Anyone who has heard me talk about service delivery standards knows that I’m a big advocate for standardizing everything you can. One of my big pet peeves is SMB networks that are not using standard drive mappings – where each user has a different drive letter pointing to the same share on the server... I’ve been surprised by the number of administrators & consultants who don’t know about the IFMEMBER utility from the Windows Resource Kit. IFMEMBER has been a core building block of my login scripts for the past 10 years, allowing me to dynamically map network drives based on a user’s security group membership at login.
Well, with the dawn of Windows 2008 – IFMEMBER is effectively dead. I’ll admit that I’m probably a bit behind the curve here, but quite frankly – login scripts themselves are effectively dead in Windows / SBS 2008 and are replaced with Group Policy Preferences. I finally got a chance to play with Group Policy Preferences, and I have to say they work pretty slick.
Let’s take a fairly typical example: we have a site running SBS 2008, and each user has their own folder under the usershares share on the server. We also have a public share for common files, and an accounting share for our QuickBooks data and accounting-specific spreadsheets, reports, etc. We want each user to have H: mapped to their user shared folder, P: mapped to the public share, and Q: mapped to the accounting share. We only want Q: mapped for members of the Accounting Users security group we’ve created, and we want to force these mappings (so they replace any different drives users may have created using the same letters).
Previously, our login script to accomplish this would have looked like:
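rem Force H: to the user's own folder
net use h: /delete
net use h: \\server\usershares\%username%
rem Force P: to the public share
net use p: /delete
net use p: \\server\public
rem IFMEMBER sets errorlevel to the number of listed groups the user belongs to
ifmember "Accounting Users"
if not errorlevel 1 goto quit_acct
net use q: /delete
net use q: \\server\accounting
:quit_acct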
With Group Policy Preferences, we start by opening the Group Policy Management Console on our SBS 2008. I decided to create a new GPO in the DOMAIN \ My Business \ Users \ SBS Users OU. When the GPO is opened in the editor, you can see a clear delineation between Group Policies and Group Preferences:
There is still a separation between Computer configuration and User configuration. Obviously, drive mappings will be a user configuration. Expand User Configuration | Preferences | Windows Settings and select Drive Maps. You can add a new drive mapping by either clicking the plus sign “+” icon in the toolbar, or right-click in the content pane and select New | Mapped Drive.
You will notice there are four different actions that the drive mapping group preference can take: Create, Delete, Replace or Update. Create and Delete are self-explanatory. In the example in the screenshot, I’m mapping H: to the user’s shared folder on the server. If the user was already using H: for a different drive, the Replace option will effectively remove the existing H: drive then create a new mapping based on the settings defined in this preference. If we used the Update action, the preference would only change the attributes of the existing H: drive to match the settings specified, thus retaining any locally applied settings for the drive mapping that are not defined in the preference. Both the Replace and Update actions will create a new mapped drive if it doesn’t exist when the preference is applied.
Most of the fields on this page are self-explanatory. Note that we can specify a given account to use to connect to the share, and we can specify a custom label for the mapped drive as well, and take advantage of variables such as %username% in the path & label.
If we take a look at the Common tab, we have a few more options, including the ability to enable item-level targeting, which unleashes the true power and flexibility of Group Preferences. Let’s take our basic example of wanting to map the Q: drive to the accounting share, but only for members of the Accounting Users security group. On the Common tab, we would check to enable the options to run the preference in the logged-on user’s security context, and to enable Item-level targeting. Then we click the Targeting button to specify the target.
In this case, we would click “New Item” and select the Security Group option. From here, we can browse to select our Accounting Users security group. Note that we can specify whether we are checking the user or computer’s membership, and using the Item Options, we can specify whether we want to check if the user/computer IS a member or IS NOT a member of the group. In our example, this is all we would need to do to have our Q: drive mapped for members of the Accounting Users security group.
But while you’re in the targeting editor, take a look at all of the items we can check for. Also note that we can add collections (groups of items) for nested targeting, and we can use AND or OR operators within our collections to specifically target exactly who or what we want to get this preference applied.
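As an added example (not from the original post or from Microsoft), the Python below audits the XML that Drive Maps preferences store in SYSVOL: it lists each mapping's action and security-group targeting, and flags any entry that connects with a saved account or password. The sample XML is constructed; the S: mapping, DOMAIN\svc-scan, the SID and the cpassword value are placeholders assumed for illustration.

```python
import xml.etree.ElementTree as ET

ACTIONS = {"C": "Create", "D": "Delete", "R": "Replace", "U": "Update"}
# Constructed sample modelled on the Drives.xml a Drive Maps preference stores
# in SYSVOL; the S: entry, account, SID and cpassword are placeholders.
SAMPLE = r"""<Drives>
  <Drive name="H:">
    <Properties action="R" letter="H" userName=""
                path="\\server\usershares\%username%"/>
  </Drive>
  <Drive name="Q:">
    <Properties action="R" letter="Q" userName="" path="\\server\accounting"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="DOMAIN\Accounting Users"
                   sid="S-1-5-21-PLACEHOLDER"/>
    </Filters>
  </Drive>
  <Drive name="S:">
    <Properties action="U" letter="S" userName="DOMAIN\svc-scan"
                cpassword="PLACEHOLDER" path="\\server\scans"/>
  </Drive>
</Drives>"""

def audit_drive_maps(xml_text):
    """Summarise each mapped drive: action, path, group targeting, findings."""
    report = []
    for drive in ET.fromstring(xml_text).iter("Drive"):
        props = drive.find("Properties")
        # Security-group targeting items; nested collections are flattened.
        groups = [("NOT " if f.get("not") == "1" else "") + f.get("name", "")
                  for f in drive.iter("FilterGroup")]
        findings = []
        if props.get("cpassword"):
            # Reversibly encrypted and readable by any domain user (MS14-025).
            findings.append("stored password (cpassword) in SYSVOL")
        elif props.get("userName"):
            findings.append("connects as fixed account " + props.get("userName"))
        report.append({
            "letter": props.get("letter"),
            "action": ACTIONS.get(props.get("action"), "Unknown"),
            "path": props.get("path"),
            "groups": groups,
            "findings": findings,
        })
    return report

if __name__ == "__main__":
    for row in audit_drive_maps(SAMPLE):
        print(row)
```

A mapping with an empty group list applies to every user in the GPO's scope, which is what H: and P: in the article's example are meant to do.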
Another preference that will get a lot of use in the SMB space is the ability to add mapped printers (and set default printers) via the preferences as well. As an example of targeting, if we have a customer with multiple locations all on the same domain & linked via router-based VPNs, we can target based on the client PC’s IP address, so it only gets printers at its location installed.
Regardless – I encourage everyone to really play with the new Group Policy Preferences – they’re going to make it much easier to standardize our client environments.