Mapped network drive issues

    Question

  • Hello All,

    I'm trying to get mapped drives working for people who meet the following criteria:

    1. Is a member of a security group "TS Access"

    2. Is logging in to my terminal server, as I don't want the mapped drives to follow on laptops and desktops etc.

    I have tried creating a policy under the Users OU then removing "Authenticated Users" and adding the TS Access group, but that doesn't even work and that's without limiting it to the terminal server.

    Can anyone help me out with this?

    Regards,

    Nathan

    Saturday, January 7, 2017 10:57 AM

Answers

  • I would set the group policy scope to only run on the terminal server.

    Then create the drive map in group policy preferences and set it to the group TS Access.

    Then once the policy is created, check the security settings and add DOMAIN computers to the policy with read access; ensure apply policy is not ticked.

    This will apply the drive maps only to that server if you are a member of the group. The security permission is required due to an update from Microsoft. The permission requires the computers to be able to read the policy to avoid a man-in-the-middle attack.

    Authenticated users must be removed from the scope as it applies to Users and computers.

    • Marked as answer by NathanAdamson Monday, January 9, 2017 10:56 AM
    Saturday, January 7, 2017 2:11 PM

All replies

  • I have tried creating a policy under the Users OU then removing "Authenticated Users" and adding the TS Access group, but that doesn't even work and that's without limiting it to the terminal server.

    Authenticated Users still must have Read right access to the GPO, otherwise it will not take any effect. When removing Auth Users, re-add it to delegation with read right only.
    • Proposed as answer by yannara Saturday, January 7, 2017 1:57 PM
    Saturday, January 7, 2017 1:57 PM
  • Hi Nathan,
    Alternatively, you could try Group Policy loopback mode: This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this policy. It is intended for special-use computers. By default, the user's Group Policy objects determine which user policies apply. If this policy is enabled, then, when a user logs on to this computer, the computer's Group Policy objects determine which set of Group Policy objects applies. Please see details from: https://blogs.technet.microsoft.com/askds/2013/02/08/circle-back-to-loopback/
    Best regards,
    Wendy


    Monday, January 9, 2017 9:06 AM
    Moderator
  • GPP Drive Maps with Item Level targeting:
     
    > 1. Is a member of a security group "TS Access"
     
    Target "Security Group - User is a member of".
     
    > 2. Is logging in to my terminal server as i don't want the mapped drives to follow on laptops and desktops etc..
     
    Target "Security Group - computer is a member of" if all RD servers are in a group. Otherwise, if you probably already use Loopback Replace for your RD servers, simply link to the RD servers OU.
     
    > I have tried creating a policy under the Users OU then removing "Authenticated Users" and adding the TS Access group, but that doesn't even work and that's without limiting it to the terminal server.
     
    Leave auth users in place - or have a look at MS16-072 and its known issues.
     
    Monday, January 9, 2017 10:36 AM
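
The delegation steps from the accepted answer and the MS16-072 point in the reply above, as an added PowerShell example that is not code from any poster in this thread. It assumes the GroupPolicy RSAT module and a GPO named 'TS Drive Maps' (a hypothetical name); 'TS Access' is the group from the question.

```powershell
# Added example. $GpoName is a hypothetical placeholder; adjust to your GPO.
Import-Module GroupPolicy

$GpoName   = 'TS Drive Maps'   # assumed GPO name, not from the thread
$UserGroup = 'TS Access'       # security group named in the question

# 1. Take Authenticated Users out of the security filter.
#    -Replace is needed: without it Set-GPPermission never lowers an
#    existing, higher permission level such as GpoApply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace

# 2. Members of TS Access get Read + Apply group policy.
Set-GPPermission -Name $GpoName -TargetName $UserGroup `
    -TargetType Group -PermissionLevel GpoApply

# 3. Domain Computers get Read only (Apply stays unticked). After MS16-072
#    user policy is retrieved in the computer's security context, so the
#    computer account must be able to read the GPO.
Set-GPPermission -Name $GpoName -TargetName 'Domain Computers' `
    -TargetType Group -PermissionLevel GpoRead -Replace

# Returns $true when computer accounts can read the GPO, either through
# Authenticated Users or through Domain Computers.
function Test-GpoComputerReadable {
    param([Parameter(Mandatory)][string]$Name)
    $readers = 'Authenticated Users', 'Domain Computers'
    $levels  = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'
    $hits = Get-GPPermission -Name $Name -All | Where-Object {
        $_.Trustee.Name -in $readers -and "$($_.Permission)" -in $levels
    }
    return [bool]$hits
}

# 4. Verify the GPO just changed, then list every GPO in the domain whose
#    user settings would silently stop applying for the same reason.
"{0}: readable by computers = {1}" -f $GpoName, (Test-GpoComputerReadable $GpoName)

Get-GPO -All |
    Where-Object { -not (Test-GpoComputerReadable -Name $_.DisplayName) } |
    Select-Object DisplayName, Id
```

An empty result from the final pipeline means every GPO is readable by computer accounts through one of the two groups checked.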
  • Thank you all for your help, I have got it working thanks to the answer from Simon-Taylor
    Monday, January 9, 2017 10:59 AM