The previous article covered creating a Group Policy to map a network drive. By default, a drive mapping configured that way appears for every user under the OU where the policy is linked. Stricter control is needed when different users must receive different drive mappings based on conditions such as group membership, operating system, or IP address range. This can be achieved by creating a Group Policy that maps network drives using item-level targeting. With item-level targeting, the administrator applies a drive mapping only to those users who meet the defined conditions.
How to map network drive using item level targeting
In this scenario, Asaputra Corp wants to give its staff different drive mappings based on their team. Security groups have been created as team identifiers: asaputra\G_OPS_RED for the Red team and asaputra\G_OPS_BLUE for the Blue team. All staff use Windows 10 computers joined to the corporate domain, and the domain controller runs Windows Server 2012 R2. A shared folder has been created for each team: \\asaputra-dc1\RED for the Red team and \\asaputra-dc1\BLUE for the Blue team.
The steps below explain how to map a network drive using item-level targeting:
1. Create the policy object to map network drive
Follow the guidance to map a network drive using Group Policy, then add two new mappings to the shared folders, as pointed out by the arrows in the screenshot below:
2. Enable item level targeting
Open the properties of the Red team's drive mapping and click the Common tab. Tick the Item-level targeting option, then click the Targeting button.
3. Set the conditions
In the Targeting Editor window, click New Item and select Security Group.
Enter the Red team's security group name in the available field. Make sure User in group is selected in the options. Click OK to save the configuration.
Repeat Steps 2 and 3 for the Blue team's network drive, using the corresponding security group.
4. Apply policy and verify the result
Once the policy has been applied, Red team users receive this mapping:
while users from the Blue team receive this mapping:
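To check the result of Step 4 from a client without reading the screenshots, the following PowerShell script (an added example, not part of the original article) compares the groups in the logged-on user's token, which is what the "User in group" condition is evaluated against, with the drives actually mapped in the session. The group and share names come from the scenario above; the drive letters R: and B: are assumed, since the article does not state them.

```powershell
# Added example: verify that each user received the drive mapping matching the
# team security group used in the item-level targeting condition.
# Assumptions: drive letters R: and B: are placeholders (not given in the article).
$Expected = @{
    'ASAPUTRA\G_OPS_RED'  = @{ Letter = 'R:'; Path = '\\asaputra-dc1\RED'  }
    'ASAPUTRA\G_OPS_BLUE' = @{ Letter = 'B:'; Path = '\\asaputra-dc1\BLUE' }
}

# "User in group" targeting is evaluated against the logon token, so read the
# token groups (which include nested memberships) rather than querying AD.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = foreach ($sid in $token.Groups) {
    # Translate each group SID to DOMAIN\Name; skip SIDs that cannot be resolved.
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
}

# Drive mappings present in the current user's session (SmbShare module, Windows 8+).
$actual = Get-SmbMapping -ErrorAction SilentlyContinue

foreach ($group in $Expected.Keys) {
    $inGroup = $tokenGroups -contains $group   # -contains is case-insensitive
    $map = $actual | Where-Object { $_.RemotePath -ieq $Expected[$group].Path }

    if ($inGroup -and $map) {
        $status = 'OK: member, drive mapped'
    } elseif ($inGroup) {
        $status = 'MISSING: member but drive not mapped (check gpresult /r /scope:user)'
    } elseif ($map) {
        $status = 'STALE: not a member but drive still mapped (see "Remove this item when it is no longer applied")'
    } else {
        $status = 'OK: not a member, no drive'
    }

    [pscustomobject]@{
        Group     = $group
        Share     = $Expected[$group].Path
        LocalPath = ($map | ForEach-Object LocalPath) -join ','
        Status    = $status
    }
}
```

Run it in the user's own session (not elevated), because the token groups and the SMB mappings both belong to the logged-on user.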
Best practices to map network drive with item level targeting
As can be seen in the screenshot above, the Targeting Editor also offers other properties that can be used as conditions, such as free disk space, operating system version, registry values, and queries against other properties. These conditions can be combined with AND or OR logic. To match the inverse of a condition (for example, the user is not a member of the specified group, or the user is not running Windows 10), the condition can be negated with the NOT expression. It is not hard to understand once it has been practiced.
There are also other options on the Common tab that are useful in combination with item-level targeting when mapping a network drive. These options are listed below:
- Remove this item when it is no longer applied: A very useful option. When enabled, the drive mapping is removed when the user no longer meets the condition specified in the Targeting Editor, or when the policy link is removed.
- Apply once and do not reapply: By default, a Group Policy preference action is repeated every time the policy refreshes. Enabling this option stops that behavior. This is useful in cases where the policy is intended to apply only once, for example when deleting a mapping and creating a new one.
Item-level targeting and the other options on the Common tab are available on many Group Policy preferences, including Drive Maps. In this case, we have successfully leveraged these options to map a network drive to specific targets using Group Policy.