How to determine how mapped drives are being mapped

I know there are several ways to map a drive letter to a networked resource in a Windows environment. What I would like to know is how to quickly determine the means by which each mapped drive is being mapped.

Many of our users have up to 15 mapped drives. After a few hours of searching, I've learned that some of those drives are mapped via Group Policies while others are mapped via scripts. But for still others, I cannot figure out the source that is automatically mapping those drives for them.

How do I identify the method that is mapping one or more drives (e.g. Group Policy, Script, etc.)? If it's a Group Policy, which one? If it's a script, which one and from where? Thanks.


Solution 1:

Ah, sounds like an ex-NetWare shop. They were always fond of drive letters.

Windows doesn't track where they come from, unfortunately, so you're left with the forensic task of looking at everything that can cause a script to be mapped. That's a long slog, and I feel for you. There are many:

  • GPO direct maps
  • GPO indirect maps through scripts
  • Local registry-based persistent maps (can also be set via GPO when a BOFH is involved; swearing is permitted in these cases)

For tracking GPOs, the way that works for me is to:

  • Launch the GPO Manager
  • Go to Group Policy Results
  • Right-click on it and pick Group Policy Results Wizard
  • Pick a user and computer object you want to check (pick someone with 15 mappings)
  • Review the resulting report, and go to the Settings tab
  • Note any scripts and their associated GPOs
    • Later on, go to each GPO and review the scripts
    • Check for mappings in the scripts
  • Note any drive mappings under User -> Preferences -> Drive Maps, and their associated GPOs.
  • Dig through the various places you can set Registry settings, and validate whether they have [HKCU/Network/$something$] in them.

That'll give you a big start on the source of the drive mappings that are coming from automation you manage. You can't do much about stuff users do themselves; some never clear the "remember this mapping" button.

Solution 2:

Another reply to an old thread. In my case, after much Sherlock Holmes'ing, I found they were mapping a drive by adding a line to the USRLOGON.CMD file (standard in every Terminal Services/Remote Desktop Services installation), which is executed every time a user logs on. Hope that helps some people.
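
The checks described in both solutions can be collected in one pass. The following PowerShell is an added example, not part of either posted answer: it lists persistent maps under HKCU:\Network, Group Policy Preferences Drives.xml entries in SYSVOL, and drive-mapping lines in logon scripts and USRLOGON.CMD. The function name Get-DriveMapSource is hypothetical, and the script assumes a domain-joined machine, read access to SYSVOL, and that it is run as the affected user.

```powershell
# Added example. Get-DriveMapSource is a hypothetical name, not a built-in cmdlet.
# Assumes a domain-joined machine, read access to SYSVOL, and the affected user's session.
function Get-DriveMapSource {
    # 1. Persistent per-user maps ("reconnect at sign-in") under HKCU:\Network\<letter>
    Get-ChildItem 'HKCU:\Network' -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Source = 'Registry (persistent)'
            Drive  = "$($_.PSChildName):"
            Detail = (Get-ItemProperty -Path $_.PSPath).RemotePath
            Origin = $_.Name
        }
    }

    $sysvol = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN"

    # 2. Group Policy Preferences drive maps: one Drives.xml per GPO that defines them
    Get-ChildItem "$sysvol\Policies" -Recurse -Filter 'Drives.xml' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName   # the {GUID} folder in this path identifies the GPO
            foreach ($d in ([xml](Get-Content -Path $file -Raw)).Drives.Drive) {
                [pscustomobject]@{
                    Source = 'GPP Drive Maps'
                    Drive  = $d.name
                    Detail = $d.Properties.path
                    Origin = $file
                }
            }
        }

    # 3. Script lines that map drives: NETLOGON, GPO script folders, RDS USRLOGON.CMD
    $pattern = 'net\s+use|MapNetworkDrive|New-PSDrive|New-SmbMapping'
    $ext     = '.cmd', '.bat', '.vbs', '.ps1'
    @(
        Get-ChildItem "$sysvol\scripts", "$sysvol\Policies" -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $ext -contains $_.Extension }
        Get-Item "$env:SystemRoot\System32\USRLOGON.CMD" -ErrorAction SilentlyContinue
    ) | Select-String -Pattern $pattern | ForEach-Object {
        [pscustomobject]@{
            Source = 'Script'
            Drive  = if ($_.Line -match '(?<!\w)([A-Za-z]:)') { $Matches[1].ToUpper() } else { '?' }
            Detail = $_.Line.Trim()
            Origin = "$($_.Path):$($_.LineNumber)"
        }
    }
}

Get-DriveMapSource | Sort-Object Drive, Source | Format-Table -AutoSize -Wrap
```

The output lists candidates only: GPO security filtering and item-level targeting are not evaluated, so the Group Policy Results report from Solution 1 is still what shows which GPOs actually applied to a given user.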