When dealing with Group Policy Objects (GPOs) for drive mapping scripts, we often encounter scenarios where policies work perfectly at domain level but fail when applied to specific Organizational Units (OUs). The case described involves a logon.bat script that successfully mapped drives when applied domain-wide, but stopped working when moved to an OU-specific GPO.
Several factors could cause this behavior:
- Incorrect GPO inheritance blocking
- Security filtering misconfiguration
- WMI filtering issues
- Slow link detection problems
- Policy processing order conflicts
Here's how to systematically verify each potential issue:
# PowerShell command to check applied GPOs
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\temp\GPOReport.html"
# Check GPO inheritance
Get-ADOrganizationalUnit -Identity "OU=Main office,DC=domain,DC=com" |
Get-GPInheritance
The most common culprit is security filtering. When moving from domain-wide to OU-specific application, ensure:
- The Authenticated Users group has "Read" and "Apply Group Policy" permissions
- No explicit Deny permissions exist for the target computers/users
For reliable OU-specific drive mapping, consider this alternative approach using Group Policy Preferences:
<GroupPolicy xmlns="http://www.microsoft.com/GroupPolicy/Settings">
<ComputerConfiguration>
<Preferences>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
<Drive clsid="{935D1B74-9CB8-4e3f-A6C8-CC9F13D18BEB}"
name="S:"
status="S:"
changed="2023-01-01 12:00:00"
uid="{7B5A52A8-4E88-4C4C-A6B9-3F8D4D5E6F7A}">
<Properties action="U"
thisDrive="NOCHANGE"
allDrives="NOCHANGE"
userName=""
path="\\server\share"
persistent="1"
useLetter="1"
letter="S"/>
</Drive>
</Drives>
</Preferences>
</ComputerConfiguration>
</GroupPolicy>
For remote users, implement these optimizations:
- Set
Computer Configuration\Policies\Administrative Templates\System\Logon\Always wait for the network at computer startup and logonto Enabled - Configure slow link detection thresholds
- Consider using Item-Level Targeting in Group Policy Preferences
After making changes, always verify with:
gpresult /r
gpupdate /force
Check the Application Event Log for Group Policy-related events (Event ID 1500-1517).
When our domain-wide logon script (logon.bat) started causing 5-minute login delays for VPN-connected remote workers, we knew we needed a surgical solution. The script's drive mapping functionality became a bottleneck over slow connections, while remaining essential for headquarters operations.
Creating dedicated OUs (Main_office and Off-site) seemed logical. We:
- Removed the script from Default Domain Policy
- Created new "Map drives at logon" GPO
- Linked it exclusively to the Main_office OU
The result? Complete policy failure - no drives mapped at HQ either.
Three critical oversights:
- GPO Processing Order: The Default Domain Policy still processed first (LSDOU sequence)
- Conflict Resolution: Earlier settings weren't properly overwritten
- Security Filtering: Missing proper delegation
Instead of OU separation, we implemented WMI filtering:
# PowerShell to detect VPN subnet
$subnet = (Get-NetIPConfiguration | Where-Object {
$_.IPv4DefaultGateWay -like "192.168.100.*"
}).IPv4Address.IPAddress
if ($subnet) {
# Apply GPO only to non-VPN clients
New-GPLink -Name "MapDrives_MainOffice"
-Target "OU=Main_office,DC=domain,DC=com"
-LinkEnabled Yes
-Filter "NOT(subnet='192.168.100.0/24')"
}
For more granular control:
# AD Group creation
New-ADGroup -Name "VPN_Users" -GroupScope Global
# GPO Security Filtering
Set-GPPermission -Name "MapDrives_MainOffice"
-PermissionLevel GpoApply
-TargetName "VPN_Users"
-TargetType Group
-Deny
Always validate with:
# Check applied GPOs
gpresult /h gpo_report.html
# Test script execution
Test-NetConnection -ComputerName fileserver -Port 445
Through trial and error, we learned that GPO targeting requires considering multiple layers - not just OU placement. The solution now handles our hybrid workforce seamlessly.