Create GPO Map drive over Windows PowerShell Script

    Question

  • Hi,

    I'm using a PowerShell script running on the Active Directory, in order to map a drive to a security group when a new security group is added to the Active Directory.

    I've noticed that when I create a group policy which maps drives, it creates an .xml file in this path:

    "\\test.local\SYSVOL\test.local\Policies\{<SSID of the GPO>}\User\Preferences\Drives\Drives.xml"

    Here is an example when the GPO is created manually :

    <?xml version="1.0" encoding="utf-8"?>
    <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">

    <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="U:" status="U:" image="2" changed="2016-04-26 12:48:12" uid="{84C18D69-0123-4C9E-B940-B68D535189AD}" bypassErrors="1">

    <Properties action="U" thisDrive="SHOW" allDrives="HIDE" userName="" path="\\test.local\Qloudwise\Entity2\Common\Share" label="Entity2" persistent="1" useLetter="1" letter="U"/>

    <Filters>

    <FilterGroup bool="AND" not="0" name="LOCAL\Entity2" sid="S-1-5-21-1769619743-4051896648-2154897795-1156" userContext="1" primaryGroup="0" localGroup="0"/>

    </Filters>

    </Drive>
    </Drives>

    I have written a PS script that can create such an XML file :

    <?xml version="1.0" encoding="utf-8" ?>
    <Drives clsid="{91A7A098-B78F-44BE-BEEB-05632A68C485}">
      <Drive clsid="{7F59AE92-E551-4DFF-9982-7AE1D9DC4F0E}" name="U:" status="U:" image="2" changed="2016-05-11 12:32:14" uid="{963235BA-FC36-4E83-9256-39391DF1E848}" bypassErrors="1">
        <Properties action="U" thisDrive="SHOW" allDrives="HIDE" userName="" path="\\test.local\Qloudwise\lol\Common\Share" label="lol" persistent="1" useLetter="1" letter="U" />
        <Filters>
          <FilterGroup bool="AND" not="0" name="LOCAL\lol" sid="S-1-5-21-1769619743-4051896648-2154897795-1195" userContext="1" primaryGroup="0" localGroup="0" />
        </Filters>
      </Drive>
    </Drives>

    The problem is that the XML file is not recognized (when I go to the group policy and edit it manually, the category "User Settings\Preferences\Windows Settings\Drive Maps" has disappeared): it seems that my XML file is not correct.

    The only doubt I have is regarding the bold IDs. In the PS script I use the function "(New-Guid).Guid.ToUpper()" in order to generate unique IDs. The problem is that I don't know where these bold IDs are coming from; maybe they are written somewhere else?

    Or maybe the mistake comes from something else?

    Note: all paths, User, Users SSID are correct and exist in the Active Directory.

    Thanks for your answer

    Thursday, May 12, 2016 12:30 PM

All replies

  • So it seems that the clsid should not be generated randomly... Where does the clsid value come from?
    Thursday, May 12, 2016 12:32 PM
  • > <Drives clsid="{*8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C*}">
    > <Drive clsid="{*935D1B74-9CB8-4e3c-9914-7DD559B7A417*}" name="U:"
     
    Those two clsids are static - they belong to "Drives" and "Drive".
     
    > uid="{*84C18D69-0123-4C9E-B940-B68D535189AD*}" bypassErrors="1">
     
    This one is a random one which identifies the drive mapping item.
     
    > I have written a PS script that can create such an XML file :
     
    You should extend your script to add the Drive mapping CSE and SnapIn
    GUID to gPCUserExtensionNames for your GPO in question :-)
     
    If google translates well enough:
     
    The GUID pair you need to add should be
    [{5794DAFD-BE60-433f-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]
    (Drive Maps CSE and GPO_Drives SnapIn Extension)
     
    And don't forget to increase the user version number both in AD and in
    gpt.ini (the Version attribute is a 32 Bit dword where the upper 16 Bits
    designate the user version, the lower 16 bits are the computer version.
    Odd, but true :-))
     
    > group policy and edit it manually, the category "User
    > Settings\Preferences\Windows Settings\Drive Maps" has disappeared)
     
    Yes because GPEdit does not know about the file - it will only look for
    it if you edit as above.
     
     
    Thursday, May 12, 2016 1:44 PM
  • Thank you for your answer,

    I didn't expect to have an answer so fast. I have investigated on my own and I have found - as you say - that the 2 clsid are always the same.

    So I have updated my PS script, and now I can see that the category "User Settings\Preferences\Windows Settings\Drive Maps" is appearing in the GPO editor. There is still a problem in the group policy management console: when I select the group policy, no settings appear on the main pane ("No settings defined" for user and computer). But after going manually to the GPO, editing it, opening the map drive property window, changing nothing and just clicking "ok", then the GPO is working.


    I followed your link and I don't know how you get the GPO property window with the attribute editor tab. Anyway, I tried your dsquery command, but in my case, it only converts the GPO name to the GPO unique ID - which I already had with PowerShell -.

    So I don't understand what to add then in order to get this working?

    -> Version number GPT : I can get the version number from the GPT.INI file, convert it to a binary number, split it into 2 parts of 16bits, increment the first part related to user settings only, convert it back to decimal and update the value in the GPT.INI file? I have done this manually and the GPO summary is still not appearing!
    -> Version number AD : Where is it located?
    -> Otherwise, is the uid really random?

    -------------

    PS: I am trying some stuff, and I have found something interesting:

    When a GPO is created by my script by way of the PS command $gpoOuObj=new-gpo -name "myOrganisationUnit", the following command returns:

    Get-ADObject -Filter * | Where-Object {$_.DistinguishedName -match "{0B0B244D-FFB5-4590-8306-A8BA767CDE92}"} | Select-Object objectGUID, DistinguishedName | Format-List

    objectGUID        : 60be6116-0f3c-4bc8-8c4a-1ec49fc7a964
    DistinguishedName : CN={0B0B244D-FFB5-4590-8306-A8BA767CDE92},CN=Policies,CN=System,DC=test,DC=local

    objectGUID        : 8f6b06d2-3002-41a8-a345-71a6fd7bb0ca
    DistinguishedName : CN=Machine,CN={0B0B244D-FFB5-4590-8306-A8BA767CDE92},CN=Policies,CN=System,DC=test,DC=local

    objectGUID        : aef141a2-a47a-4919-805c-90d877a8854e
    DistinguishedName : CN=User,CN={0B0B244D-FFB5-4590-8306-A8BA767CDE92},CN=Policies,CN=System,DC=test,DC=local


    (0B0B244D-FFB5-4590-8306-A8BA767CDE92 is the UID of the GPO you can get by $gpoOuObj.Id.Guid or directly in the group management console)

    What are these GUIDs?

    Thursday, May 12, 2016 4:34 PM
  • On 12.05.2016 at 15:44, Martin Binder [MVP] wrote:
    >> group policy and edit it manually, the category "User
    >> Settings\Preferences\Windows Settings\Drive Maps" has disappeared)
    > Yes because GPEdit does not know about the file - it will only look for
    > it if you edit as above.
     
    Just as an addon:
    If the CSE/GpEditor can not recognize the valid XML syntax, the item
    will be deleted.
     
    Mark
    --
    Mark Heitbrink - MVP Group Policy - Cloud and Datacenter Management
     
    Homepage:  http://www.gruppenrichtlinien.de - German
     
    Thursday, May 12, 2016 6:11 PM
  • Hi,
    Regarding objectGUID, I would suggest you take a look at the following website, and you could follow it to search for the object represented by the objectGUID attribute.
    http://www.open-a-socket.com/index.php/2011/09/23/powershell-script-to-find-objects-using-objectguid-value/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards,
    Wendy



    Friday, May 13, 2016 3:08 AM
    Moderator
  • Many thanks for your answer, I will take a look at your link Wendy Jiang: it will feed my curiosity.

    Otherwise, I'm still stuck in my project, I don't know what to do in order to get the GPO working.

    Here is a summary of what I'm doing now step by step:

    1. I create a gpo and link it to a specific location (working)

    $gpoOuObj=new-gpo -name $OU.Name
    new-gplink -Guid $gpoOuObj.Id.Guid -target "ou=$($OU.Name),ou=$($global:Or),dc=test,dc=local"

    2. I create the folder:

    $path="\\$($global:domain)\SYSVOL\$($global:domain)\Policies\{$($gpoOuObj.Id.Guid)}\User\Preferences\Drives"
    New-Item -Path $path -type Directory | Out-Null

    3. I generate the XML document and save it to the correct location: the 2 clsid are fixed values, and the uuid is generated randomly with $((New-Guid).Guid.ToUpper()):

    ---

    <?xml version="1.0" encoding="utf-8"?>
    <Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">

    <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="U:" status="U:" image="2" changed="2016-04-26 12:48:12" uid="{84C18D69-0123-4C9E-B940-B68D535189AD}" bypassErrors="1">

    <Properties action="U" thisDrive="SHOW" allDrives="HIDE" userName="" path="\\test.local\Qloudwise\Entity2\Common\Share" label="Entity2" persistent="1" useLetter="1" letter="U"/>

    <Filters>

    <FilterGroup bool="AND" not="0" name="LOCAL\Entity2" sid="S-1-5-21-1769619743-4051896648-2154897795-1156" userContext="1" primaryGroup="0" localGroup="0"/>

    </Filters>

    </Drive>
    </Drives>

    ---

    $XMLDocument.Save("$($path)\Drives.xml")

    4. I increment the version value as explained before in the GPT.INI file located in the group policy SYSVOL path

    Then? I don't really understand what I should do? I heard about also upgrading the version number in the AD...but I don't know what I should do....



    Friday, May 13, 2016 10:08 AM
  • > I didn't expect to have an answer so fast.
     
    This is super fast service here :)
     
    > console: when I select the group policy, no settings appear on the main
    > pane "No settings defined' for user and computer.
     
    Yes, because the AD attribute gPCUserExtensionNames is not populated. So
    GPMC does not know that your GPO contains settings for Drive Maps.
     
    > manually to the GPO, editing it, opening the map drive property window,
     
    Yes, because
     
    a) Opening drive maps loads the already existing XML file and then
    b) GPEdit populates the gPCUserExtensionNames attribute so GPMC knows
    that drive maps are present.
     
    > I follow your link and I don't know how you get the GPO property window
    > with the attribute editor tab.
     
    dsa.msc - View/Advanced Features, then navigate to System - Policies -
    GUID of your GPO. Check attributes tab (visible only if advanced
    features is enabled) :)
     
    > -> Otherwise, is the uid really random?
     
    Yes.
     
    > objectGUID        : 60be6116-0f3c-4bc8-8c4a-1ec49fc7a964
    > DistinguishedName :
    > CN={0B0B244D-FFB5-4590-8306-A8BA767CDE92},CN=Policies,CN=System,DC=test,DC=local
    >
    > objectGUID        : 8f6b06d2-3002-41a8-a345-71a6fd7bb0ca
    > DistinguishedName :
    > CN=Machine,CN={0B0B244D-FFB5-4590-8306-A8BA767CDE92},CN=Policies,CN=System,DC=test,DC=local
    >
    > objectGUID        : aef141a2-a47a-4919-805c-90d877a8854e
    > DistinguishedName :
    > CN=User,CN={0B0B244D-FFB5-4590-8306-A8BA767CDE92},CN=Policies,CN=System,DC=test,DC=local
     
    A GPO in AD is a container object which contains other containers
    (CN=User and CN=Machine), so you get 3 results for your query.
     
    > (0B0B244D-FFB5-4590-8306-A8BA767CDE92 is the UID of the GPO you can get
    > by $gpoOuObj.Id.Guid or directly in the group management console)
     
    Exactly. This is the GPO ID. The "objectGUID" attributes are AD internal
    GUIDs which are assigned to each and every object that exists in AD.
    AFAIK they are not used anywhere else.
     
    Friday, May 13, 2016 10:14 AM
  • Thanks Martin for your help!

    In fact dsa.msc - View/Advanced Features, doesn't work in the mmc console.

    So it seems that the answer is just adding the value

    [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}]

    to the attribute gPCUserExtensionNames of the gpo object.

    So this works of course only for map drive policy, due to the {2EA1A81B-48E5-45E9-8BB7-A6E3AC170006} value.

    And so where are {00000000-0000-0000-0000-000000000000} and {5794DAFD-BE60-433F-88A2-1A31939AC01F} coming from?

    Friday, May 13, 2016 11:13 AM
  • > *{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}* value.
     
    This is the MMC SnapIn Extension GUID for Drive Maps - the UI thing you
    use in GPEdit.
     
    > /And so where are {00000000-0000-0000-0000-000000000000}
     
    Zero is the GP Core engine:
     
    > and {5794DAFD-BE60-433F-88A2-1A31939AC01F} coming from?/
     
    This is the CSE for Drive maps - the GPO processing piece of software
    that applies your drive maps to the user.
     
     
    Friday, May 13, 2016 12:34 PM
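
The steps from the replies above (add the core and Drive Maps pairs to gPCUserExtensionNames, then raise the user half of the version number in both AD and gpt.ini), written out as an added PowerShell example; it is not code from the thread. The function names are hypothetical, and it assumes the ActiveDirectory module, write access to the GPO, and that the GPO's gPCFileSysPath attribute points at its SYSVOL folder.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory module and write access to the GPO.
Import-Module ActiveDirectory

# GUIDs quoted in the thread.
$CoreCse       = '{00000000-0000-0000-0000-000000000000}'  # GP core engine
$DriveMapsCse  = '{5794DAFD-BE60-433F-88A2-1A31939AC01F}'  # Drive Maps CSE
$DriveMapsTool = '{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}'  # Drive Maps snap-in extension

function Step-GpoUserVersion([int]$Version) {
    # Upper 16 bits = user version, lower 16 bits = computer version.
    $user     = ($Version -shr 16) -band 0xFFFF
    $computer = $Version -band 0xFFFF
    if ($user -ge 0x7FFF) { throw 'User version too large to increment safely.' }
    (($user + 1) -shl 16) -bor $computer
}

function Add-GpoExtension([string]$Current, [string]$Cse, [string]$Tool) {
    # Parse "[{CSE}{tool}...]" blocks into CSE -> tools, add the pair if it is
    # missing, and emit the blocks sorted by CSE GUID (upper-cased).
    $map = @{}
    foreach ($block in [regex]::Matches("$Current".ToUpper(), '\[([^\]]+)\]')) {
        $guids = @([regex]::Matches($block.Groups[1].Value, '\{[^}]+\}') |
                   ForEach-Object { $_.Value })
        $map[$guids[0]] = @($guids | Select-Object -Skip 1)
    }
    if (-not $map.ContainsKey($Cse)) { $map[$Cse] = @() }
    if ($map[$Cse] -notcontains $Tool) { $map[$Cse] += $Tool }
    ($map.Keys | Sort-Object |
        ForEach-Object { '[{0}{1}]' -f $_, ($map[$_] -join '') }) -join ''
}

function Register-DriveMapsExtension([string]$GpoDn) {
    $gpc = Get-ADObject -Identity $GpoDn `
        -Properties versionNumber, gPCUserExtensionNames, gPCFileSysPath
    $names = $gpc.gPCUserExtensionNames
    foreach ($cse in $CoreCse, $DriveMapsCse) {
        $names = Add-GpoExtension $names $cse $DriveMapsTool
    }
    $version = Step-GpoUserVersion $gpc.versionNumber

    # Write the same version to gpt.ini and to AD so the two stay in step.
    $ini = Join-Path $gpc.gPCFileSysPath 'gpt.ini'
    (Get-Content $ini) -replace '^Version=\d+', "Version=$version" |
        Set-Content $ini
    Set-ADObject -Identity $GpoDn -Replace @{
        versionNumber = $version; gPCUserExtensionNames = $names }
}
# Usage, with the DN form shown in the thread's Get-ADObject output:
# Register-DriveMapsExtension 'CN={0B0B244D-FFB5-4590-8306-A8BA767CDE92},CN=Policies,CN=System,DC=test,DC=local'
```

On a GPO whose gPCUserExtensionNames is empty, Add-GpoExtension produces the same two-block value quoted in the thread, and a version of 0 becomes 65536 (user version 1, computer version 0).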
  • I have forgotten to thank you for everything Martin, so thank you !
    Thursday, June 16, 2016 8:39 AM