Hi All

I’m having a bit of trouble with a Group Policy Preference and I’m hoping you can help.

I have a GPO that maps network drives based on the security group(s) the user belongs to using item level targeting. (E.G. Drive M: will only map if the user is a member of the “Staff” group.) The GPO is applied to the Users OU, and works perfectly.

I want to be a bit more restrictive and only allow certain drives to map if the user logs onto certain machines. I have added the machines I want to allow to their own security group, “Office_Computers”, and changed the item level targeting rules. (E.G. Drive M will only map if the user is a member of the “Staff” group AND the computer is a member of the “Office_Computers” group.)

Using my test account I have found that the drive still maps even when I log onto a computer NOT in the “Office_Computers” group.

I have tried switching the order of the rules and of course using gpupdate /force and restarting the computer every time I make a change to the GPO.

Is there something I am missing?

Mark

11 Spice ups

You could try a WMI filter to do the same (just another way of doing the same thing) or you could change the security on the GPO so only the specific computers have access to read the GPO

1 Spice up

Did you use the reconnect option? If you already had the drive mapped on that computer,

you can try with “remove if not applied”,

or you go the other way around and do a deny on the other computer groups (I use that on a few GPOs).

1 Spice up

You need to create an OU if you want it that way. This OU must be out of the way of other mappings you don’t want.

1 Spice up

Or use Security Filtering on the GPO to apply it only to those computers in the group.

2 Spice ups

Group Policy Preferences and Item Level Targeting. Configure it to map only if the computer is in the ‘Office_Computers’ group AND if the user is a member of the ‘Staff’ group.

3 Spice ups

I’m trying to avoid WMI filtering as it increases the logon time quite a bit.

Will changing the security settings as you describe work? The only settings in this specific GPO are the preferences for mapping the drives, which are user focused settings.

I already have “Remove if not applied” enabled.

I have tried going the other way around. That doesn’t work either.

Yes, applying security settings to the GPO does work and works well. I used to do it a lot in complicated GPO environments.

One gotcha though, once you remove the “Authenticated Users” from the GPO security filtering, and add in an AD group, you need to re-add the “Authenticated Users” or “Domain Computers” back in to the delegation tab with read permissions. Otherwise, nothing can actually read the GPO to apply it.

https://www.itprotoday.com/strategy/update-kb3163622-breaks-group-policy-it-s-not-me-it-s-you

What type of OU, computer or user?

This is exactly what I’ve already tried, but it doesn’t work.

Not a best practice, but if you really don’t want to try too hard on this using a login script will do it until you decide on a final solution.

You may actually need to enable loopback processing of GPO for this

3 Spice ups

Can you share your query with us? I’ve done this many times, and it works great.

You said earlier you had “remove if not applied”, but was that option checked when you initially created it? If you manually remove the drive, does it come back? If it does, what does gpresult.exe show on the client computer? It should give you a good idea of why that policy is still applying. Use the /h flag to output to an HTML file.

1 Spice up

If you use a computer OU instead of a computer group, it does work pretty fine, and it’s easier to manage.

If this is a user setting instead of a computer setting you will have to:

  • Move those machines to a different OU. A sub OU works fine, so you don’t have to apply any existing GPOs again.

  • Enable “GPO Loopback processing” in merge mode. This allows you to use user settings as if they were computer settings.

  • Apply your drive mappings to the OU, removing the “Apply” permission from Authenticated users in the security delegation tab (you must have “Read”) and then adding your user group with both “Read” and “Apply” permissions.
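The sub-OU plus loopback plus security-filtering procedure in the three steps above, together with the earlier reminder that “Authenticated Users” must keep Read on the GPO after you tighten security filtering, written out as an added PowerShell example. This is not code from any poster in this thread. It assumes a management host with the ActiveDirectory and GroupPolicy modules, and placeholder names for the domain DN, the parent OU and the GPO; only the “Staff” and “Office_Computers” group names come from the thread.

```powershell
# Added example, not from the thread. Assumptions: domain DN, parent OU and GPO
# name below are placeholders; "Staff" and "Office_Computers" are the thread's groups.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN      = 'DC=example,DC=local'            # assumption: your domain DN
$ParentOU      = "OU=Computers,$DomainDN"         # assumption: OU the machines live in today
$SubOUName     = 'Office_Computers'               # new sub-OU for the restricted machines
$GpoName       = 'Drive Mappings - Office'        # assumption: GPO holding the drive preferences
$UserGroup     = 'Staff'                          # user group from the thread
$ComputerGroup = 'Office_Computers'               # computer group from the thread

# Step 1: create the sub-OU (a child OU inherits the parent's links, so existing
# GPOs need no re-linking) and move the group's computers into it.
$SubOU = "OU=$SubOUName,$ParentOU"
$existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$SubOUName)" `
                -SearchBase $ParentOU -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $SubOUName -Path $ParentOU
}
Get-ADGroupMember -Identity $ComputerGroup |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath $SubOU }

# Step 2: link the GPO to the sub-OU and turn on loopback processing in merge mode.
# UserPolicyMode 1 = Merge, 2 = Replace. With loopback on, the user settings in GPOs
# linked to the computer's OU apply to whoever logs on to those computers.
New-GPLink -Name $GpoName -Target $SubOU -LinkEnabled Yes
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 1

# Step 3: security filtering. Drop "Apply" for Authenticated Users but keep "Read"
# (-Replace resets the entry to exactly GpoRead). Since MS16-072 the computer
# account reads the GPO, so losing Read here silently stops the policy applying.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace
# Then give the user group Read + Apply, so only Staff members on these machines
# receive the mappings.
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply

# Check the resulting delegation before testing on a client.
Get-GPPermission -Name $GpoName -All |
    Select-Object Trustee, Permission |
    Format-Table -AutoSize

# On a client in the sub-OU, the diagnostic suggested earlier in the thread:
#   gpupdate /force
#   gpresult /h C:\Temp\gpresult.html
# The report's "Applied GPOs" and "Denied GPOs" sections show which link and
# which filter decided the outcome.
```

Two caveats a practitioner will hit with this layout: if the same GPO stays linked to the Users OU, the mappings still apply from that link regardless of the computer, so unlink it there once the sub-OU link is in place; and New-GPLink errors if the link already exists, so on a re-run check Get-GPInheritance for the sub-OU first.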

This will work, but it really is overkill for what OP is trying to do.

ILT is made for exact situations like this, so I’m hoping he will post his query so we can see what is going on.

GPO loopBACK processing

For those wanting to see the ILT query…

CremoAcanthis - I have tried basing the query on the computer OU. That doesn’t work either.