I hope everyone is enjoying Thanksgiving if that is your thing, as while I already had my Thanksgiving, I am in fact enjoying the quiet and getting things done in the lab. This is one of those articles that are as much for me as anyone who reads it. I will have a few in the next while that some (most) of you will be already familiar with. But I need to get my lab completed and updated. So this article will be Home Folders and Shared Folders. It is interesting to me as there have been several key differences in this area since I last did this for customers.
This used to be more commonly referred to as H: but no matter as what really counts is that it is a private or almost private location for the end user that owns it. So how do we get this done? We have a share (mount point) – called Home in my case, and it has Full Control for Domain Admins and System. Due to me using the DataGravity Storage Appliance (and this is true for many storage appliances), I need to add to the share Traverse right for the Domain Users.
Now we work in Active Directory Users and Computers. In the old days you did this one person at a time, or used a script. But now you can highlight a bunch of users and [right + click] and select Properties. Very handy.
But I do like to do this one by one at first until it tests good.
So access the Profile tab for a user.
You can use any letter you like but after a zillion customers H: is a habit for me. But notice the field when you have selected H:? I originally entered:
But now you see something different.
Once you hit OK the %username% is changed to the user name, and a folder is created to match and it is given the appropriate rights. One important thing that is different now than in the past is that the user is not the owner of the folder. That was done in the past so there may be a way to change it but not sure now.
I did this for my own admin account, and for my normal account. In both cases I had H: after I logged in and so I was happy. If it did not work, I would check the permissions on the main share. I should note that this is not done by GPO so it is fast and should be done at the time of login.
At this point a script is required or perhaps the new highlight of a bunch of accounts and right click and create a profile and do all the users.
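One way to script the bulk step, as an added example that is not from the original article. Unlike the Profile tab, `Set-ADUser` only writes the attributes and does not create the folder, so the script creates it and sets the ACL itself. The server, domain and distinguished name are placeholders, and giving the user Modify rather than Full Control is an assumption of this example.

```powershell
# Added example: bulk home-folder provisioning for every enabled user in one OU.
# Run as an account with Full Control on the Home share (Domain Admins above).
Import-Module ActiveDirectory

$HomeRoot   = '\\fileserver.example.com\Home'   # placeholder UNC path of the Home share
$SearchBase = 'OU=DG Users,DC=example,DC=com'   # placeholder DN; the OU name is the article's
$Domain     = 'EXAMPLE'                         # placeholder NetBIOS domain name
$Drive      = 'H:'

foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase) {
    $sam  = $user.SamAccountName
    $path = Join-Path $HomeRoot $sam

    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -ItemType Directory -Path $path | Out-Null
    }

    # Build the ACL from scratch and block inheritance, so nothing granted
    # on the share root (such as Traverse for Domain Users) reaches the folder.
    $acl = New-Object System.Security.AccessControl.DirectorySecurity
    $acl.SetAccessRuleProtection($true, $false)

    $grants = [ordered]@{
        'NT AUTHORITY\SYSTEM'   = 'FullControl'
        "$Domain\Domain Admins" = 'FullControl'
        "$Domain\$sam"          = 'Modify'      # assumption: user cannot edit the ACL
    }
    foreach ($identity in $grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
            -ArgumentList $identity, $grants[$identity],
                          'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $path -AclObject $acl

    # Write the same two values the Profile tab sets.
    Set-ADUser -Identity $user -HomeDrive $Drive -HomeDirectory $path
}
```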
This is the folder that all users can access, and also team shared folders. Very important in companies but also a dumping ground often too. If you use data-aware storage you will actually know what accumulates and by whom.
In my case, I had a few to do.
S:\All Users (\\bosarray01.dglabs.com\shared\all users)
All users would get S:, and which group you are in will determine what your T: would point to. And yes, they are all enforced with ACL.
What was exciting for me is how this is done now as compared to the past. In the past it was a login script and a tool, or a fancy VB script, to do the group to folder mapping. But now it is something called Drive Mappings. They are better in many ways, and a little bit worse. They sometimes take one or two times log in to get all of your drive mappings complete.
So what you do now is create a new Group Policy Object – mine is called DGDriveMappings. You link it to the OU that contains your users. Mine is called DG Users. In User Configuration, Windows Settings, and Drive Mappings you will find the mapping. Here is what mine looks like when it is done.
What the drive mapping says is to delete all network drive letters starting at L: (and down to Z:) and create what is necessary. For something simple like S: you would see – after you created it (right + click in the white space and create and fill in a drive mapping) – it as seen below.
Some important things here to help you avoid frustration. Use Create as the action – or as needed Delete. Select Reconnect, and in Hide / Show this drive select Show. I also like the Label feature so I use it.
Now what is really handy here is how you can provide a drive mapping to a subset of people. In the screenshot above there is a tab called Common. If you were to select it you have a number of options. This is where you can do something called Item-level targeting and select a group.
In the screen above we have configured this drive mapping so that only users in the group IT will get the drive mapping. We need to do a drive mapping like this for each group. So T: will mean something different for each group.
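Item-level targeting only decides who gets the drive letter. The UNC path stays reachable to anyone the folder ACL allows, so the ACL is the control worth checking. The audit below is an added example, not part of the original article; the server, domain, folder names and folder-to-group pairs are constructed placeholders.

```powershell
# Added example: list ACL entries on team folders that fall outside the
# group each folder is meant for. All names are constructed placeholders.
$SharedRoot = '\\fileserver.example.com\shared'
$Domain     = 'EXAMPLE'

# Folder name -> the one group that should be able to get in (assumed pairs).
$Expected = @{
    'IT'        = "$Domain\IT"
    'All Users' = "$Domain\Domain Users"
}
# Administrative principals accepted on every folder.
$AlwaysAllowed = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', "$Domain\Domain Admins"

function Get-UnexpectedAccess {
    param([string]$Path, [string]$Group)
    $ok = $AlwaysAllowed + $Group
    (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $ok -notcontains $_.IdentityReference.Value } |
        ForEach-Object {
            [pscustomobject]@{
                Folder    = $Path
                Identity  = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited   # True: fix it on the parent folder
            }
        }
}

$findings = foreach ($name in $Expected.Keys) {
    $path = Join-Path $SharedRoot $name
    if (Test-Path -LiteralPath $path) {
        Get-UnexpectedAccess -Path $path -Group $Expected[$name]
    } else {
        Write-Warning "Missing folder: $path"
    }
}
$findings | Format-Table -AutoSize
```

An empty table means every Allow entry belongs to the expected group or to one of the administrative principals.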
With drive folders there are several things to remember.
- It seems that it takes two log in / log off events or one restart to get all of the drive mappings implemented. When I did not do this I would sometimes see only a few of the mappings done.
- I also had more success by doing a delete of all network drive mappings before the actual creation of drive mappings.
- It also seemed that the Create action worked better initially than Update.
Further info on Drive Mappings
- Background – https://technet.microsoft.com/en-us/library/dn581924.aspx
- Usage – http://blogs.technet.com/b/askds/archive/2009/01/07/using-group-policy-preferences-to-map-drives-based-on-group-membership.aspx
You should now have an H:, along with some shared folders too.
I should mention that if I was doing this work at a client, and it was greenfield, I would maybe not do home folders like H: but rather just leave things as My Documents, or Documents but do redirected folders. But in my lab I am making this look like a theme based on our customers so drive letters are here.