label as I have used Personal File and %username% which both work. I would like to use the user's CN in this line so it displays their full name. What would the variable be to allow it to pull it from AD? I need it more for k-4 students so they can find their files easily.
