I'm trying to get rid of all manually mapped network drives on all workstations in my domain. I want our end users' mapped drives to be mapped solely via GPO (GPOs are already in place).
I'm trying to write a script that will:
- Unmap all network drives when the user logs in
- Run gpupdate /f to re-map drives based on applied GPO
I'm planning to have this logon script policy applied only for a few weeks, until I can verify that all manually mapped drives are gone.
Here are the contents of my batch script:
REM Delete all mapped drives
net use * /del /y
REM force a group policy update to map all drives according to GPO's.
gpupdate /force
REM create a directory to verify the script is actually running.
mkdir %USERPROFILE%\test

I've placed this script on my NETLOGON directory on my domain controller. The script runs as intended if manually run from this directory. However, when applied as a logon script, the net use /delete /yes command doesn't seem to work. I've verified that the script is actually running during logon with the mkdir %USERPROFILE%\test.
I've even tried to redirect the output of the first command net use * /del /y > result.txt and the output came out as
"There are no entries in the list"
Is there any reason why my script is working when I run it manually, but not as a logon script?
Server: Windows 2012R2
Host: Windows 10
2 Answers
I just had an issue using net use g: /delete /yes on Windows 2012R2; it was causing mapping conflicts. My G drive mapping would map to other servers, and sometimes an additional Z mapped drive appeared that was a ghost. It wasn't in the batch script.
If you must delete network drives before the actual mappings using shares on Server 2012R2, use net use g: /del (ONLY)...this will work on 2012R2 Server
MJ
1
If the user in question is an administrator, (un)mapping drives using scripts won’t work.
With UAC, you have two tokens and login sessions: one with all permissions (“elevated”) and one with limited permissions only. Scripts started by GPOs run with full permissions.
Mapped drives are tracked per session. When you try to map or unmap drives from logon/logoff scripts, they will only be available to programs running elevated. Explorer never runs elevated by default.
Here’s more info directly from Microsoft.
To work around this, use the following .reg script. After that, changes to mapped shares will affect both the full and limited token.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLinkedConnections"=dword:00000001

This also fixes errors when trying to run setups (or other stuff that runs elevated) from mapped drives.
2
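To check whether the split-token behaviour described in the answer above applies on a given workstation, this PowerShell diagnostic (an added example, not code from the thread) reports whether the calling session is elevated, the current EnableLinkedConnections value, and the drive mappings that session can see. The function name Get-DriveMappingContext and the log file path are assumptions chosen for illustration.

```powershell
# Added diagnostic, not part of the original question or answers.
# Run it once from the logon script and once from a normal user prompt,
# then compare the two results.
function Get-DriveMappingContext {
    # True only when this process holds the full (elevated) administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # The value set by the .reg file in the answer; a missing value is reported as 0.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyKey -Name EnableLinkedConnections -ErrorAction SilentlyContinue
    $linked = if ($policy) { [int]$policy.EnableLinkedConnections } else { 0 }

    # SMB mappings that exist in THIS logon session.
    $live = @(Get-SmbMapping -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.LocalPath) -> $($_.RemotePath)" })

    # Persistent ("reconnect at sign-in") mappings stored in the user's profile.
    $remembered = @(Get-ChildItem -Path 'HKCU:\Network' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $remote = (Get-ItemProperty -Path $_.PSPath -Name RemotePath -ErrorAction SilentlyContinue).RemotePath
            "$($_.PSChildName): -> $remote"
        })

    [pscustomobject]@{
        User                    = $identity.Name
        Elevated                = $elevated
        EnableLinkedConnections = $linked
        LiveMappings            = $live -join '; '
        RememberedMappings      = $remembered -join '; '
    }
}

# Hypothetical log location; change it to suit your environment.
$log = Join-Path $env:TEMP 'drive-mapping-context.log'
Get-DriveMappingContext | Format-List | Out-File -FilePath $log -Append

# Reading the result: Elevated = True together with EnableLinkedConnections = 0
# is the situation the answer describes, where drive changes made by this
# session are not the ones Explorer sees.
```

EnableLinkedConnections is read at startup, so restart the workstation after changing it before comparing results again.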