none
Group Policy Drive Mapping Item Level Targeting not working, drive maps without ILT

    Question

  • I have a GPO where on both Win7 and Win10 computers, it all of a sudden stopped mapping drives that had item level targeting saying where if a user was a member of that group to give them the drive.  I'm not sure how to determine why ILT isn't working, how do I troubleshoot why?
    Tuesday, January 17, 2017 5:06 PM

All replies

  • Also, in the policy with multiple drive mappings using ILT, if I undo ILT on one drive mapping, it does map that drive but it still does not do the other ones.  the other drives don't even show up in a gpresult, only the drive that's now without ILT shows under Preferences/Windows Settings/Drive Maps
    Tuesday, January 17, 2017 5:09 PM
  • Hi,
    Firstly, for the drive mapping to users which are targeted in ILT, the GPO must be linked to the OU that users are in. Otherwise, user doesn't even know that the GPO exists. Item Level Targeting allow you take many preferences and scope them down to certain subsets within the linked OU.
    In addition, please check preference settings in GPO and have a try the following configuration:
    Reconnect: unchecked
    Action: Replace
    Remove this item when it is no longer applied: Checked
    Also, please make sure that the system is fully updated with patches. For example:
    Group Policy preference item-level targeting does not work for 64-bit versions of Windows 7 https://support.microsoft.com/en-us/kb/2460922
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 18, 2017 3:43 AM
    Moderator
  • Hi Wendy.  The GPO is linked to the correct OU, and the machines are regularly patched.

    Action was already set to Replace.

    Currently i have Reconnect = Enabled and Remove this item when it is no longer applied.  why would those two affect ILT?  I will try it out and post back but just wondering what those two would do to it.

    Wednesday, January 18, 2017 4:13 PM
  • Still doesn't work with the settings you suggested with the item level targeting of group membership left on.

    Also, the problem happens on Win10 machines also, not just Win7.
    • Edited by RJO22 Wednesday, January 18, 2017 8:53 PM
    Wednesday, January 18, 2017 8:53 PM
  • Hi,
    Have you checked if there are any errors in the event logs related to this? And also, please verify the users group membership and if you have configured multiple groups in the ILT, you might need to check if “And” or “OR” option is correctly choose.
    In addition to use ILT, you could also have a try security filtering function in the GPO and see if it works.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, January 19, 2017 2:22 AM
    Moderator
  • I don't believe there were GPO related errors in the event log. Group membership is confirmed. Item level targeting did work fine for quite a while but suddenly it stopped and I'm trying to figure out why. There is only one group in the ILT.

    Also the users can manually map the drives so it is not a permissions issue.

    Also to reiterate what I stated earlier about the GPRESULT output, drive mappings do not show in there when they have ILT, so it's like they aren't even recognized when ILT is enabled for the mapping.

    How can I dig into this deeper?

    Thursday, January 19, 2017 2:38 AM
  • Hi,
    If neither of these help, the next step would probably be to activate debug logging on the drive map extension. See this article for instructions: http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, January 20, 2017 2:34 AM
    Moderator
  • > Also to reiterate what I stated earlier about the GPRESULT output, drive mappings do not show in there when they have ILT, so it's like they aren't even recognized when ILT is enabled for the mapping.
     
    That's expected. GPResult lists GPP items if they are applied, and it does not list them if they are filtered by ILT. It never lists the ILT itself.
     
    So it seems the Group membership evaluation returns "false". I have so far no idea of the reason why :-)
     
    Friday, January 20, 2017 10:35 AM