Creators Update – Cross Domain GPO Drive Mapping Issues

Tags: group-policy, mappeddrive, windows 10

We're testing out Windows 10 Creators Update (Build 15063) here. So far this is the only unsolvable issue we've encountered.

This issue is exclusive to Creators: identical users and GPOs work fine on Windows 10 Anniversary (Build 14393) and Windows 7 SP1, all with the latest Windows updates run.

We have two domains here, with no trust relationship between them. To get one particular drive mapped, we add the username and password in using group policy preferences (Used to be done with a login script, but changed to support user account control) to cross authenticate. Here's a (redacted) screenshot of the preference options in GPO:

[Screenshot: M Drive Error]

When the policy runs on 10 Creators, the other drives map, but the M: drive is not there. Looking at the event viewer gives this error:

The user 'M:' preference item in the 'GPO Drive mappings {C65A2351-20C1-42D4-BF2B-AE604CD9DC0A}' Group Policy Object did not apply because it failed with error code '0x80090005 Bad Data.' This error was suppressed.

The user can manually map the same drive, adding the other domain's credentials when prompted. They can also do it using the net use command.

I've tried googling around GPO Mapping, Windows 10 Creators, and 0x80090005 Bad Data, but have not found anything relevant.

Best Answer

So, I'm one of the 10 or so GP MVPs from Microsoft.

In short: This isn't supported. @Twisty is right: This security hole was closed by modern GPMCs and not permitted anymore. The KB:

https://support.microsoft.com/en-us/help/2962486/ms14-025-vulnerability-in-group-policy-preferences-could-allow-elevati

I have two possible workarounds:

1: Try REMOVING the trailing \ at the end. So, the correct UI would be

\\server\share and not \\server\share\

2: Without testing it though, a workaround might be worth testing. Try the policy setting (on ONE MACHINE using GPedit.msc):

Computer | Admin Templates | System | Group Policy | Allow cross-forest user policy and roaming user profiles

Just set ONE machine locally with that policy.. (GPedit.msc LOCALLY on one Win10 1703 / Creators edition box).. don't go crazy and enable it everywhere yet.

Then, reboot and re-test.

Did that work?

If yes, yay. If not.. that's all I have to offer.

-Jeremy Moskowitz, 15-year Group Policy MVP from GPanswers.com
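
The KB linked in the answer (MS14-025) concerns passwords saved inside Group Policy Preferences items, which is how the M: drive map in the question carries its cross-domain credentials. An added example, not part of the original answer and not Microsoft's own script: a PowerShell function that lists preference items under a SYSVOL Policies folder that still hold a stored `cpassword` attribute, without reading or decoding the value. The sample XML, the account name and the temp folder are constructed; the GUID is the one from the event log message in the question.

```powershell
# Added example: report GPP items that still carry a stored password (cpassword).
# It reports where they are and which account they use; it never outputs the value.
function Find-GppStoredPassword {
    param(
        [Parameter(Mandatory)]
        [string]$PoliciesPath   # e.g. \\<domain>\SYSVOL\<domain>\Policies
    )
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { return }   # not well-formed XML: skip this file
            # Any element whose cpassword attribute is present and non-empty
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                $gpo  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] } else { '' }
                $item = if ($node.ParentNode -is [System.Xml.XmlElement]) {
                            $node.ParentNode.GetAttribute('name') } else { '' }
                [pscustomobject]@{
                    GpoGuid  = $gpo
                    File     = $file.Name
                    Item     = $item
                    UserName = $node.GetAttribute('userName')
                    Path     = $node.GetAttribute('path')
                }
            }
        }
}

# Constructed sample: one drive-map item shaped like a GPP Drives.xml (placeholder values).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-demo'
$dir  = Join-Path $root '{C65A2351-20C1-42D4-BF2B-AE604CD9DC0A}\User\Preferences\Drives'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Drives>
  <Drive name="M:">
    <Properties action="U" letter="M" path="\\server\share"
                userName="OTHERDOM\svc-map" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </Drive>
</Drives>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Drives.xml')

# Expect one row: the M: item with the constructed account and \\server\share
Find-GppStoredPassword -PoliciesPath $root | Format-Table -AutoSize
```

Any row returned for a real SYSVOL is a preference item whose stored credential should be removed from the GPO and the account's password changed.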