Well, the answer is actually pretty straightforward, but I don't want to
assume anything, so I'll answer the question in two parts, just in case
there was a nugget of information you weren't aware of.

For the first part of the answer, I'm going to take group policies out of
the equation for a moment and just give a brief overview of how Windows
"sees" mapped drives. When you have a hard drive, a USB drive, floppy, or
other device, that is (I know, stating the obvious) real hardware and thus
has to be associated to the machine somehow. So drive letters are a machine

A mapped drive, however, is really just a handy way to reference a network
location. When you click on the M drive you've mapped, internally Windows
"knows" that this points to a share and opens an SMB connection to
\\server\share. It isn't a "real" drive. You can see this by using a
version of Windows that allows user switching. Log in as UserA, map a
drive...let's say to M, and then "switch" and log in as UserB (with UserA
remaining logged in.) UserB does not have an M drive. So you map the
*same* share to UserB's O drive and switch back to UserA. UserA still has
an M drive but no O drive. This is by design. These are shortcuts and,
like your desktop or start bar, shortcuts are for your convenience and
customizable. You probably don't want the same wallpaper and shortcuts
that Bob does from accounting. He's a slob after all and has all sorts of
Excel links littering his desktop and you, of course, are a neat freak.

So mapped drives are *STRICTLY* user settings. They are stored in the
user's profile and loaded on login and unloaded on logout. The system
accounts, such as LocalSystem, NetworkService, and others do NOT see those
drive letters. They'd just access the network natively. After all, they
don't have a fear of keystrokes like us humans do.

So, with that established (or reaffirmed as the case may be) we can move
onto the second part of the answer. Reintroducing group policies. When you
open a group policy in the GPEditor, there are two distinct sections.
Machine settings and user settings. Now I'm not just talking about
preferences here....the following applies to all group policy settings.

Let's say you expand the machine group policy settings and set a power
management setting. If that policy is linked to an OU that only has users
then that policy will *never* get applied. It is a machine setting and thus
*must* be applied to a machine. Not a machine that a user logs into, but a
machine in the domain that the DC can control.

It may seem to make sense to say "I assigned the policy to a user so that it
gets applied to any machine they log in to." But in practice, does that
actually make sense? If you later set up VPN access for a boss so he can
work from his home machine, he might be a little ticked if logging into the
VPN causes the domain controller to suddenly apply a bunch of machine
settings such as changing his screen saver, making his laptop power down
after 2 minutes, and so on. No. Machine settings are only applied to
machines that exist in AD and are in an OU that the policy is linked to.

So the reverse is also true. User settings are only applied to users, never
machines. To again use an example, you can set a user policy to force IE to
have a specific homepage. Now it won't matter which machine the user logs
into, that setting will apply because it is a user setting. If you assigned
the policy to an OU that only has machines...well...there are no users so
that user setting never gets applied. And again, you may be thinking "I
want the homepage to be http://our-finance-server/sharepoint-homepage
user logs into a computer in the finance OU." But again, you are thinking
about it a little wrong. The point is you want to change a *user's*
homepage so you still need to assign the policy to a user. Machines don't
have homepages (what does LocalSystem need a homepage for!)

You can get the desired effect for *both* examples above by using filters.
Group Policy filters were invented for this reason (long before preferences
existed!) You can filter by security group or write some very fancy WMI
filters to get all sorts of esoteric configurations.

But it still boils down to this single question: Does this setting affect a
machine or just a user ON the machine? And link appropriately. Of course
it is easy to answer THAT question (you don't have to guess) because the
setting you are changing is going to be hierarchically under one of those
two main groups in the GPEditor.

So...to come full circle...where is the mapped drive preference found?
Per-machine preferences have no mapped drive section...so it is under
per-user. And using my rule above, any setting under per-user must be
linked to an OU that contains users.

For the record, your linked policy would've been applied to any USER you
added to the SBSComputers group. An OU can hold a user, a computer, a
security group, etc etc. BUT BUT BUT, by default you should not *have* any
users in that OU because the golden rule in SBS is "use the wizards!" And
the wizard would never put a user in that particular OU. So there you have

"Simon Thomson" <simon@newsgroup> wrote in message
> I also had problems when first trying to Map Drives through group
> I found that if I linked the GPO to the
> MyBusiness\Computers\SBSComputers OU it would not apply but if I
> linked the same GPO to MyBusiness\Users\SBSUsers it worked.
> I was filtering this GPO to apply to certain MACHINES only by creating
> a security group and adding the machines I wanted the GPO to apply to,
> then using Item Level Targeting on each preference to apply the GPO to
> machines in the group only.
> I still don't know why this would only work when linked to the SBSUsers
> OU and would love to be enlightened.
> On Tue, 25 Aug 2009 19:08:54 +0530, DerekJ
> <DerekJ.3xha7b@newsgroup> wrote:
>>I'm trying to get drive mappings to work in SBS 2008 via GPO Prefs.
>>In SBS User Policy\User Config\Prefs\Windows Settings, I've set the
>>location to \\<server>\Public, Set show this drive and show all drives,
>>NO common options set. However, when any user (all Vista clients) logs
>>on the drive is not shown.
>>I've used GPUpdate /force on both the server and client.
>>I've got UAC turned off on my PC
>>I'm logged on as a domain admin
>>Running GPResult on the client PC (seems) to show that the GPO was
>>I've tried the registry setting for EnableLinkedDrives without any
>>Can't see any errors in the event logs
>>Event Logs show that policy was applied
>>Can anyone point me in the right direction?
>>Thanks in advance
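
An added example, not part of the original thread: a small Python model of the scoping rule explained in the reply above, showing why a drive-map preference linked to the SBSComputers OU never arrives while the same GPO linked to SBSUsers does, even with item-level targeting on specific machines. The class, function and computer names (`GPO`, `applied_settings`, `drive_mapped`, `PC01`, `PC02`) are constructed for illustration, and the model deliberately ignores security filtering, WMI filters and link order.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed names for illustration; OU paths follow the ones quoted in the thread.
USERS_OU = r"MyBusiness\Users\SBSUsers"
COMPUTERS_OU = r"MyBusiness\Computers\SBSComputers"
DRIVE_MAP = r"map M: to \\<server>\Public"

@dataclass
class GPO:
    name: str
    linked_ous: set
    user_settings: list = field(default_factory=list)      # "User Configuration" half
    computer_settings: list = field(default_factory=list)  # "Computer Configuration" half
    # Item-level targeting on the user preferences: only on these computers.
    target_computers: Optional[set] = None

def ou_chain(ou):
    """Return the OU and all of its parents, since links are inherited downwards."""
    parts = ou.split("\\")
    return {"\\".join(parts[:i]) for i in range(1, len(parts) + 1)}

def applied_settings(gpos, user_ou, computer_name, computer_ou):
    """Settings in effect when a user from user_ou logs on to computer_name."""
    result = {"user": [], "computer": []}
    for gpo in gpos:
        # Computer settings follow the OU of the computer object only.
        if gpo.linked_ous & ou_chain(computer_ou):
            result["computer"] += gpo.computer_settings
        # User settings follow the OU of the user object only.
        if gpo.linked_ous & ou_chain(user_ou):
            if gpo.target_computers is None or computer_name in gpo.target_computers:
                result["user"] += gpo.user_settings
    return result

def drive_mapped(link_ou, computer_name, targets=None):
    """Does the drive-map preference reach an SBSUsers user on computer_name?"""
    gpo = GPO("Drive maps", {link_ou}, user_settings=[DRIVE_MAP],
              computer_settings=["power plan"], target_computers=targets)
    got = applied_settings([gpo], USERS_OU, computer_name, COMPUTERS_OU)
    return DRIVE_MAP in got["user"]

if __name__ == "__main__":
    print(drive_mapped(COMPUTERS_OU, "PC01"))          # linked to the computers OU
    print(drive_mapped(USERS_OU, "PC01", {"PC01"}))    # linked to the users OU, targeted
    print(drive_mapped(USERS_OU, "PC02", {"PC01"}))    # same GPO, machine not targeted
```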