GPO drive mapping of DFS path not working with Windows 7 using Cisco VPN.


  • All users are using Windows 7 Enterprise SP1 64bit

    All domain controllers are server 2012 Datacenter 64bit

    The DFS server is server 2012 Datacenter 64bit.

    All laptops have the Cisco AnyConnect VPN software installed for use with an RSA token for authentication.

    All laptops are configured to use both IPv4 and IPv6.

    All login scripts have been converted to GPOs.

    All drive mappings look like this


    The user would have to be a member of the Corp-Home security group and have a folder named using their AD username, and the DFS namespace would equate to something like \\server1\E\corp-home

    The drive mappings within the GPOs work fine when workstations are connected to the corporate network without the need to utilize VPN.

    While using the VPN, the drive mapping portion of teh GPO does not work.  Running gpupdate /force says it reran all of the policies but the drive letter still does not get created.  gpresult /r confirms that the appropriate GPO was run, but yet no drive letter is mapped or created.

    While using the VPN, the shortcut creation portion of the GPO DOES work.  It creates a shortcut 1 min and 20 sec after the user logs in to the VPN.  The shortcut works.  The user has the appropriate rights.  The user has the ability to create a manual mapping using the NET USE command or Map Network Drive within File Explorer.

    I dont want to show users how to map manually because any mapping they create manually will override what I am trying to do within the GPO.

    I have already checked with Microsoft and received a list of the TCP and UDP ports that have to be open for the GPO to work through VPN.  Network Infrastructure group assures me that all of the needed ports are open.

    The only way I can see to make this work is to force the users to bring in their laptop to a corporate office once a month and log in without VPN so that their laptop will create all of the drive mappings and cache all of that information automatically.  If more than one user profile is used on the same laptop then all users must log into the same laptop while connected to the corporate network since all of the mapping information is cached separately for each user.

    This means that I can only make drive mapping changes during the last Saturday of the month, and then notify every laptop user that they need to revisit a corporate office on the 1st of the month.  This is a huge undertaking in order to get drive mappings to work.  Not really a sensible solution.

    My suspicion is that some type of data is being blocked and therefore not passing when connected via the VPN.

    It is curious that the portion of the GPO that creates shortcuts works while on the corporate LAN, and on the VPN.  The portion of the same GPO that deals with drive mapping works on corporate LAN but NOT on VPN.

    I did create a duplicate drive mapping and on the 2nd mapping added the targeting that I was connecting via VPN.  That did not help.

    Im not sure what else to try.  Is this a Windows 7 problem? a Cisco VPN problem? a timing issue?

    I have tested with a Microsoft Surface tablet running Windows 10, and connected it to the VPN, and the drive mapping are being created on Windows 10.

    The problem occurs with Windows 7 and not Windows 10.  It is not reasonable that I am going to be able to migrate from Windows 7 to Windows 10 any time soon.  I buy 1000 laptops a year and I have 5000 users.  So this problem needs to be fixed within Windows 7.

    Is there some place that I can turn on debug and create a log file where I watch every step of every GPO being executed?

    Is there a limit as to how many GPOs a single login can perform?

    Is there a limit as to how far down into AD you can go before the FQ context name is too long, and therefore does not run?


    Friday, March 17, 2017 4:34 PM

All replies

  • Hi Brent Seizer,

    Please first install all the hotfix on your client Windows 7.

    And have also seen the similar  scenario about drive map in windows 7 with CISCO VPN. One possible cause is that GPOs apply at login. If we log in before connecting to the domain so there's no way for the GPO to run correctly.

    For now, I could find one feasible workaround is that the VPN clients are forced to run a script after connecting that maps the drives. 

    And in addition, please also confirm with CISCO forum to check if there's any other configuration need to change

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Monday, March 20, 2017 6:57 AM