Microsoft released a great new set of tools for Active Directory with Windows Server 2008 called Group Policy Preferences. It was the opinion of most members of the systems administration community that we should have seen these incorporated into Active Directory much sooner. They provide a simple GUI interface to manipulate and control almost any aspect of the Microsoft Windows operating system.
The following document will not only outline Group Policy Preferences and the powerful management tools available but also provide Microsoft best practice surrounding them. Simple examples will be provided but these examples can be combined to really harness the full power of Group Policy Preferences.
Probably one of the easiest and most useful tasks that Group Policy Preferences accomplishes is mapping network drives. The best way to accomplish this is to incorporate existing Microsoft best practice (which should already be in place in a standard environment) and mesh it together with the new Group Policy Preferences component for ease of administration and improved security.
This example will assume that an Accounting department exists and that a share for the Accounting department is required for collaboration. The Microsoft-recommended best practice, which has been found to work most efficiently across all types of environments, is to create domain local security groups for access to shared resources and to assign NTFS permissions to these security groups. Next, domain global groups are created and all the users who require access to the resources are placed into these global groups. Finally, the global groups are made members of the domain local groups connected to the shared resources. Although this is a Microsoft-recommended best practice, very few organizations actually implement this strategy, and some disagree with Microsoft wholeheartedly. However, when leveraging this configuration with Group Policy Preferences it becomes very clear why this method is used and recommended by Microsoft.
The following will provide the details of an example of how this methodology works. The shared resource name will be simply “Accounting“. It is recommended to name the folder identically to the share name for simplicity, but this isn’t necessary. It is also recommended to create a folder administration group for managing file and folder NTFS permissions. This will provide very granular control over who has access to all file and folder permissions. Potentially, user accounts would only be placed into this security group as permissions need to be changed or set up. A domain global security group is created called “user-file and folder admins”. This is not an arbitrary name. Naming and naming conventions are critically important when working with Active Directory. Any IT professional that feels differently has most likely had very little experience managing or administering an Active Directory domain. The naming convention used in this example will follow the format [type]-[description]-[optional details], where [type] is the type of object that is associated with the group, [description] is a short description of the group like Accounting Department, and [optional details] could be something like read OR write or manage OR standard detailing the access levels. For the Accounting department, in order to provide some examples of user security groups, we have 3 security groups: user-Accounting Department-general, user-Accounting Department-managers, and user-Accounting Department-controllers.
In a similar fashion the network resource will have various security groups associated with it. In order to keep this simple, the following will be used: file-Accounting Share-read and file-Accounting Share-write. We now have all the groups required to set up a solid environment and provide access controls through NTFS permissions.
We will make user-Accounting Department-managers and user-Accounting Department-controllers a part of the file-Accounting Share-write and the user-Accounting Department-general group a part of the file-Accounting Share-read security group. This will allow managers and controllers to manipulate the data in the share, but the general accounting users will only be allowed to read the data as we may want them to have access to the data, but we don’t want them to manipulate or change it. Users will then be placed in the appropriate user global security group.
NOTE: It is really important that users are never placed directly into the file security groups.
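The group model and the NOTE above, as an added PowerShell example that is not part of the original post: it creates the groups with the ActiveDirectory module, nests the global groups into the domain local file groups, applies the NTFS permissions to the folder behind the Accounting share, and checks that no user was placed directly into a file group. The OU, the folder path and the Full Control level granted to the folder-admin group are assumptions.

```powershell
# Added example, not from the original post: build the group model described above with
# the ActiveDirectory module, apply the NTFS permissions to the folder behind
# \\fileserver01\Accounting, and audit that no user sits directly in a file-* group.
# The OU, folder path and the admin group's permission level are assumptions.
Import-Module ActiveDirectory
$ou     = 'OU=Groups,DC=corp,DC=example'   # placeholder OU for the new groups
$folder = 'D:\Shares\Accounting'            # placeholder folder behind the Accounting share
$domain = (Get-ADDomain).NetBIOSName

# Domain local groups carry the NTFS rights on the resource
$fileGroups = @{ 'file-Accounting Share-read'  = 'ReadAndExecute'
                 'file-Accounting Share-write' = 'Modify' }
# Global groups hold the users and are nested into the file groups
$nesting = @{ 'user-Accounting Department-general'     = 'file-Accounting Share-read'
              'user-Accounting Department-managers'    = 'file-Accounting Share-write'
              'user-Accounting Department-controllers' = 'file-Accounting Share-write' }
$adminGroup = 'user-file and folder admins'   # manages NTFS permissions (Full Control assumed)

foreach ($g in $fileGroups.Keys) { New-ADGroup -Name $g -GroupScope DomainLocal -GroupCategory Security -Path $ou }
foreach ($g in @($nesting.Keys) + $adminGroup) { New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $ou }
foreach ($g in $nesting.Keys) { Add-ADGroupMember -Identity $nesting[$g] -Members $g }

# NTFS: stop inheriting from the parent, then grant only SYSTEM, the admin group and the file groups
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # protect the ACL and drop inherited entries
$grants = @{ 'NT AUTHORITY\SYSTEM' = 'FullControl'; "$domain\$adminGroup" = 'FullControl' }
foreach ($g in $fileGroups.Keys) { $grants["$domain\$g"] = $fileGroups[$g] }
foreach ($id in $grants.Keys) {
    $ruleArgs = $id, $grants[$id], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs))
}
Set-Acl -Path $folder -AclObject $acl

# Audit for the NOTE above: file groups must contain groups only, never users
function Get-DirectUserMembers([string]$GroupName) {
    Get-ADGroupMember -Identity $GroupName | Where-Object { $_.objectClass -eq 'user' }
}
foreach ($g in $fileGroups.Keys) {
    $direct = Get-DirectUserMembers $g
    if ($direct) { Write-Warning "$g has direct user members: $($direct.SamAccountName -join ', ')" }
}
```

The audit loop at the end can be run on its own on a schedule to catch users added straight into a file group, which would bypass the global-group layer the text relies on.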
Mapping a network drive using Group Policy Preferences
After testing and verifying the access rights based on the new security groups, the next step involves actually setting up the configuration that will map the drives. First, a Group Policy Object is created which will contain the preferences. The recurring theme of naming is back with Group Policy Objects. When creating a Group Policy Object, the name will be important and a standard should be followed per Microsoft. For this example, the following template is used: [object it applies to]-[Short description]-[type], where [object it applies to] refers to user, computer, or both, [Short description] provides a quick description of the Group Policy Object‘s goals, and [type] would be policy, preference, or both, indicating what methods of configuration are used.
Based on this template for Group Policy Objects the following Group Policy Object is created user-Drive Mapping-preferences. The name quickly identifies that the Group Policy Object will apply to user objects, it is for the purpose of drive mapping, and it uses preferences to accomplish this task.
Once the Group Policy Object has been created, right-clicking the object and selecting the “edit” option will open the policy. Drilling down under the User Configuration section, then Preferences, then Windows Settings, Drive Maps will be listed. Right-clicking this object will provide a menu; select “New -> Mapped Drive“. A new “Properties” window will be displayed allowing a configuration to be built for the drive mapping.
All preferences use the same 4 options; create, delete, update, and replace.
- Create will create the “configuration” if it doesn’t exist, but will not check for changes or update if anything is changed.
- Delete removes the “configuration” and can be used in conjunction with the other actions.
- Update will update the “configuration” by creating it if needed or updating it if required. Note that the update action does not remove an item if the object it is being applied to falls out of scope.
- Replace is similar to update, but it is the only action that can be used with the “remove when no longer applies” option. If the “replace” action is implemented and the object (user for example) is no longer in the scope of the preference, replace will remove the preference configuration.
For mapped drives, the most common action used is “replace” as it will add and remove mapped drives as needed. Once the action has been selected, the path to the network resource, in this case \\fileserver01\Accounting, is provided in the “Location” entry box and the “reconnect” check box is selected if this functionality is needed. Preferences also allow the network resource to be named. This is a great idea to prevent end-users from becoming confused or using the drive letter to refer to the network resource. Place a check in “Label as“ and, in the space provided, supply a meaningful name for your network resource (to remain consistent and to keep things simple, the actual shared resource name could be used here: Accounting). Next the drive letter is selected. Again, another great option with Group Policy Preferences is the ability to select “Use first available, starting at:”, which will attempt to map the drive to the drive letter indicated first, but if it is in use continues to attempt to map the drive to ascending letters until an open letter is found. This functionality displays why naming the shared resource is so important. If the end-user was calling the network resource the “G” drive for example, but today it is the “J” drive, they would be confused and likely contact the help desk believing they lost access to their network drive. Of course using “Existing” allows a single letter to be chosen for the mapping. There are several other options on this Properties page, but they will not be covered in detail here.
The next, and arguably the more impressive page / tab is the “Common” tab. This tab holds the options that control how the drive mapping will be applied. It contains features like “Run in logged-on user’s security context (user policy option)” which allows preferences to run as the user logging on, with the user’s defined rights and permissions. The “Remove this item when it is no longer applied” option (used only when the “Replace” action is selected) removes the configuration if it no longer applies to the object (user or computer). “Apply once and do not reapply” is used when a configuration only needs to be applied one time, similar to “run once” in Windows. The last option is “Item-level targeting” and is what really makes Group Policy Preferences worthwhile. It allows fine-grained control over what configurations apply and how they apply using almost unlimited filtering.
For this example, we will be assuming that the organization has several sites / locations and the accounting department of each of these sites has individual drive mappings.
By leveraging “Item-level targeting” the drive can be mapped to the users of the accounting security groups (created above) who have an IP address in the subnet of the specific location, or who are in a specific Active Directory Site.
First it should be understood that adding a single targeting item is completely acceptable, but several items can be used with either AND or OR statements and IS or IS NOT statements. Several items can be combined into a collection and collections can be evaluated the same way individual items are evaluated.
In order to better understand this, using the example above, a mapped drive definition will be setup that will map the network drive to any user who meets the following criteria:
- is a member of the user-Accounting Department-managers security group
- is a part of the “Location A” site in Active Directory Sites and Services
- has been assigned an IP address in the range of 192.168.0.40 – 192.168.0.99
To make this happen, a collection is created. In that collection 2 targeting items are created. The first item defines that the IP address is between 192.168.0.40 and 192.168.0.99 and the other item defines that the object must be a part of the Location A site in Active Directory Sites and Services. Now, using the item options it can be specified that one of these conditions must be true, or both of these conditions must be true, by toggling the And and Or options. Using “And” will define that both items must be true for the drive mapping to occur while using “Or” will allow for either of the conditions to be met. The same applies when looking at the “Is” and “Is Not” item options. These options perform just as you would expect. By using the “Is” option, the condition must be true, and conversely by using the “Is Not” option, the condition must be false.
Once the collection is created and configured to provide the expected results, the last task is to add a single item requiring membership in the user-Accounting Department-managers group.
Again, the item options can be used to require that both the item and the collection be true, or to require that one or the other be true. In the example, the goal is to have everything match, so the “And” modifier will be used for all items and, since we want everything to be true, the “Is” modifier will also be used for each item.
Saving this new configuration and applying it to an OU that contains the users, the following will be the result of all the configurations made in this example from the security group selections to the item level targeting of the drive mapping preference.
- Managers of the Accounting department for the Location A site will receive a mapped drive
- These users will have read and write access to the drive
- If they move to another location, they will lose the mapped drive until they return to Location A
- If a manager is moved to a new role within the organization, simply removing them from the user-Accounting Department-managers group removes the drive mapping from their workstation and also removes their access rights to the network location, so manually entering the UNC path to the resource will result in an “access denied” message.
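The targeting logic described above (collection of IP range and site, joined with And to a group item) and the results list, as an added PowerShell example that is not part of the original post: it parses a constructed Drives.xml fragment in the format GPMC writes to SYSVOL for Drive Maps, evaluates the item-level targeting for a manager on the Location A subnet and for the same manager after moving to another site, and reports whether the mapping applies. The domain name, SID, site names and IP addresses are placeholders, and evaluating items top to bottom with each item's And/Or joining it to the running result is this model's assumption.

```powershell
# Added example, not from the original post: parse the drive map built above from a
# constructed Drives.xml fragment (element and attribute names as written to SYSVOL by
# GPMC) and evaluate its item-level targeting. Domain, SID, sites and IPs are placeholders.
[xml]$drives = @'
<Drives>
  <Drive name="G:" status="G:">
    <Properties action="R" path="\\fileserver01\Accounting" label="Accounting" persistent="1" useLetter="0" letter="G"/>
    <Filters>
      <FilterCollection bool="AND" not="0">
        <FilterIpRange bool="AND" not="0" min="192.168.0.40" max="192.168.0.99"/>
        <FilterSite bool="AND" not="0" name="Location A"/>
      </FilterCollection>
      <FilterGroup bool="AND" not="0" name="CONTOSO\user-Accounting Department-managers" sid="S-1-5-21-0-0-0-1105" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>
</Drives>
'@
# IPv4 dotted quad -> integer so the range check is a plain numeric comparison
function ConvertTo-UInt32([string]$Ip) { $b = ([ipaddress]$Ip).GetAddressBytes(); [array]::Reverse($b); [BitConverter]::ToUInt32($b, 0) }

# Assumption of this model: items are evaluated top to bottom, each item's "bool" joins it
# to the running result (And/Or), not="1" is the "Is Not" option, and collections recurse.
function Test-TargetingItem($Node, $Ctx) {
    $r = switch ($Node.LocalName) {
        'FilterCollection' { Test-TargetingItems $Node.ChildNodes $Ctx }
        'FilterGroup'      { $Ctx.Groups -contains $Node.GetAttribute('name') }
        'FilterSite'       { $Ctx.Site -eq $Node.GetAttribute('name') }
        'FilterIpRange'    { $v = ConvertTo-UInt32 $Ctx.Ip
                             ($v -ge (ConvertTo-UInt32 $Node.GetAttribute('min'))) -and
                             ($v -le (ConvertTo-UInt32 $Node.GetAttribute('max'))) }
        default            { throw "Unsupported targeting item: $($Node.LocalName)" }
    }
    if ($Node.GetAttribute('not') -eq '1') { -not $r } else { $r }
}
function Test-TargetingItems($Nodes, $Ctx) {
    $acc = $null
    foreach ($n in $Nodes) {
        $v = Test-TargetingItem $n $Ctx
        if ($null -eq $acc) { $acc = $v }
        elseif ($n.GetAttribute('bool') -eq 'OR') { $acc = $acc -or $v }
        else { $acc = $acc -and $v }
    }
    [bool]$acc
}
# Constructed contexts: a manager on the Location A subnet, then the same manager at another site
$atA = @{ Groups = @('CONTOSO\user-Accounting Department-managers'); Site = 'Location A'; Ip = '192.168.0.57' }
$atB = @{ Groups = $atA.Groups; Site = 'Location B'; Ip = '192.168.5.20' }
foreach ($d in $drives.Drives.Drive) {
    $f = $d.Filters.ChildNodes
    "{0} {1} action={2}: applies at A={3}, at B={4}" -f $d.GetAttribute('name'), $d.Properties.GetAttribute('path'),
        $d.Properties.GetAttribute('action'), (Test-TargetingItems $f $atA), (Test-TargetingItems $f $atB)
}
```

Pointing `[xml]$drives` at a real `Drives.xml` under the GPO's SYSVOL folder instead of the constructed fragment turns this into a review tool for checking which contexts a deployed mapping will reach.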
The example above is a simple and hopefully straightforward illustration of how Group Policy Preferences can be leveraged and how potentially powerful they can be in the administration of rights and delegation of resources.
Known Issues / Troubleshooting
Problem: The network resource does not get mapped to a drive even though all settings are correct and the user is a member of the required security groups.
Solution: Because Group Policy Preferences are relatively new, there are several prerequisites required in order for the preference instructions to interact with older Windows systems. The prerequisites will not be covered here, but a quick search should provide several Microsoft documents that define what each version of Windows requires for successful use of Group Policy Preferences.