Using group policy to map network drives.
Yesterday we had a brief introduction to what Group Policy is and what it can do for you. Today we are going to actually make it do our work for us. Back in the day if you had to map a drive on several machines you did it via the Autoexec.bat or as a login script from your domain controller.
Now I will show you how you can add a map network drive to a computers on your network depending on what OU they are in. An OU is an Organizational Unit in your Active Directory or simply put a container to hold similar stuff.
Why do we put things into OU’s? To make our lives as Admin’s that much easier.
By grouping all of your Accounting users into one OU you can then assign a Group Policy to that OU. Now if there are 5000 people in one department or 5 it is the same amount of work to add a mapped drive (or any of the other GP tasks we will do) to there machines. You can nest OU’s in OU’s like seen above here with the Accounting OU. It holds an AR and an AP department. You can apply policies to all three OU’s at once or individually. You control how GP trickles down like permissions.
By having OU’s and group policy on your network users can have their mapped drives and other resources no matter where they are logging into on your domain.
Are you frightened? Don’t be this is pretty simple! Log into your AD machine and open up your Active Directory Users and Computers Console. It is located in the control panel under administrative tools.
Get in there right click on your OU choose properties and then the group policy tab. Depending on how your AD machine is set up you might have to click on a a button that says open Group Policy Management.
Once you are there you can create and link your Group Policy by right clicking on the OU like seen here.
You will be prompted for a name for this policy
Go ahead and name her anything you want. But try to be descriptive so when you have 300 policies later on you can differentiate!
Now you see your policy appear on the right… Simply right click and edit it.
Navigate down to The User Configuration folder and choose Windows Settings and then Scripts and finally Log-on. Hit the add button. Now you will need to point your GP to a script to run. Create a .bat file with the following line in it. Obviously changing the drive letter and the share name to your own.
net use i: \\AskheAdmin\newaccounting$
Save this file to your domain name under the SysVol folder and into the Scripts folder.
So if your domain name is AskTheAdmin.com it would go into
\SYSVOL\ASKTHEADMIN\SCRIPTS\
Save it as logon.bat and simply type logon.bat in the box below:
Hit OK and OK again. Make sure to close out of any open Group Policy windows. Then log the user into any Domain machine and watch the drive mount for you. Of course if the user does not have the proper rights to the drive you specified it won’t work!
If you want to do this to a machine that is not on AD stay tuned for more in our GP series.
_TheGroupThisAdmiN_
June 18, 2008 - 8:11 am
Mapping drives got a whole lot easier with the release of Group Policy Preferences. I would definitely recommend using that over logon scripts these days
Click to Reply to This Comment.
June 18, 2008 - 8:30 am
Care to tell us a little bit more about it Darren?
Click to Reply to This Comment.
June 18, 2008 - 8:33 am
This is a new feature in Windows 2008 and does not work in earlier versions. Is anyone using 2008 yet?
Click to Reply to This Comment.
June 18, 2008 - 8:36 am
Although you don’t have to install any services to create GPOs (Group Policy Objects) that contain Group Policy Preferences, you must deploy the Group Policy Preferences client-side extension (CSE) to any client computer to which you want to deploy these preferences. The CSE will be available as a separate download from Microsoft and will support the following Windows versions:
* Windows XP with SP2
* Windows Vista
* Windows Server 2003 with SP1
* Windows Server 2008 already includes the CSE.
http://tinyurl.com/3pqj3x “>http://tinyurl.com/3pqj3x
It looks like it can work on 2003. What are the benefits?
Click to Reply to This Comment.
June 18, 2008 - 8:36 am
Although you don’t have to install any services to create GPOs (Group Policy Objects) that contain Group Policy Preferences, you must deploy the Group Policy Preferences client-side extension (CSE) to any client computer to which you want to deploy these preferences. The CSE will be available as a separate download from Microsoft and will support the following Windows versions:
* Windows XP with SP2
* Windows Vista
* Windows Server 2003 with SP1
* Windows Server 2008 already includes the CSE.
http://tinyurl.com/3pqj3x “>http://tinyurl.com/3pqj3x
It looks like it can work on 2003. What are the benefits?
Click to Reply to This Comment.
June 18, 2008 - 8:42 am
Right. Group Policy Preferences is technology Microsoft acquired when it bought DesktopStandard. It used to be called PolicyMaker. It is a set of new Client Side Extensions that extend the things you can do with Group Policy. The CSEs are available on the MS download site and do support all versions of Windows after Win2K. You do not need Server 2008 running in your environment to use them, however, you do need at least one workstation running Vista, SP1 with the RSAT tools in order to configure GP Preferences settings, because only that newer version has the GP Editor version that contains the GP Preference options. In terms of what GP Preferences provide, the list is long. You can, as I've mentioned, easily map drives using it, without writing scripts. You can set power options for XP, do basic USB device restrictions, modify local account passwords, set group memberships, modify registry values without having to create custom ADMs, and the list goes on. If you go to download.microsoft.com and search on "Group Policy Preferences" there is a good overview document out there.
Click to Reply to This Comment.
June 18, 2008 - 8:52 am
Thanks for clearing that up for us! This is something I need to look into further.
Click to Reply to This Comment.
June 18, 2008 - 11:04 am
Just what I was looking for
Click to Reply to This Comment.
September 22, 2008 - 10:27 am
“Back in the day if you had to map a drive on several machines you did it via the Autoexec.bat or as a login script from your domain controller.”
This method still requires a logon script. in fact, it would require one script for each group you wanted, essentially making the same as the old method.
Or am I missing something entirely?
Click to Reply to This Comment.
November 27, 2008 - 6:06 am
Group policy preferences that were mentioned above can only use item level targeting so you can’t apply targeting at the gpo level.
For example, if you want to filter all items within a group policy by users in a selected AD group, you have to set targeting manually on every item within that group policy.
I can recommend taking a look at http://www.logonscriptreplacement.com where you can find a desktop management solution called desktop authority.
With special technology called “validation logic” it can easily apply settings on profile level and all included items within the profile automatically.
In our company this way we not only map printers and drives but also configure outlook settings, deploy software, updates and patches.
Click to Reply to This Comment.
Karl L. Gechlik | AskTheAdmin.com Reply:
November 27th, 2008 at 6:09 am
Thanks Patrick – I would love to see a write up on it… Any interest?
Click to Reply to This Comment.