best way to map various combinations of mapped drives to AD users?
-
I could probably use group policy to make a mapping for each drive, then assign each GPO to the necessary user.. but I feel like that would still be a little numerous or something.
Also, I know usually this sort of thing is group based access, but we have a small company and many people wear multiple hats and essentially we end up with multiple combinations of access for every employee which makes group based permissions and things challenging.
-
While this is a very legacy approach it still works. If everyone is on premise (or VPN) based this should work fine.
-
You need to find something you can test against to know what drive letters to grant someone.
You could use an AD group membership as an option, then your logon script can test for a given group and if they are a member, you map the drive. You can also do the same through GPO assigned mappings.
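The group test described in the post above, sketched as a single PowerShell logon script shared by every user (an added example, not part of the original post). The `Map-*` group names are hypothetical, the letters and `\\fs1` shares come from the bat script quoted in this thread, and it assumes the same groups also hold the share and NTFS permissions, so a drive is only mapped where access will succeed.

```powershell
# Added example: one logon script for all users; AD group membership decides
# which drives are mapped. Group names (Map-*) are hypothetical placeholders.
$DriveMap = @(
    @{ Letter = 'G'; Path = '\\fs1\GeneralShare'; Group = 'Map-General'    }
    @{ Letter = 'K'; Path = '\\fs1\Accounting';   Group = 'Map-Accounting' }
    @{ Letter = 'L'; Path = '\\fs1\Finance';      Group = 'Map-Finance'    }
    @{ Letter = 'O'; Path = '\\fs1\Marketing';    Group = 'Map-Marketing'  }
    @{ Letter = 'T'; Path = '\\fs1\IT';           Group = 'Map-IT'         }
)

# Read group names from the logon token. This includes nested groups and
# needs no AD module on the workstation.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myGroups = foreach ($sid in $identity.Groups) {
    try {
        # "DOMAIN\Map-IT" -> "Map-IT"
        $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    } catch {
        # SIDs that cannot be resolved to a name are skipped
    }
}

foreach ($entry in $DriveMap) {
    $drive = "$($entry.Letter):"

    # Always clear the letter first, so a user removed from a group loses
    # the stale mapping at the next logon.
    cmd /c "net use $drive /delete /y >nul 2>&1"

    # Exact, case-insensitive match on the group name (no substring matching,
    # so Map-IT does not match a longer name that merely contains it).
    if ($myGroups -contains $entry.Group) {
        cmd /c "net use $drive `"$($entry.Path)`" /persistent:no >nul 2>&1"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not map $drive to $($entry.Path)"
        }
    }
}
```

Because membership is read from the logon token, a group change takes effect at the user's next logon, not immediately.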
-
@dave247 said in best way to map various combinations of mapped drives to AD users?:
Problem: we have about 10 different shared folders as mapped drives and a handful of simple bat scripts used as AD logon scripts for users. Most users have the same exact list of drives so they all have the same login script referenced in their AD account settings. However, I have a number of users that maybe need just one more or one less of those drives mapped. So my question is is there a more common or simple method to easily map any combination of folders as mapped drives to any combination of users without having to use a separate logon bat script for each? Like I don't want to have a specific bat script for each user's individual combination of mapped drives because then I'd eventually end up with 20+ of them. I also don't want to have some users that get a drive map error because of permissions.
Example of what my logon bat scripts look like:
@ECHO OFF
net use g: /delete /y
net use k: /delete /y
net use l: /delete /y
net use o: /delete /y
net use t: /delete /y
net use g: \\fs1\GeneralShare
net use k: \\fs1\Accounting
net use l: \\fs1\Finance
net use o: \\fs1\Marketing
net use t: \\fs1\IT
Also I understand that it's been said not to use mapped drives anymore and instead use UNC share, but I'm not doing that right now. Maybe down the road though.
You can use this to delete all network shares in a single line.
net use * /delete /y
Additionally, you can use the 'next available drive' using the same syntax (I understand)
net use * \\fs1\GeneralShare
net use * \\fs1\Accounting
net use * \\fs1\Finance
net use * \\fs1\Marketing
net use * \\fs1\IT
Though, I have never used that method as I myself or the (state) agency wanted to use a specified drive letter for the share.
-
@dave247 said in best way to map various combinations of mapped drives to AD users?:
I could probably use group policy to make a mapping for each drive, then assign each GPO to the necessary user.. but I feel like that would still be a little numerous or something.
Also, I know usually this sort of thing is group based access, but we have a small company and many people wear multiple hats and essentially we end up with multiple combinations of access for every employee which makes group based permissions and things challenging.
I think you're halfway there. Yes, use GPO, but instead of assigning users to each GPO, create a group and assign the group to the GPO. Once everything is created, all you have to do for who gets what is add/remove users from the group for the drive mapping.
-
@dustinb3403 said in best way to map various combinations of mapped drives to AD users?:
While this is a very legacy approach it still works. If everyone is on premise (or VPN) based this should work fine.
We have remote users (using VDI) too and mapped drives work just fine regardless.
-
@travisdh1 said in best way to map various combinations of mapped drives to AD users?:
@dave247 said in best way to map various combinations of mapped drives to AD users?:
I could probably use group policy to make a mapping for each drive, then assign each GPO to the necessary user.. but I feel like that would still be a little numerous or something.
Also, I know usually this sort of thing is group based access, but we have a small company and many people wear multiple hats and essentially we end up with multiple combinations of access for every employee which makes group based permissions and things challenging.
I think you're halfway there. Yes, use GPO, but instead of assigning users to each GPO, create a group and assign the group to the GPO. Once everything is created, all you have to do for who gets what is add/remove users from the group for the drive mapping.
You mean make a group and apply each GPO for each drive to it, then add users? That makes sense.
-
@dave247 said in best way to map various combinations of mapped drives to AD users?:
@travisdh1 said in best way to map various combinations of mapped drives to AD users?:
@dave247 said in best way to map various combinations of mapped drives to AD users?:
I could probably use group policy to make a mapping for each drive, then assign each GPO to the necessary user.. but I feel like that would still be a little numerous or something.
Also, I know usually this sort of thing is group based access, but we have a small company and many people wear multiple hats and essentially we end up with multiple combinations of access for every employee which makes group based permissions and things challenging.
I think you're halfway there. Yes, use GPO, but instead of assigning users to each GPO, create a group and assign the group to the GPO. Once everything is created, all you have to do for who gets what is add/remove users from the group for the drive mapping.
You mean make a group and apply each GPO for each drive to it, then add users? That makes sense.
Yep
-
@travisdh1 said in best way to map various combinations of mapped drives to AD users?:
@dave247 said in best way to map various combinations of mapped drives to AD users?:
@travisdh1 said in best way to map various combinations of mapped drives to AD users?:
@dave247 said in best way to map various combinations of mapped drives to AD users?:
I could probably use group policy to make a mapping for each drive, then assign each GPO to the necessary user.. but I feel like that would still be a little numerous or something.
Also, I know usually this sort of thing is group based access, but we have a small company and many people wear multiple hats and essentially we end up with multiple combinations of access for every employee which makes group based permissions and things challenging.
I think you're halfway there. Yes, use GPO, but instead of assigning users to each GPO, create a group and assign the group to the GPO. Once everything is created, all you have to do for who gets what is add/remove users from the group for the drive mapping.
You mean make a group and apply each GPO for each drive to it, then add users? That makes sense.
Yep
I'll give that a try, thanks for the idea
-
@dave247 said in best way to map various combinations of mapped drives to AD users?:
Problem: we have about 10 different shared folders as mapped drives and a handful of simple bat scripts used as AD logon scripts for users...
I think it would make more sense to just have one mapped drive and use sub directories for each department. That's probably how the files are organized anyway - at least judging from the looks of it.
The users that have permissions to a particular directory can use it and the others can't. That way you don't have to mess with the different drive mappings because everyone gets the same one drive.
This is also how I have seen organizations with many departments do it. They basically use one drive mapping per entire file server. Everyone gets the same shared drive(s) but permissions determine what directories they can access. It's more flexible to do it like that.
-
@pete-s said in best way to map various combinations of mapped drives to AD users?:
@dave247 said in best way to map various combinations of mapped drives to AD users?:
Problem: we have about 10 different shared folders as mapped drives and a handful of simple bat scripts used as AD logon scripts for users...
I think it would make more sense to just have one mapped drive and use sub directories for each department. That's probably how the files are organized anyway - at least judging from the looks of it.
The users that have permissions to a particular directory can use it and the others can't. That way you don't have to mess with the different drive mappings because everyone gets the same one drive.
This is also how I have seen organizations with many departments do it. They basically use one drive mapping per entire file server. Everyone gets the same shared drive(s) but permissions determine what directories they can access. It's more flexible to do it like that.
Yes actually that's one plan I've had for a long time, just haven't gotten around to doing it mainly since it will disrupt everyone's workflow for a bit.
-
@dave247 said in best way to map various combinations of mapped drives to AD users?:
@pete-s said in best way to map various combinations of mapped drives to AD users?:
@dave247 said in best way to map various combinations of mapped drives to AD users?:
Problem: we have about 10 different shared folders as mapped drives and a handful of simple bat scripts used as AD logon scripts for users...
I think it would make more sense to just have one mapped drive and use sub directories for each department. That's probably how the files are organized anyway - at least judging from the looks of it.
The users that have permissions to a particular directory can use it and the others can't. That way you don't have to mess with the different drive mappings because everyone gets the same one drive.
This is also how I have seen organizations with many departments do it. They basically use one drive mapping per entire file server. Everyone gets the same shared drive(s) but permissions determine what directories they can access. It's more flexible to do it like that.
Yes actually that's one plan I've had for a long time, just haven't gotten around to doing it mainly since it will disrupt everyone's workflow for a bit.
If you have the directory structure in place, you could do it by adding the new drive share for all departments. Give people a couple of weeks to start using it and then slowly start to remove the older shares one by one. That will force everyone to migrate to using the new share - but not everyone at the same time.