How to determine how map drives are being mapped

group-policy mappeddrive

I know there are several ways to map a drive letter to a networked resource in a Windows environment. What I would like to know is how to quickly determine the means for which each mapped drive is being mapped.

Many of our users have up to 15 mapped drives. After a few hours of searching I've learned that some of those drives are mapped via Group Policies while others are mapped via scripts. But there are still others that I cannot figure out the source that is automatically mapping those drives for them.

How do I identify the method that is mapping one or more drives (e.g. Group Policy, Script, etc.)? If it's a Group Policy, which one? If it's a script, which one and from where? Thanks.


Solution 1:

Ah, sounds like an ex-NetWare shop. They were always fond of drive letters.

Windows doesn't track where they come from, unfortunately, so you're left with the forensic task of looking at everything that can cause a script to be mapped. That's a long slog, and I feel for you. There are many:

  • GPO direct maps
  • GPO indirect maps through scripts
  • Local registry-based persistent maps (can also be set via GPO when a BOFH is involved, swearing is permitted in these cases)

For tracking GPOs, the way that works for me is to:

  • Launch the GPO Manager
  • Go to Group Policy Results
  • Right click on it and pick Group Policy Results Wizard
  • Pick a user and computer object you want to check (pick someone with 15 mappings)
  • Review the resulting report, and go to the Settings tab
  • Note any scripts and their associated GPOs
    • Later on, go to each GPO and review the scripts
    • Check for mappings in the scripts
  • Note any drive mappings under User -> Preferences -> Drive Maps, and their associated GPOs.
  • Dig through for the various places you can set Registry settings, validate if they have [HKCU/Network/$something$] in them.

That'll give you a big start on the source of the drive-mappings that's coming from automation you manage. You can't do much about stuff users do themselves, some never clear the "remember this mapping" button.

Solution 2:

Another reply to an old thread. In my case, after much Sherlock Holmes'ing, I found they were mapping a drive by adding a line to the USRLOGON.CMD file (standard in every Terminal Services/Remote Desktop Services installation), which is executed every time a user logs on. Hope that helps some people.

Related

How to identify if my website DNS is A-Record or CNAME?
How to diagnose repeated "Starting up database '<dbname>'"
File change on a LAMP development server not taken into account
vSphere NIC Teaming - Any reason for Active/Standby?
How to make PowerShell add a new line after executing a command?
What is causing email sent from my Google Apps account to bounce?
Why does Serverfault use Dynect Platform? And should I too?
iptables - What does the range in bracket mean? [duplicate]
how many users typically use the "forgotten password" flow?
Setting up linux routing
tomcat processParameters complains about "invalid chunk ignored"
What is AddType application/x-httpd-php-source