Re: GPO not working (yes, another post)



"Cliff Galiher" <cgaliher@xxxxxxxxx> wrote in message news:%23XmzxllJKHA.4168@xxxxxxxxxxxxxxxxxxxxxxx
Well, the answer is actually pretty straightforward, but I don't want to assume anything, so I'll answer the question in two parts, just in case there was a nugget of information you weren't aware of.

For the first part of the answer, I'm going to take group policies out of the equation for a moment and just give a brief overview of how Windows "sees" mapped drives. When you have a hard drive, a USB drive, floppy, or other device, that is (I know, stating the obvious) real hardware and thus has to be associated to the machine somehow. So drive letters are a machine setting.

A mapped drive, however, is really just a handy way to reference a network location. When you click on the M drive you've mapped, internally Windows "knows" that this points to a share and opens an SMB connection to \\server\share. It isn't a "real" drive. You can see this by using a version of Windows that allows user switching. Log in as UserA, map a drive...let's say to M, and then "switch" and log in as UserB (with UserA remaining logged in.) UserB does not have an M drive. So you map the *same* share to UserB's O drive and switch back to UserA. UserA still has an M drive but no O drive. This is by design. These are shortcuts and, like your desktop or start bar, shortcuts are for your convenience and customizable. You probably don't want the same wallpaper and shortcuts that Bob does from accounting. He's a slob after all and has all sorts of Excel links littering his desktop and you, of course, are a neat freak.

So mapped drives are *STRICTLY* user settings. They are stored in the user's profile and loaded on login and unloaded on logout. The system accounts, such as LocalSystem, NetworkService, and others do NOT see those drive letters. They'd just access the network natively. After all, they don't have a fear of keystrokes like us humans do.

--

So, with that established (or reaffirmed as the case may be) we can move onto the second part of the answer. Reintroducing group policies. When you open a group policy in the GPEditor, there are two distinct sections. Machine settings and user settings. Now I'm not just talking about preferences here....the following applies to all group policy settings. Let's say you expand the machine group policy settings and set a power management setting. If that policy is linked to an OU that only has users then that policy will *never* get applied. It is a machine setting and thus *must* be applied to a machine. Not a machine that a user logs into, but a machine in the domain that the DC can control.

It may seem to make sense to say "I assigned the policy to a user so that it gets applied to any machine they log in to." But in practice, does that actually make sense? If you later set up VPN access for a boss so he can work from his home machine, he might be a little ticked if logging into the VPN causes the domain controller to suddenly apply a bunch of machine settings such as changing his screen saver, making his laptop power down after 2 minutes, and so on. No. Machine settings are only applied to machines that exist in AD and are in an OU that the policy is linked to.

So the reverse is also true. User settings are only applied to users, never machines. To again use an example, you can set a user policy to force IE to have a specific homepage. Now it won't matter which machine the user logs into, that setting will apply because it is a user setting. If you assigned the policy to an OU that only has machines...well...there are no users so that user setting never gets applied. And again, you may be thinking "I want the homepage to be http://our-finance-server/sharepoint-homepage if a user logs into a computer in the finance OU." But again, you are thinking about it a little wrong. The point is you want to change a *user's* homepage so you still need to assign the policy to a user. Machines don't have homepages (what does LocalSystem need a homepage for!)

You can get the desired effect for *both* examples above by using filters. Group Policy filters were invented for this reason (long before preferences existed!) You can filter by security group or write some very fancy WMI filters to get all sorts of esoteric configurations.

But it still boils down to this single question: Does this setting affect a machine or just a user ON the machine? And link appropriately. Of course it is easy to answer THAT question (you don't have to guess) because the setting you are changing is going to be hierarchically under one of those two main groups in the GPEditor.

So...to come full circle...where is the mapped drive preference found? Per-machine preferences have no mapped drive section...so it is under per-user. And using my rule above, any setting under per-user must be linked to an OU that contains users.

--

For the record, your linked policy would've been applied to any USER you added to the SBSComputers group. An OU can hold a user, a computer, a security group, etc etc. BUT BUT BUT, by default you should not *have* any users in that OU because the golden rule in SBS is "use the wizards!" And the wizard would never put a user in that particular OU. So there you have it.

Make sense?

-Cliff


Excellent explanation. :-)

It's something that many don't realize, that if you set a user setting on a computer OU GPO where no users exist, it doesn't work, and they pull their hair trying to figure out why. :-)

Ace
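
An added example, not part of either post above: one way to spot the mismatch Cliff describes is to compare which half of each linked GPO has settings against what kinds of objects actually live under the OU. It assumes the GroupPolicy and ActiveDirectory RSAT modules are installed; the OU distinguished name at the bottom is a constructed placeholder.

```powershell
# Added example (not from the thread): flag GPO links whose configured half
# (User or Computer) has no matching objects in the linked OU.
Import-Module GroupPolicy, ActiveDirectory

function Test-GpoLinkTarget {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName
    )

    # Count users and computers in the OU and its child OUs (links inherit downward).
    $userCount     = @(Get-ADUser     -Filter * -SearchBase $OuDistinguishedName).Count
    $computerCount = @(Get-ADComputer -Filter * -SearchBase $OuDistinguishedName).Count

    # GpoLinks lists only the GPOs linked directly on this OU.
    foreach ($link in (Get-GPInheritance -Target $OuDistinguishedName).GpoLinks) {
        if (-not $link.Enabled) { continue }
        $gpo = Get-GPO -Guid $link.GpoId

        # A DSVersion above 0 means that half of the GPO has been edited at least once.
        $userHalf     = $gpo.User.DSVersion -gt 0 -and
                        $gpo.GpoStatus -notin 'UserSettingsDisabled', 'AllSettingsDisabled'
        $computerHalf = $gpo.Computer.DSVersion -gt 0 -and
                        $gpo.GpoStatus -notin 'ComputerSettingsDisabled', 'AllSettingsDisabled'

        $problems = @()
        if ($userHalf -and $userCount -eq 0) {
            $problems += 'user settings configured, but no users under this OU'
        }
        if ($computerHalf -and $computerCount -eq 0) {
            $problems += 'computer settings configured, but no computers under this OU'
        }

        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            UserHalf  = $userHalf
            Computers = $computerCount
            Users     = $userCount
            Finding   = if ($problems) { $problems -join '; ' } else { 'ok' }
        }
    }
}

# Placeholder DN (constructed); substitute the OU your GPO is linked to.
# This check ignores security-group and WMI filtering and loopback processing.
Test-GpoLinkTarget -OuDistinguishedName 'OU=SBSComputers,DC=example,DC=local' |
    Format-Table -AutoSize
```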
