4. Give the policy a name, for example, UPO_Drive_MAPS
5. Edit the new policy (right-click on it and choose Edit)
6. Expand Preferences > Windows Settings under the User Configuration.
7. Right-Click on Drive Maps and choose New > Mapped Drive

In the New Drive Properties dialog, we will need to configure a couple of options. The first one is the action. Let me explain the differences between each action:

• Create – Creates a new mapped drive
• Replace – Recreate a mapped drive. If it doesn’t exist, it will create it. Otherwise, it will overwrite the existing drive mapping.
• Update – Modify an existing mapped drive or create it. The difference between Replace and Update is that it only updates the settings defined within the preference item. All other settings remain as configured on the mapped drive.
• Delete – Removes a mapped drive

The best option is to use Update when creating the mappings. This way you are always sure that the user will have the correct drive mapping. The potential problem with Replace is that it may disconnect the drive briefly every 90 mins during the GPUpdate cycle. This can cause problems with specific applications.

Tip

Create a CNAME record in the DNS server for the file server. The CNAME record is an alias and makes it easier to move the shared folders to a new server later on.

8. Set the action to Update
9. Enter the location of the share
10. Make sure Reconnect is enabled
11. Optional, enter a label for the folder
12. Assign a drive letter. I prefer to use a fixed letter, users tend to remember drive letters better 😉

The option Hide/Show this drive in the lower left corner allows you to create hidden drive mappings. This can be useful when you need to create a drive mapping for an application, but don’t want to give the user direct/easy access to it. Hidden drives can still be accessible by the applications (although I recommend just use the UNC path in the application if possible)

Item-level targeting

We will now need to configure the Item-level targeting and enable the user security context for the mapped drive. The first will make sure that the drive mapping is applied to the user’s account. The Item-level targeting ensures that only specific users or devices gain access to the drive mapping, instead of all users.

Good to know is that you can re-use drive letters when using Item-level targeting.

1. Click on the Common tab
2. Enable Run in logged-on user’s security context
3. Enable Item-level targeting
4. Click on Targeting…

Targeting can be done on a lot of conditions and we can even apply multiple conditions with AND or OR statements. The most common however is to apply the mapping based on Security Groups, OU, or specific users.

For example, to give all users that are members of the IT security group access, we can configure the following:

4. In the Targeting Editor click on New Item
5. Choose Security Group
6. Select the security group from the Active Directory

As mentioned, we target multiple groups. Let’s say we want to map the network drive to not only members of the IT department but also Management.

6. Click again on New Item and select Security Group
7. Select the group Management in this case
8. With the management row selected, click on Item Options and choose OR

The mapping will now be applied to users that are either members of the IT or management security group.

Advanced Item-level Targeting

The item-level targeting also allows you to create collections. Collections are a group of rules that need to be true in order for the collection to be true. The advantage of collections is that you can create different combinations and test each of them.

For example, we want to create a drive mapping that is being applied to all IT members or to users that are members of the security group Management and are working on a computer in Amsterdam.

For the IT department, we can use a normal rule based on the security group. But of the management we will need to create a collection:

1. Click on Add Collection
2. Set the Item options to OR for the collection
3. Right-Click on the collection and choose add targeting item > Security Group
4. Select the managent security group
5. Next, click again on the collection > add targeting item > Organization Unit
6. This time select the OU with the computers in Amsterdam
7. Make sure that you apply the rule to Computer in OU

Using Variables in Drive Mappings

Good to know, is that you can also use variables when creating drive mappings. For example, when you offer a home drive (personal folder) on the file server, then we can use the user’s logon name in the folder location path.

To see which variables are available, press F3 when you have the New Drive Properties dialog open. This will give you a list of all options that you can use. Always make sure that you enable the option Run in logged-on user’s security context under the Common tab.

Assing the new GPO

After you have created the new GPO, we will need to verify it, optimize, test, and assign the policy. The first step is to verify the settings. Open the Settings tab of the GPO and verify the configuration.

The next step is to optimize the performance of the GPO. In this case, we create a policy with only user settings. To speed up the group policy processing time we can disable the computer configuration for this policy:

1. Right-click on the new policy
2. Choose GPO Status
3. Select Computer Configuration Settings Disabled

The last step is to assign the policy. Important is to always test your new policy with a small group of users or computers. After you have verified that it’s working correctly, you can assign it to all the users that need the policy.

To assign the policy, simply navigate to the OU where you want to assign the policy, right-click on the OU and choose Link an Existing GPO. Select the newly created policy from the list to assign it.

Map Network Drive in Windows 11

You can also manually map a network drive in Windows 11. This is particularly handy when you only need to map the drive temporarily or in home network environments where you don’t have a domain controller of course.

Mapping a network drive in Windows 11 is pretty easy: (you can find the steps for Windows 10 in this article)

1. Open the Explorer
2. Click on the 3 dots (more options)
3. Choose Map network drive

In the next screen, we can configure the drive letter and network folder to open. Make sure that Reconnect at sign-in is checked, otherwise, you will need to re-add the drive letter if you have logged in.

The option Connect using different credentials allows you to make a network connection to a shared folder with different credentials. For example, when you have a NAS, you will sometimes need to enter the credentials of the NAS in order to open the shared folder.

Verifying Drive Mappings

Drive mappings are applied after the next policy update, which occurs roughly every 90 min, but you can also for the update with the command GPUpdate. The easiest way to verify the drive mappings is to open the explorer. But that doesn’t work for hidden drive mappings.

In these cases, you can use the command Net Use. When you run this command in the command prompt or PowerShell, you will get an overview of all mapped network drives, the drive letter, and the network folder.

If the policy isn’t applying, then verify the policy with the RSOP utility This built-in tool allows you to verify group policy and find any problems that might have occurred in the background.

Wrapping Up

Using one Group Policy for all your drive mappings based on item-level targeting is the best practice to follow. It makes it easier to manage your mappings and it will speed up the logon process.

If you need to map a lot of network shares, then it’s sometimes better to map the parent folder and give the correct permissions on each subfolder, instead of mapping each subfolder.

I hope you found this guide useful, if you have any questions, just drop a comment below!