A project I am working on is to eliminate the use of login scripts within SYSVOL to control drive mapping. Drive mapping here is a mess and causes more confusion between departments than benefit. I plan to do this through DFS and access based enumeration.
File server is a 2003R2 (the next step is migrating to 2012) and the clients are Win 7 Pro boxes. Domain is 2003 functional with a mix of 2003R2, 2008 and 2008R2 DCs.
So far I have set up DFS and installed the MSI for Access Based Enumeration. The root share has ABE applied on the file server and has the following rights for Domain Users: List Folder / Read Data, Read Attributes, Read Extended Attributes.
What this accomplishes is it allows all domain users to browse the root share via the DFS link, but limits the subfolders that they see to those they have permissions over.
All of that is working well. Users can browse the share both directly to the server and via the DFS share. The issue I am having is mapping the share via Group Policy. For admin users who have full rights at the root, the Group Policy applies and they get the mapping. For other users who rely on the Domain Users permissions, it will not map. The following error is logged in their computer event log:

Log Name: Application
Source: Group Policy Drive Maps
Date: 6/21/2013 2:07:36 PM
Event ID: 4098
Task Category: (2)
Level: Warning
Keywords: Classic
User: SYSTEM
Computer: xxxxxxxxxxxeditedoutxxxxxx
Description:
The user 'S:' preference item in the 'Default Domain Policy {31B2F340-016D-11D2-945F-00C04FB984F9}' Group Policy object did not apply because it failed with error code '0x80070005 Access is denied.' This error was suppressed.
I have changed the drive mapping within group policy to about every scenario possible. This includes adding Run in logged-on user's security context, changing the action from Update to Create, Replace... etc.
If I go to the share location logged in as the most basic user, it shows up. However, Group Policy fails with a credentials issue.
Anyone have any ideas?