I came across a scenario today while helping during a migration project. We wanted to map a drive based on a value in an extensionAttribute on the user. First, we thought that we would solve it with a script, but then it hit me like a lightning bolt that it is possible to use Group Policy Preferences for this.
So, how do we do it?
First, open the Group Policy Object, go to the Environment section, and add a new environment variable:
In my case I wanted an environment variable named oldsamaccountname:
Enable «Run in logged-on user’s security context» and «Item-level targeting» (this is where the magic happens).
Then I filled out the following:
- Filter: (&(objectClass=User)(sAMAccountName=%USERNAME%))
- Binding: LDAP:
- Attribute: extensionAttribute4 (this is the attribute you want to get)
- Environment variable name: oldsamaccountname
If you then log on to a client and run the set command, the output shows that the variable is present:
Next you create a drive mapping as normal, except that you can use the newly created variable:
I know, Group Policy Preferences is probably not the hottest topic at the moment to blog about, but still I find it very useful.
Maybe this helps someone that is trying to solve this exact problem 🙂 .
This also shows that scripting is not always the solution. (OMG did I just write those words…)
Update 22.03.2017:
As pointed out by Karl Magnus, you do not need to create a local variable just for drive maps. You could use the LDAP query directly within the drive mapping. If you however need the variable present on the client for other things, you will need to add it as a variable. Great feedback! Love it!
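The lookup configured above, reproduced in PowerShell so the value can be checked on a domain-joined client before the preference is rolled out. This is an added example, not part of the original post; the function names and the allow-list applied to the returned value are assumptions.

```powershell
# Added example (not from the original post). Run as the logged-on user on a
# domain-joined client to preview what the LDAP query item would return.
$Attribute = 'extensionAttribute4'   # attribute queried in the post
$Variable  = 'oldsamaccountname'     # environment variable name from the post

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515: escape \ * ( ) and NUL as \xx before building a filter.
    [System.Text.RegularExpressions.MatchEvaluator]$escape = {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    }
    [regex]::Replace($Value, '[\\*()\x00]', $escape)
}

function Get-TargetingValue([string]$SamAccountName, [string]$AttributeName) {
    # Same filter as the targeting item, with the user name escaped.
    $name     = ConvertTo-LdapFilterValue $SamAccountName
    $searcher = [adsisearcher]"(&(objectClass=User)(sAMAccountName=$name))"
    [void]$searcher.PropertiesToLoad.Add($AttributeName)
    $results = $searcher.FindAll()
    try {
        if ($results.Count -ne 1) {
            throw "Expected exactly one object, found $($results.Count)."
        }
        $values = $results[0].Properties[$AttributeName.ToLower()]
        if ($values.Count -eq 0) {
            throw "$AttributeName is empty or not readable for $SamAccountName."
        }
        [string]$values[0]
    }
    finally { $results.Dispose() }
}

$value = Get-TargetingValue $env:USERNAME $Attribute

# Assumption: the value becomes one folder name in the mapped path, so allow
# only characters that cannot change the path. Adjust to your naming rules.
if ($value -notmatch '^[A-Za-z0-9_-][A-Za-z0-9._-]{0,19}$') {
    throw "Value '$value' in $Attribute is not a safe path component."
}
"$Variable=$value"
```

Because the attribute value ends up in a path, it is also worth reviewing who has write access to that attribute on user objects.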
If you need this oldsamaccountname (stored in extensionAttr5) only for drive mapping, you can skip the environment preference, and just use the LDAP item level targeting directly on the Map drive Preference. Unless you need the oldsamaccountname as a local env variable.
I use this approach on several GP Preferences.
For example, to set the start page in Internet Explorer based on the user's wwwHomePage attribute in Active Directory.
This leaves us with only one internet settings preference for startpage instead of, say, 15 (if 15 schools would like their own homepage as a startpage). This will make the internet settings xml file smaller, and also decrease the logon time for the user.
The processing of Internet settings preferences at logon went from around 15 seconds to less than 1 second 🙂
This approach could also be used to add the user specified in managed by attribute on a computer object to a local group on the computer.
That's a good point! Will update the post! Thanks KM! 🙂
Hi,
this guide works perfectly, this solution is the only solution which worked for me to get the user e-mail as user-environment variable. Thanks for sharing! Awesome job!!!
greetings
Mario