Server 2012 / 2008R2 Policies / Shared Drives / Mapped folders

[zeta_immersion]

I have a Standard 2012, but the server version not that important. 

 

Basically what I would like to do is this.

 

\\serverName\ (I get prompted for a Username/Password). Now!!!! .. based on that Username I would like to have certain folders with specific read/write access and nothing else visible. (The user can have the computer added to the domain but since it is a local network, I can chose to leave it on WORKGROUP and have it access the server on a per map basis.

 

I have read I need a GPO ... which I believe I created one (with 2 mapped drives and nothing else changed) but not sure how to link a GP to a folder and give it specific rights (read/write). 

Is there a tutorial? or something to look at as a reference? 

[xendrome]

Create your shared folders as "username" then use GPO to map with "\\server\%username%" is that what you are trying to do?

[zeta_immersion]

Create your shared folders as "username" then use GPO to map with "\\server\%username%" is that what you are trying to do?

 

So lets have the following scenario:

 

Username1 and Username2 are 2 different distinct users 

Folder1, Folder2, Folder3 are 3 distinct folders (not shared)

 

I would like Username1 to have read/write access to folder1(2,3)

I would like Username2 to have read access to folder1 and read/write access to folder2 (no access and not shown folder3)

[sc302 Veteran]

It doesn't matter if it is 1 user, 2 users, 5 users, 1000 users, or a billion users.  This is the point of Active Directory, to be able to assign permissions based on who logs in and/or what groups they belong into. 

 

Set it up right and you will be able to do exactly how you want it.  It takes all of 15 minutes, if you know how to do it.

 

I could remote in and have this done in no time for you.

 

 

Otherwise you will have to have local policies or scripts that run that maps to the folders to make life simple.  Cant run a domain gpo to map a drive when they aren't on the domain unless you are using a local gpo to run a logon script which you could also put in the startup folder, negating the need for a logon script gpo entry.

 

something like this in a logon script would work

 

net use o: \\servername\username /user:servername\username password

 

or

 

net use o: \\servername\username /user:domainname\username password

[zeta_immersion]

although I can use scripts, for home use I have other options. however, I wold like to explore others to learn more:

 

At the moment I have the following.

 

In AD I have a group Called Home Users, in chich I have placed Computers and users (both populated with 2 of each).

In GPM (Group Policy management) I Have created an OU Home users with Computers and users in it. Under users I have created a Policy Everyone where I have mapped it to one folder for testing with  only one user in AD.

 

That guy is not getting the map, not sure why.

[sc302 Veteran]

First you need to have all computers joined to the domain and make sure that you are logging in with a domain user not a local user.

 

It will be easier to keep the users and the computers separate, you will never see them co-mingle in a corp environment even in a sbs environment you will not see this. 

 

When you assign a group policy to an OU, only those under that OU will be effected.   It is much better practice to use a top level OU and apply policies based on groups (taking out authenticated users).  Groups can include computers or users, I would not recommend using both in the same group.  Separate the policies out based on computers or based on users.  The Computer Configuration portion of group policies only get applied to computers, regardless if you are trying to apply the policy to users, the User Configuration  portion of group policy only gets applied to users regardless if you are trying to apply the policy to computers.

 

Basically, the user section will only ever get applied to users, the computer policy will only get applied to computers and servers.

 

Keep it simple, keep the tree simple and you will not have problems.  It looks like you are starting to over complicate things without knowing the ramifications of doing so.  The defaults are plenty simple enough.  Everything in AD trickles down not up.  As you start in the tree and start drilling down, anything that is getting applied to the top level will trickle down to the levels you are opening....if you are opening things below and are trying to get them to apply above, it will not work...and it will not cross over to other OU's, it needs to be above the ou you are in to trickle down to it.

[sc302 Veteran]

also, if you are using the map drives gpo it will not get applied to windows xp computers/users.  It is for Vista or above.

 

You are much better doing it with a kix script or a vbs script if you have that old of a computer.

[sc302 Veteran]

One thing that I forgot to mention and it is every novice admins #1 mistake...the DNS on the network can only be that of the AD server. There should be no other Dns entry in the tcp/ip properties of any computer including the server. The server should only point to itself. All Dns requests are handled by the DNS server which is the AD server, including Internet DNS requests. This is handled out of the box without any other config, just point Dns to the AD server and have no other DNS servers listed, not even as a secondary Dns.

[zeta_immersion]

was able to get it going through the script net use. so far so good, will get back to the GPOs later when I'll have more time to experiment.

 

I do have 2 DNS's, though the server DNS so far deals with the same subnet as the router one but have placed it 1 octet above

[sc302 Veteran]

Anything that is on the domain must have the server as its only Dns. Internet name servers do not know anything about your internal network and will not be able to resolve computer names. The domain controller knows about the Internet root servers and will redirect any requests to them if it cannot resolve internally.

If you want a show and tell session we can setup a http://join.me session and I can walk you through/help troubleshoot anything that doesn't work or make sense.