- Create a share to hold user’s home drives and set permissions (most network administrators are using share name such as Users$);
- Create a security group to apply security filtering in GPO, so all users that are members of this group will be able to create home folder via GPO;
- Create a new GPO and use GPP to create user’s folder (this is in addition to your existing GPO used to map home drives);
- Add drive mappings for the user home drives in the existing GPO;
- Assign link order for the two GPOs, with lower link order for home folder creation GPO and higher link order for home mapping GPO
In my example, I will use my existing GPO (named Login Script GPO) for mapping network drives as described in my blog where I was using GPPs to map network drives base on user’s group membership.
In addition to this GPO, I will create a new one and name it UserHomeDrive. By the end of theconfiguration process, the drive maps settings will be similar as shown in the picture below.
Note: user home drive is mapped to the letter Q:
Mapping a drive based on user name
To map a drive based on a user name your drive mapping location setting should look something like this: \\SERVER\SHARE\%LOGONUSER% and in my example the user’s home drive is mapped to \\TEST-DC-01\Users$\%Logonuser% as shown in the picture above.
When you use Active Directory Users and Computers (ADUC) to map a user drive, this tool will create the user’s directory and set permissions. Unlike ADUC, GPP will only map a drive to the share; it will not create the directory or set permissions. So, you will need to pre-create the user’s directories with appropriate ACLs. For this purpose you can use scrip such as PowerShell script or VBScript which could be shown in one of my next blogs.
Here we will use GPP to create user’s directory and set permissions. First we will need to create a new Group Policy Object and link it to the domain.
Create a new GPO and security group
- Create GPO, assign it to the FilstLocation OU and named it UserHomeDrive.
- Create a new Active Directory security group, something like ‘FirstLocationUsers’. Under Group Policy security filtering, remove Authenticated Users and add your new security group as shown in the picture below.
Create a share folder and set permissions
3. Create a directory that will hold the home folders. In my example I named it ‘Users$’. Ensure that the Everyone is removed and that the Authenticated Users groups have Full Control share permission.
4. To setup exclusive access, go to the directory location of your share. In the advanced NTFS security permissions, remove the inheritable permissions and clear the current ACL. You can then add the following ACL:
SYSTEM = Full Control
CREATOR OWNER = Full Control
LOCAL\Administrators = Full Control
For the Authenticated Users group the following has to be set up ONLY:
Traverse folder; Create folder; Write attributes; Write extended attributes; Read permissions; Change permissions
These NTFS permissions will allow your users to create the folder via the GPO, but they will not be able to browse the share or view any folder other than their own.
5. Then you can add a drive mapping preference item to your GPO, mapping the path \\TEST-DC-01\Users$\%Logonuser%.
6. In the new GPO configure a new Folder under ‘User Configuration‘ – ‘Preferences‘ – ‘Windows Settings’ – ‘Folders’.
7. On the General tab you should select under Action ‘Create’, and the Path should read \\TEST-DC-01\Users$\%Logonuser%. Do not enable any additional items under Attributes.
8. In the Common tab, enable the ‘Run in logged-on user’s security context‘ option.
This will automatically create a folder for the user who are a member of your ‘FirstLocationUsers’ group with exclusive user access to this folder.
Map a drive to user’s folder
Now I will go back to my existing GPO (in my example this is Login Script GPO) for mapping network drives based on user’s group membership. I will repeat the steps as described in my previous blog, but this time I will map the drive letter Q to the following location \\TEST-DC-01\Users$\%Logonuser% .
For the Action you can select ‘Create’ or ‘Replace’, check the ‘Reconnect’ checkbox and click on the Common tab.
On the ‘Common’ tab check two check boxes: ‘Run in logged-on user’s security context (user policy option)’, then ‘Item-level targeting’. This will open Targeting Editor where you will make sure that the user is a member of the security group ‘FirstLocationUsers’.
Assign link order for the two GPOs
Finally, you have to make sure that GPOs precedence order is set up with lower link order for home folder creation GPO and higher link order for home mapping GPO. The link order regulates how policy object are being processed for the linked OU. Lower ranking policy object will be process before the higher ranking object. Here the ‘UserHomeDrive’ with the link order # 3 will be processed first, then the ‘Login Scrip GPO’ with the link order # 2 and so on. This order is necessary because we have to make sure that user’s home drive has to be created before the user’s home drive is mapped. ‘Default Domain Policy’ is processed last , so any policy settings in this policy object are final and will override those configured in policy objects with lower link order (unless inheritance blocking or enforcing is used).
