In this guide, I’ll show you step by step instructions on how to map network drives with Group Policy.
If you’re still using login scripts then it’s time to switch to Group Policy.
Mapping drives with group policy is very easy and requires no scripting experience.
Bonus: It can actually speed up the user logon process.
I’ll show you two examples: the first maps a drive for a department, and the second maps a drive for individual users.
In addition, I will use item level targeting to map drives based on specific conditions like group membership, OU, operating system, etc.
Logon Scripts VS Group Policy
The ability to map a network drive with Group Policy was introduced in Server 2008.
Logon scripts are a thing of the past.
Logon scripts can actually slow computers down. Yes, group policy is faster.
Unless you have some crazy complex script that does something that Group Policy cannot do then there is no reason not to use it.
Mapping Drives with Group Policy has the following advantages:
- It’s much easier than logon scripts. It uses checkboxes and drop-down lists, so there is no need to understand scripting.
- It’s scalable. GPO mapped drives can handle very large Active Directory environments.
- It’s very flexible. With item level targeting you can target groups, users, OUs, operating systems, and so on.
- It’s easy
Now let’s move on to some examples of mapping drives with group policy.
Example 1: Map a Department Network Drive Using Group Policy
In this example, I’m going to map a network drive for the HR department. I’ll use item level targeting so it only maps this drive for users in the HR organizational unit.
You could also use a Security Group to target a specific group of users. This will map to a network share that only the HR department has access to.
Step 1: Create & Link a new GPO
1. Open the Group Policy Management Console
2. In the Group Policy Management Console, Right Click and Select “Create a GPO in this domain, and Link it here”
TIP: This will be a user-based GPO, so make sure you link the GPO to a location that will target the users. I have all of my users separated into an OU called ADPRO Users, so I’ll create and link the GPO there.
3. Name the new GPO
You can name the new GPO whatever you like. I’ve named mine “Users – Mapped Drives”.
I can later add additional drive mappings to this GPO.
The new GPO is now created and linked. Now it’s time to configure the settings.
Step 2: Configure GPO Settings
1. On the GPO right click and select edit
2. Navigate to User Configuration -> Preferences -> Windows Settings -> Drive Mappings
3. Right Click Drive Mappings, Select New -> Mapped Drive
4. Configure Drive Mapping Properties
General Tab Settings
- In location put the path to the share/folder you want to map a drive to.
- Select a drive letter
- Choose Update for action
- Label as: This is optional but may be beneficial for users.
Common Tab Settings
Select “Run in logged-on user’s security context”
Select Item-level Targeting
Click the Targeting Button
Select New Item
Select Organizational Unit, then select the OU you want to target
Click OK, Click OK again to close the new drive properties
This completes the GPO settings
Step 3: Reboot Computers to Process GPO
For the GPO to run I will need to reboot the user’s PC or run gpupdate /force. The next time a user from the HR department logs in they should see a mapped drive.
I’ve rebooted the computer, now I’ll log in with an account that is in the HR organizational unit.
Once logged in, I will go to File Explorer and check for the mapped drive.
It works.
Now, any user I put in the HR OU will get this mapped drive. If you don’t want to use an OU you can also target a group of users by using a Security group.
Example 2: Using Group Policy to Map a Drive for Individual Users
This example will map a drive for individual users. This will give the users their own personal folder to save files.
You can create a new GPO or add to your existing one, I have all my drive mappings in one GPO.
This example requires a folder to be set up on a network share that matches the user’s logon name. You will want to modify the NTFS permissions so the individual user is the only one that has permissions to it.
I’ll be using Mark Foster as an example, the logon name is mfoster so I’ll need a folder setup on a network share called mfoster.
I’m not going to repeat every step, I’m basically starting at Step 3 from the first example.
Step 1: Create a New Mapped Drive
Here are the drive map settings for mapping a drive for an individual user
The %UserName% is a variable that will match the user’s logon name.
Just to be clear, you must have folders set up on a network share that match the location and the user’s logon name.
My file server is file1, the share is users, and in the users folder is a folder for each user. Screenshot below of the users folder on the file1 server.
That is it.
Just have the user log off and back on and it should map the M drive.
Perfect! Now the user is mapping a department drive and a personal drive.
I hope you found this guide useful. If you have questions or comments post them below.
Great article!
Would it be possible to do the same but point to a OU for computers and attaching the drive to computers rather than users?
What I want to achieve, is I want a PC to have a drive available to all users that connect to it.
Are there any way to do that?
Thank you
The drive mapping is a user configuration only. You would need to enable loopback processing so it will process for all users that login to the computer.
Hi there Robert,
I am struggling to understand the difference between the Replace and Update action.
If Replace is used, does it mean that every time the GPO gets applied to users in an OU, it removes the drive and maps it again?
Through some research, some say that the Replace action causes the user’s file explorer to quit randomly and changing it to Update fixes the issue.
If Update is used, does it mean that every time the GPO gets applied to users in an OU, it doesn’t remove the drive but only updates settings defined within the preference item? What happens if there are no changes made to the settings?
Cheers,
Chris
Replace means the GPO setting will delete and recreate the object every time it is applied, regardless if anything is changed or not.
Update means the GPO setting will only modify the object if there is a change made to the settings.
Hope that helps.
Assume in the latter part of this sentence: “It’s scalable, as big as your Active Directory will grow logon scripts will scale no problem.”
You meant GPO.
Either way thanks for the article.
Yes. Thanks for pointing that out. I have updated it.
Hello,
My drives map only to users who are domain administrators, on regular domain users, after logging in, the drive does not map, after gpupdate the drive appears. After re-login it disappears, only maps after using gpupdate.
Any idea?
Enable “Reconnect” on the general tab.
Hi Robert,
I have the same issue as Sebastian. “My drives map only to users who are domain administrators, on regular domain users, after logging in, the drive does not map, after gpupdate the drive appears. After re-login it disappears, only maps after using gpupdate.”
I have Reconnect enabled in the general tab but the issue is still there. Any suggestion what may be causing this issue?
Thanks.
Can the account browse to the UNC share? This would be to verify the user account (without domain admin rights) has permissions to the folder path.
Can the account browse to the UNC share? — Yes
This would be to verify the user account (without domain admin rights) has permissions to the folder path. — User does not have admin rights.
Thank you,
1. Reboot and login with the user account (without admin rights).
2. Run the rsop command and review the results. Are the GPO policy settings applying?
If yes then the GPO is working and you most likely have a permissions issue.
I have created a shortcut for the mapped drives which works fine.
It’s just the mapped drive and its drive letter not showing.
We had a logon script which we used to map drives before – I am not sure if that is causing the issues.
Any suggestions would be appreciated.
1. Reboot and login with the user account (without admin rights). – Done
2. Run the rsop command and review the results. Are the GPO policy settings applying? – GPO Policy is applying
If yes then the GPO is working and you most likely have a permissions issue.
Network drives are slow to load on my laptop device. It takes around 30 sec to get the list of all drives. How can I fix this issue? Thanks
1. How many GPO’s do you have?
2. Are you using logon scripts?
3. Do you have fast connectivity to the DC and file server?
Thank you for replying.
1. How many GPO’s do you have? -> I have 28 GPOs but if I connect Laptop through RJ45, it’s working fine without problem.
2. Are you using logon scripts? -> I have disabled login scripts
3. Do you have fast connectivity to the DC and file server? -> Yes, after load the network drivers list, I can access to the DC and file server and open documents normally.
Our network drives have a username and password to get into them. I am not afforded the opportunity to add them during the setup process, as they are grayed out. Any ideas to enter that data?
This does not work for me
Have you tested if you can access the shared folder?
Using Group Policy to Map a Drive for Individual Users:
Is it possible to map personal folders without manually creating a folder on a network share that matches the user’s logon name?
You can use the F3 button in the GPP drive map path field to view the allowed variables ^)
For username you must use the %LogonUser% variable…
“Just to be clear you must have folders setup on a network share that matches the location and users logon name.”
And how do I create the individual folders automatically? It isn’t very efficient to create them one by one, especially when you decide to implement that in a domain with potentially thousands of users already, and creating them manually for each new user is also not a viable solution, that is just inviting problems.
You are correct you need a folder that matches the user’s logon name.
To bulk create these folders you could use PowerShell. You could loop through a csv that has all the logon names to quickly create the folders.
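The bulk folder creation suggested in the reply above, combined with the article's requirement that each folder matches the logon name and that the individual user is the only one with NTFS permissions on it, as an added example (not the author's script). Assumptions: a users.csv file with a SamAccountName column, EXAMPLE as a placeholder NetBIOS domain name, \\file1\users as the share root from the article, and SYSTEM plus the file server's Administrators group kept on the ACL so backups and administration still work.

```powershell
# Added example, not the article author's script.
# Assumptions: users.csv has a SamAccountName column; EXAMPLE is a placeholder
# NetBIOS domain name; \\file1\users is the share root used in the article.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$CsvPath   = '.\users.csv',
    [string]$ShareRoot = '\\file1\users',
    [string]$Domain    = 'EXAMPLE'
)

# Well-known SIDs avoid depending on localized account names.
$system = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-18')      # Local System
$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')  # BUILTIN\Administrators

# Rules apply to the folder itself, its subfolders and its files.
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-FolderRule($Identity, [System.Security.AccessControl.FileSystemRights]$Rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $inherit, $noProp, $allow)
}

foreach ($row in Import-Csv -Path $CsvPath) {
    $name = "$($row.SamAccountName)".Trim()

    # Conservative allow-list: a bad CSV row such as "..\hr" must never
    # become a path outside the share root.
    if ($name -notmatch '^[A-Za-z0-9_-][A-Za-z0-9._-]{0,19}$' -or $name.EndsWith('.')) {
        Write-Warning "Skipping invalid logon name '$name'"
        continue
    }

    # Resolve the account to a SID first, so a typo in the CSV does not
    # leave behind a folder that nobody owns.
    try {
        $user = (New-Object System.Security.Principal.NTAccount($Domain, $name)).Translate(
            [System.Security.Principal.SecurityIdentifier])
    } catch {
        Write-Warning "Skipping '$name': account does not resolve in $Domain"
        continue
    }

    $path = Join-Path -Path $ShareRoot -ChildPath $name
    if (Test-Path -LiteralPath $path) {
        # Existing folders are left untouched; their ACLs need a manual review.
        Write-Warning "Skipping '$path': folder already exists"
        continue
    }
    if (-not $PSCmdlet.ShouldProcess($path, 'Create folder and set user-only ACL')) { continue }

    New-Item -ItemType Directory -Path $path | Out-Null

    # Disable inheritance and drop the inherited entries, then grant access
    # only to the user, SYSTEM and Administrators.
    $acl = Get-Acl -LiteralPath $path
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-FolderRule $user   'Modify'))
    $acl.AddAccessRule((New-FolderRule $system 'FullControl'))
    $acl.AddAccessRule((New-FolderRule $admins 'FullControl'))
    Set-Acl -LiteralPath $path -AclObject $acl

    Write-Output "Created $path for $Domain\$name"
}
```

Run it with -WhatIf first to list the folders it would create without touching the share.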
How do you handle switches at the end of the drive map?
For example; Net Use G: \\server\share /writethrough
Would you add the /writethrough switch in the location box?
What happens when a user moves to a new department?
Example:
HR has access to the H drive only.
Finance has access to the M drive only.
John starts his career in HR, so he gets the H drive. A few months later John moves to Finance. So IT moves John to the correct group in Active Directory.
Now John shows both mapped drives, but can really only access the M drive due to security restrictions on the shared folder for HR.
What’s the easiest way to setup drive mapping so that as John moves from department to department his old drives don’t still show?
Thank you so much! Exactly what I was looking for. You made my day!!
How do you get remote users (road warriors) updated with gpupdate? You can’t if they’re not logged in, right? What if, as a security measure , updating policies remotely is disabled on the client machine? Not too far fetched in this day and age of sophisticated hacking.
Logon scripts still have a place, and may very well always be needed when the logon controls, for whatever reason, have to be kept on the server.
A lot of remote workers use VPN to connect to their network, this would allow accessing the domain controller and gpupdate.
To my observations here, VPN sessions are established past the Windows logon. Not sure DC/AD would work in that setting.
We have a shared drive I have permissions to, but I log in to multiple PCs to troubleshoot and regularly need access to this drive. Can this be used to map to my username to an already shared drive so I don’t have to type it out every time I log in to a new PC or map it? Thank you so much!
Yes. If you configure this group policy it will map the drive on every computer you log into.
I’ve been using Group Policy to map drives for a while without issue. All of a sudden the drive mappings aren’t working. I’ve tried with different computers to no avail. I’ve added a user to the group and logged with that user and it maps correctly. However all of the current users that were in that group won’t map the drive now. I’ve looked at gpresult -r and it shows that executed the GPO but yet it doesn’t show. I can manually map the drive so I don’t think it’s a permissions issue? How do you troubleshoot something like this? Thoughts? Thank you in advance.
About the time you were reporting, I have observed issues that Win 10 would have against SMB1 shares wherever “reconnect” option would be active. Happened at several locations in the same manner. Removing “reconnect” and mapping the drives did work clean. Must be a bug.
This article and the instructions are a life-saver. Thank you, Robert!
This is a really great article. We have a server that is not part of the AD Domain. I need to map a drive for users based on their AD group membership, that’s easy, but I need to connect as a specific user on the destination server along with that AD security group choice. Since Microsoft deprecated the ability to connect as when setting up a mapped drive, what are my options?
I’m not sure what to write in the location section. should i write the path of any folder in the server that i want to share? like: D:\PM\projects ?
The path to the UNC share. If you haven’t shared a folder you will need to create a share on your server first. UNC share looks like this \\server1\folder
I have followed each step but the drive didn’t appear!
Also, I’m not sure what to write in the location section. Should I write the path of any folder in the server that I want to share? Like: D:\PM\projects ?
Local is the path to the shared folder. Make sure you have the path shared and your users can access the UNC path.
Hi,
Is it possible to integrate the UAC before adding map drive?
In Microsoft, adding map drive which not including activities to trigger the UAC.
Thanks,
-Anthony
You could apply a separate GPO to set the UAC settings, wait a while for all computers to get this policy then apply the map drive GPO.
I have my UAC settings set to always “always notify” and have not experienced any issues with mapping drives using this method.
In our company location where three departments (IT, Accounting, HR) are located, the departments are different IP
blocks but in the same “subnet” (192.168.0.0/22). To IP blocks where departments are located
There will be an automatic map with the startup-script for the specially opened “File Share” and “Printer Share”. One
the IP address will automatically change when the user switches to the other department, so the new
The department’s “file shares” and “printer shares” must be “maps”.
How can I do with script?
Don’t use a script, use the method I show in this tutorial. You can easily map file shares to specific users using the item-level targeting.
We have a need to assign drives by department, so we use AD security groups to accomplish that. In addition, some of the people in the department need access to an additional drive (the other users should not have access to the drive). I can secure the drive and show to all but deny to some, but would prefer to run a subsequent GPO for the second drive. I have set this up but the second GPO that maps drives doesn’t work. I have been through the syntax and that doesn’t appear to be the problem. Is running multiple GPO’s like this not allowed?
Hi Paul,
Multiple GPOs should work fine. Try running the commands gpresult /r to see if the GPO is getting applied.
I put all my drive mappings into a single GPO and use item-level targeting -> “Security groups” to map drives for a specific group of users.
For example, say I have 100 users in the sales department. I configure the GPO to map a department drive to all of these users. I could target the sales OU or a security group for the sales department. Then I have 20 users in this department that need a separate drive mapped. I would put these 20 users in a separate security group (sales_vip_sg) then configure a new mapped drive in the same GPO, choose item-level targeting -> Security group and select the group “sales_vip_sg”. This will map a separate drive to the 20 people that are in the “sales_vip_sg” group.
Hello, this is excellent as I am taking on an issue with mapping Home drives that we’ve been having, well I should say not mapping! We mainly use ADUC to map the Home drive but it doesn’t always work. So for backup we want to also have a GPO.
We have about 70 locations with over 2000 employees. Every employee gets a Home drive but not all Home drives are in the same folder, and some may not even be on the same server, but they are all on the same domain. Example
John Smith Home drive path: \\domain\serverA\Home\Site1\Jsmith
Jane Smith Home drive path: \\domain\serverA\Home\Site3\janesmith
Billy Smith Home drive path: \\domain\serverC\Home\Site12\bsmith
I only want to create one GPO for all users which will cover all these differences, is it possible?
Thank you
Does everyone in a department or same location go to a specific server? You can use the item-level targeting to get very specific with the mapping.
Robert,
I just wanted to say that dude… you are a freaking lifesaver and tip my cap to you, good sir.
Thanks Matt.
Thank you so very much for making document so easy to follow and everything worked great during my migration. Thanks Again.
Hello.
This is a great tutorial 😉
I mapped drive using this GPO. (e.g. N: )
But I need to add a path for this mapped drive (setx path N:\Apps).
How to do it?
Thanks a lot for your advice!
Do you mean to add a path to what is displayed? If so you can use the “label as” field to put a custom label for the user.
We use “G” drives for departmental drives and are using “Update”. What if a user changes departments and the G drive has a new path, using Update shouldn’t it change the drive path?
Hi Tom, that is correct. It should update to the new path.
Here is a good MS article that explains the GPO actions.
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581924(v%3Dws.11)#attributes-2
This article is exactly what I was looking for to get info about doing this.
I did have a question regarding scalability. My enterprise has about 2000 shares that I will eventually be managing. I currently have about 1000. We have had other misc issues with group policy mainly due to mismatched AD configurations since we had mergers and acquisitions going on but no one dedicated to figuring it out until now.
I wanted to know if there was any threshold concerns with how many shortcuts one GPO manages. My thought was to create a separate policy for each of our locations that have around 10-15 departmental shares to be managed and use item level targeting as we use their computer names to help identify departments for support.
I was also thinking about that from a troubleshooting perspective. If I have one policy with 1000 shortcuts in it and there’s a typo, it’ll be a bear to find.
That is an insane amount of shares and a security nightmare. I’ve never done a GPO with that many shares, I would expect that to cause issues or really slow down computers. If it was me I would try to reduce the number of shares, I typically set up only one share per department, then use security permissions to lock it down further if needed. Make sure you’re not using the Everyone group to apply share or security permissions.
Each department can have different subfolders but the only shared folder is the root department folder.
HR <-- shared folder
-Users
-User1
-User2
-Dept
-Subfolder1
-Subfolder2
-Training
-Policy
-Vacation
Sales <-- shared folder
-Users
-Users1
-Dept
-subfolder1
-Videos
-Training
We have thousands of project shares across multiple sites. We use shortcuts for each share. The security ACL on each shortcut is the same as the security ACL on each NTFS folder system. We place ALL shortcuts on a network share in each site. At user logon (user security context) the process just copies ALL shortcuts *.* to the users home drive H:\My Project Shares. The user only gets the shortcuts depending on their AD Group Membership. Some users only have 2-3 shortcuts whilst others have more. No one ever gets above 20 shortcuts but there is no limit. The folder H:\My Project Shares only has 1 shortcut placed on the users desktop to keep it visually tidy & efficient.
It was very useful to me. Thank you!
OK, what am I missing? I followed the steps to the letter and when I run gpupdate /force on my computer the drive gets mounted for me. BUT I am not in the Local Security Group I used/wanted to get the drive?
If the user is in the OU that was used for item level targeting then it will get mapped. If you set the shared and NTFS permissions up the user should not have access but would still map the drive.
If you don’t want the drive to map for a user then change the settings in the item level targeting.
A twist – the Client Side Extension (CSE) for GPP drive mapping (as well as the CSEs for Software Installation, Folder Redirection and Disk Quota) will not run asynchronously and background refresh doesn’t apply. At least, I have not found a way to make any of them run asynchronously or at VPN logon. I tried some reg tweaks to set the GPP mapping CSE to run asynchronously but that doesn’t seem to help.
This means that people who always work remotely and connect via VPN after local login is complete will not process those four Client Side Extensions when they connect to VPN – because the local logon event has already occurred. Because these CSEs are by default set to run synchronously, they can cause logins with cached credentials off the network to be very slow, until the logon processes eventually time out, and the GPP’s will not refresh later when a connection to the network is made.
I am currently looking for a way to force mapping GPP’s to work for remote users who connect using VPN when they need to. It may require a separate method just for computers that connect via client-to-site (sometimes referred to as “dialup”) VPN. I really don’t want to revert anyone to using logon scripts.
This also causes issues with many if not all computer policies – because the connect to VPN event is not seen as a computer logon event, synchronous computer policies will not apply, even with a gpupdate /force – and they don’t cache and apply later when the computer starts up off the network.
If anyone has a solution that does not entail kludgey workarounds which in my opinion include use of Logon Scripts, I am all ears.
If these GPPs can be pushed to local policies, and local policy processing not disabled, would that work – or would the initial logon sit there for hours waiting for all the mapping GPPs to fail before letting the user log into their computer?
Hello Jim,
I have resolved this problem by enabling the specific option to the VPN client ( I have used it with Cisco anyconnect, checkpoint and fortigate) so the user can login with VPN before logon on windows 10 & 11 .This option will enable at boot, an extra network icon( VPN), so once you connect to WiFi or lan, first connect with VPN and then login. The group policy will then apply.
Due to security constraints, our VPN is not allowed to connect until after user authenticates with multifactor sign on, so this solution does not resolve the issue.
How to map drives after logon is completed?
Logon scripts could do this with either timed delays or with event monitoring, but GPO drive mapping has no such options.
You would need to run a script after authentication. Years ago cisco anyconnect had an option to run a script after connecting via VPN, not sure if other VPN clients have this option.
I use scripts to map network drives but now since we added another location, I’m looking into mapping drives based on the domain site location. Is this possible?
for example, if I’m in location 1, I would have the A drive. then if I travel to location 2, the A drive would be gone and I only see drive B.
Thanks.
Assuming location a and location b are on different networks you could use item level targeting and map a drive based on IP address?
Why not always map them?
I love to use the %UserName% method. However my mapped drives were shown all over in my server directory when a user runs “\\servername”. Is there any way that we can stop it listing in the directory? As we have over 200 users, and it’s listing a lot of folders in a sense
You will need to modify the ntfs permissions for each folder and only give the individual user access to it.
\\servername\%UserName%$ may work
Adding $ to shared folder name will make it hidden
How can this be leveraged to handle individuals with different mappings within an office?
We’re moving away from login scripts to GPO mappings, but over the decades many staff have been given individual login scripts to sub-folders on their own or other office’s home drives. Say someone in Budget needs a mapping to Research’s home drive or a sub-folder therein. They currently have scripts for each office, then those scripts were copied and renamed for individuals with extra and specific mappings. Frustrating that it was permitted in the first place.
Thanks
You can use targeting for this. You could map a drive to a group of users based on OU, security group, site, operating system and so on. For example all users in marketing map an N drive but say you have 5 people in marketing that need to map another drive to another location. You can create a security group put these 5 users in it and create a new drive mapping policy that targets the security group. Then only members of this group will get this drive. Hope that helps.
It is not working for me. I have a Security Group with 10 users and try to map a drive that targets the security group but no luck 🙁
Try these troubleshooting steps
https://activedirectorypro.com/group-policy-guide/#troubleshooting-group-policy
Make sure the policy is linked to the correct user OU that contains the users that belong to the security group you are targeting as mentioned under EXAMPLE 1>STEP 1>Bullet 2 “TIP: This will be a user based GPO so make sure you link the GPO to a location that will target the users. I have all of my users separated into an OU called ADPRO Users, I’ll create and link the GPO there.” It won’t work if you do the Item-level targeting without linking it to an OU in GPME.
I would assume that if I already used logon scripts for the user home drives that I should remove those and then apply the GPO’s and that the user permissions on the home drives (previously created by logon scripts) would not change ?
Great Article. Helped a lot
Can I re-use a drive letter if I am targeting a different OU or Security group? For instance, I use “S:” to map one shared folder to users in one OU and use the same letter “S” to assign to another resource targeting a Security group.
Ben, yes you can do that. I use the same drive letter for each department and target the OU.
Hi, How I create share folder client desktop using GPO.
Can you explain why you chose the update option, instead of Create?
Update will create the object if it doesn’t exist, it also allows the object to be updated later if I change it. So it works like create plus allows updates. Using the create option does not allow updating the same object.
When using group policy preferences I almost always use the update option.
The variable that you can use in GP Preferences is %LogonUser%. There’s a great shortcut that you may want to use while editing GP Preferences: press F3 to show a list of all usable variables.
Sam, thanks for info. I did not know about the f3 option.
Just wanted to say thank you SO much for posting this – I spent many hours racking my brain wondering why %username% didn’t map my drive and then, boom, pressed F3 after seeing this! Awesome! 🙂
some user have not personal drive , how to set ?
my login script:-
if exist \\server1\%username% NET USE P: \\server1\%username% /Y
My %username% variable is not working on the server mapping drive, like you did in the screenshot you sent to me.
What OS version is the server running? Can you log into the server, open up command prompt and type
echo %username%
Does it return the username?
Yes, it returns the username, but the Home folder is still not appearing in the system
Same Here, OS Server 2008 R2 / Client Windows 10