Hey all,

I am trying to get a GPO to map a drive for users of a security group using Windows Server 2008 R2 and Windows 7.

I created a share, set the according remote and local permissions, created a global security group, added users to said group, created and linked a new GPO, configured this GPO (User Config - Preferences - Windows Settings - Drive Maps - Add new Mapped Drive) by adding the UNC path, selecting create drive, and choosing the drive letter that I want to be mapped. After this, I added the security group that I made to the security filtering.

For some reason, the drive will not map. I can access everything and map it manually though.

Not really sure what I am doing wrong.

EDIT: gpupdate /force says everything completed successfully.

5 Spice ups

Is the GPO linked to the users container in AD?

What do you get when you run gpresult /r?

1 Spice up

I would run a GPRESULT and check the GPOs that are applying, to be sure it is loading. You may be able to track down the source of the problem from there.

Also, you may need to turn on your Loopback Processing.

Hope that at least gives you somewhere to look.

1 Spice up

What options (if any) have you ticked on the second tab of the drive map? You need to make sure “run this in logged-on users Security Complex” is ticked for it to work.

2 Spice ups

The GPO is linked to the main OU in AD that all of the user accounts are under.

GPRESULT.exe /h also shows the GPO being loaded.

gpresult /r

COMPUTER SETTINGS


CN=ITD-RIDDLEAOLD,OU=Computers,OU=Network,OU=******,DC=,DC=local

Last time Group Policy was applied: 8/11/2015 at 12:46:57 PM

Group Policy was applied from: ******.local

Group Policy slow link threshold: 500 kbps

Domain Name: ****

Domain Type: Windows 2008 or later

Applied Group Policy Objects


Network Policy

The following GPOs were not applied because they were filtered out


Local Group Policy

Filtering: Not Applied (Empty)

The computer is a part of the following security groups


BUILTIN\Administrators

Everyone

BUILTIN\Users

NT AUTHORITY\NETWORK

NT AUTHORITY\Authenticated Users

This Organization

ITD-RIDDLEAOLD$

Domain Computers

System Mandatory Level

USER SETTINGS


CN=,OU=Users,OU=IT,OU=*****,DC=****,DC=local

Last time Group Policy was applied: 8/11/2015 at 12:46:59 PM

Group Policy was applied from: **********.local

Group Policy slow link threshold: 500 kbps

Domain Name: ****

Domain Type: Windows 2008 or later

Applied Group Policy Objects


Drive Map - Grants

The following GPOs were not applied because they were filtered out


Local Group Policy

Filtering: Not Applied (Empty)

The user is a part of the following security groups


Domain Users

Everyone

BUILTIN\Administrators

BUILTIN\Users

NT AUTHORITY\INTERACTIVE

CONSOLE LOGON

NT AUTHORITY\Authenticated Users

This Organization

LOCAL

Grants

IT

High Mandatory Level

I prefer setting the action to ‘Replace’, rather than ‘Create’, especially during testing. That way, if there is already another device using the drive letter (e.g. card reader, manually mapped drive) you will still get the drive mapped.

You might also re-check the directory’s permissions on the server. I set the sharing permissions to ‘Full Control’ for Everyone, then limit the access with the NTFS security permissions. I’m guessing the list of steps you followed is not in order, because I’m not sure how you could set the permissions before creating the group.

I have never had to apply this setting. But then again, I put all my drive mappings in one policy applied to all users, then use Item-Level Targeting to apply each mapping only to the intended group(s).

1 Spice up

Are the important lines - they are not showing as having any content - I’ve seen this a few times, and it is strange when it does happen. The last time it happened with me, I deleted the GPO and made a new one with the same settings, and then (weirdly) it worked… Does the user have permissions on the actual folder that you are trying to map?

1 Spice up

Did you adjust the security filtering (i.e. scope tab) in your group policy? This is usually the first mistake with any policy that seemingly looks good on paper but still does not apply.

1 Spice up

NattNatt makes a good suggestion…recreate the GPO.

But first, maybe try for more detail. Instead of gpresult /r, run gpresult /h c:\somefilename.htm at an admin cmd prompt. Here’s the relevant portion of my report for a similar GPO:

Maybe you just edited out details for brevity…?

1 Spice up

I tried to recreate the GPO, watched it replicate, then did a gpupdate /force. This still didn’t work, and it also caused my server’s CPU to max out at 100% usage (svchost). Once I unlinked the GPO, the high CPU usage stopped… I feel like there is something more to this; I am going to recreate our domain anyways, so hopefully it will be fixed when I do that… I appreciate all the help!

Blindspot:

In the results you posted, it specifically states this:

Drive Map - Grants

The following GPOs were not applied because they were filtered out

Is that the drive map policy? If so, it’s being filtered.

@andrewriddle3

Not to put words in OP’s mouth, but the filtering message applies to what comes after…not before. Run a gpreslut /r yourself and you’ll see.

EDIT: ummmm…maybe you want to run gpresult /r instead…unless your GPOs sleep around a lot…

2 Spice ups

Is the logged-on user an administrator on the computer?

I’ve had issues with mapped drives on Win 7 and higher myself, but drives mapped fine for standard users. We use logon script still for mapped drives though, so it might be a different issue with GPP.

I’d added the following registry key to the computers so that my (statically) mapped drives would be accessible from an admin command prompt. This seems to have gotten my drives mapping again on logon (again via script, not GPP):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]

"EnableLinkedConnections"=dword:00000001

Yes, use replace rather than create in the production environment.

On “item-level targeting,” verify:

  1. The user is a member of the security group DOMAIN\GroupName
  2. On bottom area, the group listed is the same (DOMAIN\GroupName)
  3. The SID is resolved
  4. “Primary Group” is NOT selected
  5. “User in group” IS selected

Also, verify the GPO’s link is enabled

To be honest, IMHO, ‘Update’ is a preferred solution over ‘Create’ or ‘Replace’ for mapped drives.

  • Replace will disconnect the drive and reconnect it.
  • Create will connect to the drive if nothing is there.
  • Update will connect to the drive if nothing is there, but will leave it as-is as long as the mapped drive matches the GPO Preference parameters.

Also, I’ve made a how-to that can step you through it from scratch:

http://community.spiceworks.com/how_to/17039-mapping-drives-with-group-policy-preferences-and-item-level-targeting

3 Spice ups
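The item-level targeting checks listed in the last post, together with the action type and the security-context option raised earlier in the thread, can be read directly from the Drives.xml that the GPO stores in SYSVOL. The PowerShell below is an added example, not code from any poster in this thread; the XML is constructed sample data trimmed to the attributes the script reads, and `EXAMPLE\Grants`, `\\fileserver\grants` and the function name `Test-DriveMapXml` are hypothetical.

```powershell
# Added example: audit a GPP Drives.xml for the settings discussed in this thread.
# Requires PowerShell 3.0 or later. The XML is constructed sample data;
# EXAMPLE\Grants and \\fileserver\grants are placeholders.
$sample = [xml]@'
<Drives>
  <Drive name="G:" status="G:">
    <Properties action="C" path="\\fileserver\grants" persistent="0" useLetter="1" letter="G"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Grants" sid="" userContext="0" primaryGroup="1" localGroup="0"/>
    </Filters>
  </Drive>
</Drives>
'@

function Test-DriveMapXml {
    param([Parameter(Mandatory = $true)][xml]$Xml)
    $actionNames = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    foreach ($drive in $Xml.SelectNodes('/Drives/Drive')) {
        $props    = $drive.SelectSingleNode('Properties')
        $action   = $props.GetAttribute('action')
        $findings = @()
        if ($action -eq 'C') {
            $findings += 'Create only maps when the letter is free; Replace or Update was suggested'
        }
        # Common tab option; a missing attribute is treated as "not ticked"
        if ($drive.GetAttribute('userContext') -ne '1') {
            $findings += 'Common tab: not running in the logged-on user''s security context'
        }
        # Item-level targeting: one FilterGroup element per security-group condition
        foreach ($g in $drive.SelectNodes('Filters/FilterGroup')) {
            $name = $g.GetAttribute('name')
            if (-not $g.GetAttribute('sid')) { $findings += "Targeting group '$name': SID is not resolved" }
            if ($g.GetAttribute('primaryGroup') -eq '1') { $findings += "Targeting group '$name': Primary Group is selected" }
            if ($g.GetAttribute('userContext') -ne '1') { $findings += "Targeting group '$name': User in group is not selected" }
        }
        [pscustomobject]@{
            Letter   = $props.GetAttribute('letter')
            Path     = $props.GetAttribute('path')
            Action   = $actionNames[$action]
            Findings = $findings
        }
    }
}

# Against a live GPO, load the file from SYSVOL instead of $sample, e.g.
#   [xml](Get-Content '\\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\User\Preferences\Drives\Drives.xml')
Test-DriveMapXml -Xml $sample | Format-List
```

For the constructed sample this reports five findings: the Create action, the unticked security-context option, and the three targeting problems (unresolved SID, Primary Group selected, User in group not selected).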