How often have you gotten requests for someone to be added to the G: drive, the W: drive, the R: drive? If you are new to a position, or if you are in a large complex organization, deciphering what is actually being requested can be a pain. Here’s a write-up on how I’ve been mapping a network share. The end result of this process is identical to manually creating a network shortcut via the GUI in Windows 7. It results in older applications being able to open these locations as if they were drive letters. Admittedly, this is more convoluted than mapping a drive, but I think it has benefits. Since it’s all done via Group Policy, it can all be thoroughly commented and documented at the point of implementation. Now when people ask for permissions to a network resource, they should call it by its specific name.
Why it’s so difficult
Microsoft has provided a method to add a shortcut to network resources in Group Policy Preferences. Using this method, you can make a link to a UNC path appear under the My Computer dialog in Explorer. This is a true shortcut. However, it does not appear in the expandable tree view in the navigation pane. When I originally formulated this idea, my former supervisor and I agreed that this would be too much of a divergence from the way people were used to operating and using drive letters. Microsoft’s network shortcut implementation is not visible to some older style save/open dialogs.
I researched the issue and discovered that a number of people were looking for the same functionality.
Basically, the links in the navigation pane are not shortcuts, but rather COM objects that Explorer interprets in a specific manner. We can tell Windows to interpret a folder this way by setting its CLSID in a desktop.ini file inside that folder. By doing that, we get a network shortcut that behaves very similarly to the way a drive mapping would.
Here’s a few links explaining more
PROCESS
1. Create a shortcut named target.lnk to the UNC path. This shortcut should be placed in a user’s My Network Neighborhood path in a folder named what you would like to call the share (ie %My Network Places%\target.lnk)
2. Change that folder’s attributes to be read-only
3. Copy a desktop.ini file into that folder containing the following text:
[.ShellClassInfo]
CLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}
Flags=2
All of these GPPs should be targeted at a group which delegates access to the share so that it only shows up for those users. I have set a logoff script to delete all network shortcuts so that any user who has been removed from a group will also have the network shortcut removed. This is not strictly necessary, as most users will likely not change group memberships frequently, and removing the user from the group will prevent actual access to the share, though the shortcut will remain.
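The three steps above, together with the group targeting and cleanup, written out as an added PowerShell example (this is not the author's script or the Group Policy Preference items themselves). The share name, UNC path and group name are constructed placeholders.

```powershell
# Added example: builds the folder shortcut from steps 1-3 for the current user.
# All three default values below are constructed placeholders.
param(
    [string]$ShareName = 'Finance Reports',
    [string]$UncPath   = '\\fileserver01.example.local\finance',
    [string]$Group     = 'EXAMPLE\Share-Finance-Read'
)

# Per-user Network Shortcuts folder
$root   = Join-Path $env:APPDATA 'Microsoft\Windows\Network Shortcuts'
$folder = Join-Path $root $ShareName

# Only accept \\server\share targets so the shortcut cannot point anywhere else
if ($UncPath -notmatch '^\\\\[^\\]+\\[^\\]+') { throw "Not a UNC path: $UncPath" }

# Group targeting: show the shortcut only to members of the group that grants access.
# Membership is read from the logon token, so a change takes effect at next logon.
$id        = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole($Group)) {
    # Cleanup: drop a stale shortcut left over from earlier membership
    if (Test-Path $folder) { Remove-Item $folder -Recurse -Force }
    return
}

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Step 1: target.lnk pointing at the UNC path
$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut((Join-Path $folder 'target.lnk'))
$lnk.TargetPath = $UncPath
$lnk.Save()

# Step 3: desktop.ini that makes Explorer treat the folder as a folder shortcut
$ini = @'
[.ShellClassInfo]
CLSID2={0AFACED1-E828-11D1-9187-B532F1E9575D}
Flags=2
'@
Set-Content -Path (Join-Path $folder 'desktop.ini') -Value $ini -Encoding ASCII -Force

# Step 2: read-only attribute on the folder, without which desktop.ini is ignored
$dir = Get-Item $folder
$dir.Attributes = $dir.Attributes -bor [IO.FileAttributes]::ReadOnly
```

The shortcut is only a convenience; access is still decided by the share and NTFS permissions granted to the group.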
I can provide actual technical instructions on this process if we choose to pursue it for all share mapping.
When I first implemented this I did so via a vbscript, but I switched to group policy preferences so there was a single point of documentation at the site of implementation. The policy I've created is called “Drive and Share Mapping” and the purpose of each preference is documented in the comments for that preference item.
Here is a powershell script that could be modified for the same purpose
There are some disadvantages. As I mentioned, it is more inconvenient than mapping.
Additionally, if the user opens the network share and clicks the path, it will show as being located in C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Network Shortcuts\%sharename%. If you click on a folder to navigate the structure, then the true UNC path shows up. This is identical to how it behaves if you create the shortcut using the GUI. However, when looking in a recent documents file dialog, or going to save the document, the actual UNC path is used.
It is a pain in the ass, but getting away from drive letters can make your permissions requests that much easier for you to complete.