Group Policy: (Part 3) Drive mappings

In the previous sections we discussed setting up admin accounts and managing printers via Group Policy.  For this installment we will touch on the third topic: mapping drives.  Without further ado we will jump straight in!  We will start by setting up company shares, then run through the same steps again with user shares as the target, and the last bit of this article will show you another layer: item-level targeting

1)      As you will most likely have guessed we need to go back into the group policy management interface

2)      We will start by navigating to “User Configuration” -> “Preferences” -> “Windows Settings” -> “Drive Maps”.  Drive Maps is a Group Policy Preferences item, so it lives under “Preferences”, not under “Policies”

3)      From here you will be creating the mappings.  There are 4 options: create, update, replace and delete.  I will use the create action but the others can be used as needed

4)      Right click in the “Drive Maps” window and select “New”, “Mapped Drive”.  This will bring up the following window

5)      Select the create action to create your first new drive mapping (Yay!)

6)      Enter the UNC path to the share (for example \\server\share).  As with the printers in the previous post, the folder must exist on the server and actually be shared first, or the drive will not map

7)      Now you will pick the drive letter for the mapping

8)      You can fill in the “Connect as” options if you want. For this exercise I will leave them blank, and in practice you should too: the share should authorize the user’s own credentials, and anything typed into “Connect as” is written into the preference XML in SYSVOL, where every domain user can read it and recover the password (Microsoft removed the ability to set it in MS14-025).  If a share “requires special permissions”, fix its share and NTFS permissions rather than baking a password into the policy

9)      Then you can set the Hide/Show options if needed. Again, that is up to you and is not required for a basic mapping

10)   Click Okay and watch the magic happen. Seriously, that is all it takes.

11)   So in the preamble I told you that we will also cover user shares.   The truth is that we do the same steps again with one small change:  in the “Location” field, end the path with the user variable, e.g. \\server\users\%username% (Group Policy Preferences also have their own %LogonUser% variable; press F3 in the field to see the list)

12)   The one “gotcha” here is that the user’s folder must exist on the server at the path the variable resolves to.  So one of the first steps (or do it now if it was not already done) is to create a folder for each user under the share, named exactly the same as the user’s logon account, with NTFS permissions that give that user (and administrators) access and nobody else

13)   Here comes the last bit of wisdom for drive mappings: Item-Level Targeting.  This nifty little option lets you pick which users get the mapping.  I use this to create a “Tech” share that only members of the technical team see even though it is part of the same policy that all users get.  It helps keep GP a little cleaner and easier to manage.  Don’t worry – the mapping is not merely hidden from the other users: it is not created for them.  We target a group (or a particular user) and if you are not in the group (or are not the user) the drive does not map.  One caveat: targeting controls the drive letter, not access.  Anyone who knows the UNC path can still open the share, so the share and NTFS permissions on the “Tech” folder are what actually keep it restricted to the team

14)   So this is how to do it.  Click on the “Common” tab, tick “Item-level targeting” and click the “Targeting…” button

15)   Add a “Security Group” (or “User”) item, pick the group/user in question and, like that, you are done
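Step 12 says the user’s folder must already exist before \\server\users\%username% can map, and the item-level targeting caveat in step 13 says NTFS permissions, not targeting, are what gate access.  The following PowerShell is an added example (not code from the original post) that does both jobs on the file server: it creates each user’s folder under the share root and locks it to its owner.  The share root D:\Users, the share name “Users” and the domain NetBIOS name CORP are assumed values; change them to match your environment.

```powershell
# Added example, not from the original post. Run on the file server as an administrator.
# Assumed: share root D:\Users shared as "Users", domain NetBIOS name CORP.
function New-UserHomeFolder {
    param(
        [Parameter(Mandatory)][string]$ShareRoot,        # local path of the share, e.g. D:\Users
        [Parameter(Mandatory)][string]$Domain,           # NetBIOS domain name used in the ACL identities
        [Parameter(Mandatory)][string[]]$SamAccountName  # folder name must equal the logon name
    )
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None

    foreach ($sam in $SamAccountName) {
        $path = Join-Path $ShareRoot $sam
        New-Item -ItemType Directory -Path $path -Force | Out-Null

        $acl = Get-Acl -Path $path
        # Break inheritance from the share root and discard anything that came with it,
        # so the folder ends up holding only the three explicit rules below.
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
            [void]$acl.RemoveAccessRule($rule)
        }

        # Admins and SYSTEM keep Full Control; the owner gets Modify rather than Full Control,
        # so they can work in the folder but cannot rewrite its ACL or grant others access.
        $rules = @(
            @('BUILTIN\Administrators', 'FullControl')
            @('NT AUTHORITY\SYSTEM',    'FullControl')
            @("$Domain\$sam",           'Modify')
        )
        foreach ($spec in $rules) {
            $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
                $spec[0], $spec[1], $inherit, $none, 'Allow')))
        }
        Set-Acl -Path $path -AclObject $acl

        [pscustomobject]@{
            User    = $sam
            Folder  = $path
            UncPath = "\\$env:COMPUTERNAME\Users\$sam"   # what \\server\Users\%username% resolves to
        }
    }
}

# The share itself is created once. Share permissions stay deliberately simple because the
# NTFS ACLs above do the real gating: "Change" for authenticated users, not "Everyone / Full Control".
# New-SmbShare -Name Users -Path D:\Users -ChangeAccess 'NT AUTHORITY\Authenticated Users'

# Usage (assumed account names):
# New-UserHomeFolder -ShareRoot D:\Users -Domain CORP -SamAccountName jsmith, mkhan | Format-Table -AutoSize
```

Giving the user Modify instead of Full Control is the deliberate choice here: with Full Control a user could grant a colleague access to their folder and quietly undo the per-user isolation the mapping is supposed to provide.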


So there you have it.  Corporate and user shares all mapped and uniform for everyone.  We also targeted the tech team and gave them a mapping only they get, without creating a whole new policy for them.  There are a few little tricks and tips I will share before we wrap up: make sure to select the Create (or Update) action or the drive will not show up; remember to link the GPO to the OU in question; and, since Drive Maps live under User Configuration, make sure the user accounts (not just the computers) are in that OU or below it.

This is the last posting in my tour of Group Policy.  I hope you learned a lot and feel much more comfortable using this amazing tool.  Once you get used to the interface and terminology you will start to see that it is not so intimidating.  As a parting piece of advice:  the settings that can be controlled via GP are virtually endless.  I covered a few of the common ones but there is so much more to play with.   Build yourself a test environment or a test machine and start looking around – life is so much easier when it is well managed, and GP does this and more!

Keep your stick on the ice!

Group Policy: (Part 2) Managing Network printers

Part 2: Mapping Printers


In the first two parts of this series I covered the introduction to Group Policy (where to find the interface, how to navigate it, common terminology, topology…) and the first gem was unearthed: how to set a local admin account via Group Policy.  Well, the trench has been dug and now we reap the fruit: in this installment we look at how to set up printers in Group Policy. One quick note of housekeeping:  screenshots in this section come from Server 2012 so they may look a little different, but the functionality of GP is the same. Hold on because we are about to get messy


The first steps here are the same as steps 1) – 6) in the previous post so I will not go into great detail on them, but here they are

1)      Launch Group Policy management (read previous post if you are not sure how to access this)

2)      Navigate through the structure to locate the “Computers” OU

3)      Right click and select “Create a GPO in this domain, and Link it here…”

4)      In the new pop-up window give the GP a name

5)      This step (borrowing settings from an existing policy) can be skipped if this is a new policy

6)      Right click on the GP and select Edit

7)      Okay, here is the first new step (feels kind of cool to be a bit more familiar with the intro stuff already, no?).  In the previous post we went to “Local Users and Groups” but this time we take a left turn and go to: “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Deployed Printers”

8)      Right click and select “Deploy New Printer”

9)      In the new printer interface window, type the UNC path to the shared printer on the server (e.g. \\printserver\sharename) or browse for it.  Note/Gotcha:  if the printer is not shared from the server first it will not be seen here.

10)    Click “OK” and we are done (kind of)

11)    The basics are quite simple right?  That is it- we are done…well, almost done. If you want to add various drivers to support all the different operating systems in your environment you will need to make a few more small tweaks

12)   Open up “Control Panel” and navigate to “Devices and Printers”.

13)    Click on “Print Server Properties” at the top.  You may need to add the “Print and Document Services” role if you are using Server 2008

14)    From here you will need to click on the “Add Driver” button

15)    Next click on the processor architecture for the given operating system

16)    And then click “Add driver”. This window should be quite familiar as it is the same as when adding a local printer driver.  Knowing which driver to use is not always straightforward. I recommend going to a computer with the same OS as you are setting up, download the driver from the printer vendor, install and test it on that computer, then copy it to a USB key or network share and point this wizard at the known-good driver.  Only use signed drivers straight from the vendor: whatever you load here runs inside the server’s print spooler and gets pushed to every client

17)    Repeat steps 13 through 16 for all the various OSs (and architecture) in the environment

18)    So now we are really done.  For real.
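Steps 13 to 17 are easy to half-finish: a printer ends up with a 64-bit driver but no 32-bit one, and the 32-bit clients fail to connect.  The following PowerShell is an added example (not code from the original post) that lists every printer on the print server, the architectures its driver has been loaded for, and which required ones are still missing; it also shows the UNC path “Deploy New Printer” will expect, or flags printers that are not shared and therefore cannot be deployed at all (step 9’s gotcha).  It assumes the PrintManagement cmdlets (Windows Server 2012 or later); the server name PRINT01 in the usage line is an assumed value.

```powershell
# Added example, not code from the original post. Assumes the PrintManagement cmdlets
# (Windows Server 2012 or later) and rights on the print server given in -ComputerName.
function Get-PrintDriverCoverage {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Driver environments your clients need; these two cover 64-bit and 32-bit Windows.
        [string[]]$RequiredEnvironments = @('Windows x64', 'Windows NT x86')
    )
    $drivers  = Get-PrinterDriver -ComputerName $ComputerName
    $printers = Get-Printer       -ComputerName $ComputerName

    foreach ($p in $printers) {
        # Every architecture the printer's driver has been loaded for (steps 13-16 above).
        $have    = @($drivers | Where-Object { $_.Name -eq $p.DriverName } |
                     Select-Object -ExpandProperty PrinterEnvironment)
        $missing = @($RequiredEnvironments | Where-Object { $_ -notin $have })

        [pscustomobject]@{
            Printer     = $p.Name
            Driver      = $p.DriverName
            # Only a shared printer can be picked in "Deploy New Printer".
            DeployPath  = if ($p.Shared) { "\\$ComputerName\$($p.ShareName)" } else { '(not shared: GP cannot see it)' }
            HaveArch    = $have -join ', '
            MissingArch = if ($missing.Count) { $missing -join ', ' } else { 'none' }
        }
    }
}

# Usage: show only the printers that still need a driver for some architecture.
# Get-PrintDriverCoverage -ComputerName PRINT01 | Where-Object MissingArch -ne 'none' | Format-Table -AutoSize
```

Run it again after each pass through steps 13 to 16; when every row reads “none” under MissingArch, step 17 is really finished.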

That was a tour of how to set up network printers via Group Policy.  The one main reason to do all this work is that all your computers will now use the same driver and settings.  It will make your life so much easier as printing issues (which can be a real nightmare) become a bit more consistent: you can manage and review settings from one place.

EOD: End of Days for Server 2003

10 months.  300 days.  Seems like a long time.  The end is far closer than you would expect.  The end of extended support for Windows Server 2003 is coming, but the future looks so bright we have to wear shades!  Those in the know are already planning their migration – are you?  If you include all the hardware delivery time and setup, strategic decisions and the countless hours of planning, you have far less time than you think.  Many estimates put the time to implement a new server (with a new OS) at around 250 days (start to finish).  Sounds a bit daunting, right?  No worries – there is still time (but you have to start now!)  In this first article on why to switch to Server 2012 we will look at my top 10 reasons to switch

10)          You really have to.  Okay, so this easily could have been number one but the value of the other points needs to be fully explored.  No more updates after 14 July 2015 if you are running Server 2003 – that alone is reason enough to switch.  Security is always a concern (and is gaining importance all the time – BYOD, ubiquitous networking, and many more), and an OS that no longer receives patches cannot be kept secure

9)            Hardware.  Most of the 2003 servers I have come across are 32-bit.  I even remember telling clients (when the OS was brand new) that they did not need 64-bit support since the hardware should be life-cycled before the memory limit was reached.  Most people did so but some have held on.  Support costs for these old servers are getting to be extremely high and there are just so many limits that the time has come

8)            Server Core.  Don’t have money for a full powered workhorse server? No worries, there is a new player in the game.  Server Core offers a huge array of benefits and merits its own top ten list, but for the purpose of this exercise I will name a few of my favorites.  Since it has no graphical interface the hardware requirements are significantly lower.  Another advantage is a smaller attack surface: without the graphical shell and its supporting components there is less code to exploit and fewer patches to apply.  Another advantage (in my opinion) is that it is a text-only OS so you get to practice and learn command line interfaces – the list of times these have helped me out is long and distinguished.  The new command line, PowerShell, is just great (see item 3 on this list)

7)            DirectAccess.  Tired of clunky VPN connections?  Fed up with walking users through how to connect to the VPN so they can access files from home?  Have we got something for you!  DirectAccess (introduced in Server 2008 R2) provides an “always-on, certificate based VPN” so users (and the techs who support them) never have to figure out how to connect.  If you have an open connection to the internet then you can access your work files

6)            Workplace Join.  Another fantastic feature that is long past due is Workplace Join.  This is part of the BYOD (Bring Your Own Device) approach that is really taking off.  It allows you to join any device (including iOS devices) to your corporate environment.  The basic mechanics are that you will need to set up AD, set up a certificate, set up ADFS, then create a web server.  Whew, sounds like a long list, right?  True, but once done users can register their own devices and you can stop pulling (your remaining) hair out and get a good night’s sleep 🙂

5)            NIC teaming.  One of my personal favorites since I had the honor of presenting this at a Montreal IT Pro User Group meeting recently.  It is another great new feature and makes your life so much easier.  Wait, “new” feature!?  Yes, this is now natively supported by the OS (and by Microsoft).  You can even team dis-similar hardware: want to create a team with Broadcom and 3com NICs?  Go ahead – it will work and it is supported.  There are a ton of other features here as well so do yourself a big favor and look at load balancing and failover options.

4)            Storage Spaces.  Another simply fantastic feature.  This one hits the Small-Medium market squarely in the wallet.  The reality is that this is a fault-tolerance system built into the server, or you can use SSDs to speed up drive performance, or both!  Think of a RAID 5 array (Microsoft calls it a parity space, but it is conceptually very similar) with SSDs working as a cache to speed it up – all supported within the OS, so no special hardware needed.  Take the money you would have spent on hardware and spend it on …anything else you want 🙂

3)            PowerShell.  For those in the know:  PowerShell makes the command line cool again.  You can take bits and pieces of this or dive in as deep as you want.  As an IT Pro I have used it so many times to save my bacon!  It seems like whenever you get a weird, cryptic error the answer that comes back is: fix it via PowerShell.  The most recent versions of PowerShell do require the latest (and greatest OSs) but even Server 2003 can run the first iterations

2)            Virtualization. Again there are new features and features that, although not new, are just so much fun.  This is where Hyper-V comes in.  It has been around for a while now and you owe it to yourself and your organization to at least try it (it is even fully supported on 64-bit Windows 8 Pro and Enterprise, provided that the PC hardware supports virtualization).  Virtualization allows you to run several virtual machines on a single physical box – bosses love it since they can minimize costs and techs love it since it means less hardware that can go down (if downtime is an issue you should also be looking at High Availability).  Go Virtualize!

1)            Cloud readiness.  Topping this prestigious list is the new future of IT. Proper provisioning prevents poor performance – haven’t we all heard this since we were young?  Well, okay, I did steal that line from somewhere, but the reality is that the cloud is here to stay.  It allows even more efficient usage, scalable provisioning and cost effective administration.  There is a veritable Pandora’s box available in Azure (or any other cloud offering for that matter).  It is one of my personal goals to get my head into the clouds (bad pun I guess since I have always been a bit of a dreamer)

There it is.  My personal top 10 list.  The list is in no way complete and it is completely subjective.  Found other features you love?  Let me know and we can all learn them together.  Thanks for reading, and go and play with Server 2012:  the more you learn, the more you will want to learn.

Group Policy: (Part 1) Setting local admin account

 Part 1:  Setting local admin account

Hopefully you read the first post in this series; if not, feel free to take a look at it.  It covered some of the basics in Group Policy.  If you want to learn the inner workings it is a great start.  If you only want to get to the meat and potatoes, keep reading.  In this post I will show you how to set up a group policy that will create a standard local admin account. The value in this is that if a user cannot log in, or there are issues with a domain-based login, then a local account can be used to troubleshoot (or you may not even have a domain – but then you will have some fun pushing out this setting).  One quick note of housekeeping:  the person who showed me how to do this (and a ton of other things) is Shaun Rioux at Cistel: I owe him many debts.  So you are most likely using a domain-based (server-based) environment and have a local admin account in case of emergency, or to allow your entry-level techs a degree of admin control without opening the flood gates of giving them domain admin permissions. If you want the answer just stay tuned because here we go!


1)      Launch Group Policy management (read previous post if you are not sure how to access this)


2)      Navigate through the structure to locate the “Computers” OU (an OU you created for your workstations; GPOs cannot be linked to the built-in Computers container)


3)      Right click and select “Create a GPO in this domain, and Link it here…”


4)      In the new pop-up window give the GP a name (as per my previous post: be descriptive – it will make it much easier to find later).  You can use a starter GP if you have any configured (more on those in another article)


5)      Now you have to edit the policy. This next blurb only applies if you have an existing group policy (skip to step 6 if this is the first policy you create): you can use an existing policy as a starting place to point you in the right direction.  As you can see in the screen shot below, which is taken from the “Settings” tab of the GP, where we are heading is “Computer Configuration” -> “Preferences” -> “Control Panel Settings” -> “Local Users and Groups”


6)      Right click on the GP and select Edit


7)      Navigate to “Computer Configuration” -> “Preferences” -> “Control Panel Settings” -> “Local Users and Groups”


8)      Right click in the Local Users and Groups screen and select “New”-> “Local User”  


9)      From here you create the user account just like you would in AD.  The interface looks a little different from AD but the options are still the same.  The only new item here is the option to rename the account. Well that is not entirely true: there is one other new item and it relates directly to Group Policy


10)   The first line in the above screen shot shows that we are going to “Update” the existing account.  If you click on the drop down you will see that there are 4 options. “Create” and “Delete” are fairly straightforward so I will not explain them.  The “Replace” action is more suited to files: think of it as remove and re-create.  The “Update” action is used to change the properties of an account that already exists, which is what we do here (in my case; you will most likely want to create one).  Later on (after the policy has been applied) you can change this from a “Create” action to an “Update” action.  One caveat on the password fields: Group Policy Preferences store the password in Groups.xml under SYSVOL, encrypted with a key Microsoft has published, so any domain user who can read SYSVOL can recover it.  MS14-025 (May 2014) disabled setting passwords this way on patched consoles; if you need a uniform break-glass account, create it here but manage its password with a tool that sets a different, rotating password per machine


11)   Now comes the fun part: sitting around and waiting for the policy to refresh.  No time for waiting?  Log on to the machine to which you pushed the policy, open an elevated command prompt and run “GPUPDATE /FORCE”.  “GPRESULT /H report.html” will then show you whether the preference item applied
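Both the Local Users and Groups items above and the Drive Maps items in Part 3 end up as plain XML files in SYSVOL, readable by every domain user.  The following PowerShell is an added example (not code from the original posts) that parses those files and reports, for each item, the action, the target (the account name or the UNC path), any item-level targeting filters, and whether a password has been stored in it.  The two XML documents in the block are constructed, trimmed samples (clsid, uid and changed attributes removed; the cpassword value is a placeholder); the GPO GUIDs, server and group names are assumptions.  The commented-out lines at the end run the same function against the live domain.

```powershell
# Added example, not code from the original posts.
# Reads Group Policy Preferences XML (Groups.xml from Local Users and Groups, Drives.xml from Drive Maps).
# Real files live at:
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\Machine\Preferences\Groups\Groups.xml
#   \\<domain>\SYSVOL\<domain>\Policies\{GPO-GUID}\User\Preferences\Drives\Drives.xml
function Get-GppItem {
    param(
        [Parameter(Mandatory)][xml]$Xml,
        [string]$Source = '(inline)'
    )
    $actionName = @{ C = 'Create'; R = 'Replace'; U = 'Update'; D = 'Delete' }

    # Every preference item (<User>, <Group>, <Drive>, ...) carries a <Properties> child.
    foreach ($props in $Xml.SelectNodes('//Properties')) {
        $item    = $props.ParentNode
        # Item-level targeting filters, e.g. FilterGroup:CORP\Tech or FilterUser:CORP\jsmith.
        $filters = @($item.SelectNodes('Filters/*') | ForEach-Object {
            '{0}:{1}' -f $_.LocalName, $_.GetAttribute('name')
        })
        $target = if ($item.LocalName -eq 'Drive') { $props.GetAttribute('path') } else { $props.GetAttribute('userName') }

        [pscustomobject]@{
            Source         = $Source
            Type           = $item.LocalName
            Name           = $item.GetAttribute('name')
            Action         = $actionName[$props.GetAttribute('action')]
            Target         = $target
            Targeting      = if ($filters.Count) { $filters -join '; ' } else { '(everyone the GPO applies to)' }
            # cpassword holds the preference password, AES-encrypted with a key Microsoft published,
            # so anyone who can read SYSVOL (every domain user) can decrypt it.
            StoredPassword = [bool]$props.GetAttribute('cpassword')
        }
    }
}

# Constructed sample: a Local Users and Groups item with a stored password (the pattern MS14-025 removed).
$groupsXml = [xml]@'
<Groups>
  <User name="LocalAdmin" image="2" userContext="0">
    <Properties action="U" fullName="Local Admin" description="Break-glass account"
                cpassword="PLACEHOLDER" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@

# Constructed sample: two Drive Maps items, the second restricted to CORP\Tech by item-level targeting.
$drivesXml = [xml]@'
<Drives>
  <Drive name="S:" userContext="1">
    <Properties action="C" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\FILE01\Shared" label="Shared" persistent="1" useLetter="1" letter="S"/>
  </Drive>
  <Drive name="T:" userContext="1">
    <Properties action="C" thisDrive="NOCHANGE" allDrives="NOCHANGE" userName="" path="\\FILE01\Tech" label="Tech" persistent="1" useLetter="1" letter="T"/>
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Tech" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>
  </Drive>
</Drives>
'@

Get-GppItem -Xml $groupsXml -Source 'Groups.xml'
Get-GppItem -Xml $drivesXml -Source 'Drives.xml' | Format-Table -AutoSize

# Against the live domain (any domain-joined host; read access to SYSVOL is all it takes):
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Include Groups.xml, Drives.xml -ErrorAction SilentlyContinue |
#     ForEach-Object { Get-GppItem -Xml ([xml](Get-Content $_.FullName -Raw)) -Source $_.FullName } |
#     Where-Object StoredPassword
```

Two things to take from the output: a row with StoredPassword set to True is a password every domain user can recover, and should be removed from the GPO and rotated on every machine it reached; and the Targeting column shows why item-level targeting is not an access control, since the UNC path in the Target column is visible to everyone who can read the file.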


That is all there is for this time! Enjoy your newly created (and completely uniform) local admin accounts! You should now know how to create a local admin account.  We covered the steps to open Group Policy, navigate the structure and create a new “Update” preference item.  In the next section we will see how to map printers: stay tuned 🙂


Group Policy: (Intro) Getting to use the server tools as they were meant to be

Here we go!  Diving into the deep end again 🙂  To up-and-coming IT Pros, servers can seem like a brave new world: full of mystery and wonder.  And so many new toys to learn and play with too!  In this series (at least 3 parts) I will try to demystify Group Policy… at least insofar as it goes for us IT Pros.  I will start off with setting up a standard local admin account via Group Policy in Part 1, then in Part 2 we will look at setting up printers (mappings and drivers). And lastly: in Part 3 we will dive deep into how to set up drive mappings (including a few gotchas I ran into).  In this post I will go over some of the locations and terms we will see and use while we take our adventure into GP.

So the first thing we need to see is where we go to open the management interface (seen below).  It is located in Control Panel -> Administrative Tools -> Group Policy Management.  For this series I will be using screen shots from Server 2012 R2, but the locations and terms are almost the same across versions (some have been added and a few removed, but learning on one platform is highly portable to any other).

Once opened, the first thing you will see is that the structure looks a lot like what you see in Active Directory.  Group Policy works with AD.  The policies you create here are linked to sites, domains and organizational units from Active Directory (not to security groups, which are used for filtering instead, and not to the built-in containers such as Users and Computers).  That is one of the main strengths of Group Policy – it is tied to so many other tools you already know (or are surely looking to learn).  What you see in the screen shot below is a mirror of AD on the same server.  Notice that there is one Group Policy already listed (called “Default Domain Policy”).  This is created by default.  Other policies can be created and linked to other OUs.