I have a working policy on my entire domain. I just found out, when logging with the domain administrator, that this policy is not applied (EDIT: Running : gpresult shows that the GPO's are applied – but, this GPO is for Drive Mappings, and the actual drive mappings are NOT shown)
- The administrator account – does not have any login script on his profile tab.
-
To note: The mappings were applied before the GPO with a login script using the : net use … command – all was working perfectly and correctly for the domain administrator user as well – That removes sharing and security problem (IMO)
-
My GPO's are mainly small/atomic settings: single GPO to handle each settings: UAC, Firewall, printers.
-
GPO status for the object is enabled
That's an overview of the Drive Maps:
Reading on MS support site, I checked the delegation tab, and it is marked as applied to domain and enterprise admins.
Every user gets these policies correctly.
The OU that is set is the root of the domain. (for testing purpose – I did that to eliminate hierarchy issues – did not help)
- Block Inheritance is disabled. (never used it anyway)
GPO link
GPO Security Filterings
Best Answer
I suspect you are falling foul of the fact that Domain Admins are part of a special set of groups that have their ACLs reset every hour by the domain controller.
See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q318180 for more details