I have a Windows 2012 R2 domain controller running the most recent version of Active Directory. I have 17 client computers (desktops and laptops); most are Windows 10 and some are Windows 8 or Windows 8.1. I also have this NAS that does NOT support LDAP / AD sign-ons. I have a list of 6 users that need access to the NAS, but the creds are local to that device and cannot be shut off (e.g., SOME credentials must be used) to access the shares via SMB.
What I used to do is set up a share in GPP using a mapped drive, then fill in the "Connect as (optional)" dialog with the appropriate credentials. Well, I guess Microsoft disabled this capability because of some silly security issue [sarcasm] and now I'm not quite sure how to accomplish the same effect.
I've tried the following:
- Created a vbs/ps1/bat logon script [yep, I tried each] that blows away all drives and explicitly maps the drives with the credentials embedded in the script (obviously I'm not overly concerned about security with this) and maps the drives accordingly as a startup script for EVERYONE using a GPO. In this case, the script never runs on Windows 10 or Windows 8 even with the "Configure Logon Script Delay" set to 0 or 1 or 2 or any number. No drive ever gets mapped or appears under My Computer.
- When that didn't work, I tried putting an explicit script vbs/ps1/bat under each individual user's profile with the credentials embedded using the "Logon Script" function in the properties of the user object, which also did not work. Again, no drive ever got mapped.
- Hunted for the patch that disabled the ability to map a drive using alternate credentials ("Connect as (optional)") to uninstall it and use the old method, but the patch has tons of stuff bundled in it and I don't want to break anything else in my environment.
I'm not concerned at all with the user credentials being exposed in this scenario, since they are not shared with any other creds and the data on the NAS is not super critical to protect, but I do need some way to map these drives for these users auto-magically.
Also, I'm positive that all the scripts work without error, as I've run them all locally on several machines during troubleshooting. I can even whack to the sysvol share and kick them off manually and that works, and the permissions are rwx. It just won't work with GPO.
So, I'm open to suggestions and any help is GREATLY appreciated.
I really have two questions:
- Why don't logon scripts work in Windows 10?
- What is the best way to map a drive that is not part of your active directory domain for users in batch?