Group Policy preferences is a feature that was included with Server 2008 and has been a part of Windows Server ever since. In this blog post, we will look at how to map drives through Group Policy preferences and item-level targeting. The advantage of using Group Policy preferences is that you can target these drive maps to groups, for example, which means that only members of certain group(s) will get these drives mapped to a drive letter. You accomplish this by using item-level targeting.
Back in the day, before GP preferences, if you wanted to map drives based on group membership, you had to use logon scripts. With Server 2008 and newer, this has changed. Now you can map drives through preference items, which can also apply to XP users if you install GPO preferences extensions on the XP machines. But really, you should have migrated away from Windows XP by now. So let’s just concentrate on the most prevalent combination of server/client operating systems today, Server 2008 R2 and Windows 7.
1. CRUD – Create, Replace, Update, Delete
There are four types of actions that can be associated with a Group Policy preference item; these define how the preference item will be implemented. There are also different colors and icons associated with these four action types. So if you see a red triangle on your preference item, don’t be alarmed, it’s completely normal. 🙂
Create – If a drive mapping does not already exist, it is created. If it already exists, nothing occurs.
Replace – If a drive mapping does not already exist, it is created. If it already exists, it is replaced with the one you have defined in your preference item (settings are also replaced).
Update – If a drive mapping does not already exist, it is created. If it already exists, its conflicting settings will be replaced with the ones you have defined in your preference item. If there are non-conflicting settings, they will be kept.
Delete – If a drive mapping exists on the specified drive letter, remove it.
CRUD can only be applied to preference items that can be created or deleted on the client machine/user account, such as Drive Maps or Local Users and Groups items. You cannot apply CRUD to Folder Options or Power Options, for example.
Help Text for CRUD in Windows Help and Support for Server 2008 R2
2. Creating Drive Maps through GP preferences
Drive Maps is a user setting, so you will find it in the User Configuration portion of a GPO. The complete path to the setting is as follows:
User Configuration → Preferences → Windows Settings → Drive Maps
2.1 Right Click Drive Maps → New → Mapped Drive
2.2 The New Drive Properties appear
Action – Choose among Create, Replace, Update or Delete
Location – The location of the network share, this field accepts preference processing variables. Press F3 to display the list of available variables. To modify the settings of an existing drive mapping (identified by drive letter), leave this field blank.
Reconnect – Equivalent to mapping a drive using the /PERSISTENT attribute.
Label as – Provide a descriptive label that will appear next to the drive letter.
Connect as – The drive map will use these credentials instead of the logged on user’s when you connect to it.
Hide/Show this drive – Choose to hide or show the drive in Windows Explorer.
2.3 Fill in the fields as you see appropriate, and then click on the Common tab
2.4 Choose Item-level targeting, and then click on Targeting
2.5 Click on New Item and select Security Group
2.6 Browse for the group whose members you want to map this drive for. If you like, you can browse for more than one group. In this screenshot, the drive will only be mapped if the user is a member of both the Sales AND the Data group; otherwise it will not.
2.7 By clicking Item options, you can change the AND to OR if you like
2.8 Now the drive will be mapped if the user is either a member of Sales OR Data
2.9 Click OK twice, and you are done.
2.10 You don’t have to use groups for item-level targeting. As you saw in step 2.5, you can select from a whole slew of items, even computers or OUs. If you would like certain users to receive a drive map every time they log on to a specific computer, you can define it here instead of using Group Policy loopback processing.
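To review what the steps above produce, the following PowerShell script (an added example, not from the original post) reads a drive-map preference file and lists each item's CRUD action, its item-level targeting, and whether a Connect as password was saved in it, which matters because SYSVOL is readable by every domain user. The sample XML, server and group names are constructed, the function name Get-DriveMapSummary is hypothetical, and PowerShell 3.0 or later is assumed.

```powershell
# Constructed sample, trimmed to the attributes read below. A real file lives at
# \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\User\Preferences\Drives\Drives.xml
$sample = @'
<Drives>
  <Drive name="S:">
    <Properties action="U" path="\\fs01.example.test\sales" label="Sales" letter="S" userName="" cpassword=""/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="EXAMPLE\Sales"/>
      <FilterGroup bool="OR" not="0" name="EXAMPLE\Data"/>
    </Filters>
  </Drive>
  <Drive name="T:">
    <Properties action="R" path="\\fs01.example.test\tools" label="Tools" letter="T" userName="EXAMPLE\svc-map" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </Drive>
</Drives>
'@

# Hypothetical helper: one summary object per mapped-drive preference item.
function Get-DriveMapSummary {
    param([Parameter(Mandatory = $true)][xml]$DrivesXml)
    $actions = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }
    foreach ($drive in $DrivesXml.SelectNodes('/Drives/Drive')) {
        $p = $drive.SelectSingleNode('Properties')
        # Each targeting item carries the AND/OR that joins it to the item before it.
        # Only top-level items are listed; nested collections are not expanded.
        $terms = @()
        foreach ($f in $drive.SelectNodes('Filters/*')) {
            $term = '{0} "{1}"' -f ($f.LocalName -replace '^Filter', ''), $f.GetAttribute('name')
            if ($f.GetAttribute('not') -eq '1') { $term = "NOT $term" }
            if ($terms.Count -gt 0) { $term = '{0} {1}' -f $f.GetAttribute('bool'), $term }
            $terms += $term
        }
        [pscustomobject]@{
            Letter    = $p.GetAttribute('letter')
            Action    = $actions[$p.GetAttribute('action')]
            Path      = $p.GetAttribute('path')
            Targeting = if ($terms.Count) { $terms -join ' ' } else { '(none)' }
            ConnectAs = $p.GetAttribute('userName')
            # True when a Connect as password was saved into the item.
            StoredPassword = [bool]$p.GetAttribute('cpassword')
        }
    }
}

Get-DriveMapSummary -DrivesXml $sample | Format-Table -AutoSize
```

To check a real GPO, pass `[xml](Get-Content <path to Drives.xml>)` instead of `$sample`. An item with no targeting applies to every user in the GPO's scope, and any item reporting StoredPassword as True should have its Connect as fields cleared.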