How to Map Network Drives Using Group Policy (GPO)

Why use Group Policy to map drives

Mapped network drives are still the most common way users access shared file resources, even in environments that have moved most other workloads to the cloud. However, mapping a drive locally on every machine doesn't scale, and custom logon scripts get fragile the moment a share name, drive letter, or department membership changes. Group Policy Preferences solves this by treating drive mapping as a configuration object rather than a script. You define the mapping once in the Group Policy Management Console (GPMC), link the GPO to the relevant OU, and the policy applies automatically at the next user logon.

GPO drive mapping was introduced with Windows Server 2008 alongside Group Policy Preferences, and it has been the recommended approach over logon scripts ever since. It supports a graphical configuration interface, item-level targeting for fine-grained control over which users see which drive, and four distinct action types that cover the full life cycle of a mapped drive.

Prerequisites before mapping drives

Domain Administrator privileges (or a delegated account with permission to create and link GPOs in the target OU).
A shared folder reachable via UNC path (e.g., \\fileserver\sales) with both share and NTFS permissions configured for the users who need access.
The GPMC installed on your management workstation, available via the Remote Server Administration Tools (RSAT) feature.
Windows clients with the Group Policy Preferences Client Side Extension. This is built into Windows Vista SP1 and above, so any supported Windows version already has it.

Drive Maps action types

The Action field under the General tab determines what the policy does on the client machine. Picking the right action prevents the most common drive mapping issues, so it's worth understanding how they differ before configuring the preference item.

Create: Creates the mapped drive only if it does not already exist and leaves any existing mapping untouched. Use this for first-time deployment of a new drive letter.
Replace: Deletes the existing mapping and creates a fresh one with the configured settings. Use this when migrating an existing drive letter to a new UNC path.
Update: Modifies the existing mapping in place or creates one if none exists. Does not delete the drive first. This is the recommended default for day-to-day operations in most environments.
Delete: Removes the mapped drive. Use this when decommissioning a share or removing access for a department.

Note: The Update and Replace actions look interchangeable, but they aren't. Update preserves any client-side state and just refreshes the configuration. Replace drops the drive and rebuilds it from scratch for when the underlying UNC path has changed.

How to map a drive using Group Policy Preferences

The example below maps \\fileserver\sales as the S: drive for the sales department.

Step 1: Create the GPO

Press Win + R, type gpmc.msc, and press Enter to open the GPMC.
In the left pane, expand the forest and the domain, then right-click the OU containing the target users (e.g., Sales).
Select Create a GPO in this domain, and Link it here.
Give the GPO a descriptive name such as Sales-DriveMap and click OK.

Step 2: Configure the drive map

Right-click the new GPO and select Edit to open the Group Policy Management Editor.
Navigate to User Configuration > Preferences > Windows Settings > Drive Maps.
Right-click in the right pane and select New > Mapped Drive. The New Drive Properties dialog will open.
Under the General tab, configure the following:

Action: Select Update for standard deployments. Use Replace when you are moving an existing drive letter to a new UNC path.
Location: Enter the full UNC path, e.g., \\fileserver\sales.
Reconnect: Check this box. The drive will reconnect at every logon, equivalent to net use /persistent:yes.
Label as: Enter a friendly name shown in File Explorer, such as Sales Share.
Drive Letter: Select Use and pick the letter (e.g., S), or select Use first available, starting at to skip past any letter that is already in use.
Hide/Show this drive and Hide/Show all drives: Leave these as No change unless you have a specific reason to override the user's view of File Explorer.

Click OK to save the preference item.

Note: The Connect as option is no longer available. Microsoft removed the ability to store credentials inside a GPO to improve security.

Step 3: Apply the GPO

On a representative target machine, open Command Prompt and run:

Click to copy script

gpupdate /force

Sign out and sign back in. Drive Maps preferences process at logon, not during background refresh.
Open File Explorer to confirm the S: drive appears.
To verify which GPO applied the drive, run:

Click to copy script

gpresult /h gp.html

Open gp.html and navigate to User Configuration > Preferences > Windows Settings > Drive Maps.

How to map drives based on security group, OU, or other conditions

Linking a GPO to an OU applies the drive mapping to every user inside it, which is rarely what you want when shares are scoped by department or role. Item-level targeting (ILT), found under the Common tab of the preference item, lets a single GPO contain multiple drive mappings that each apply to a different subset of users.

To configure ILT for the sales drive map:

Open the drive map preference item and switch to the Common tab.
Click Item-level targeting and click the Targeting... button to open the Targeting Editor.
Click New Item and select a condition. The most-used options are:

Security Group: Apply the mapping only to members of a specified AD group.
Organizational Unit: Apply only to user accounts in a specified OU.
Operating System: Restrict by client OS version.
LDAP Query: Apply based on any LDAP filter against AD.
IP Address Range: Apply only to clients on a specified subnet.
Site: Restrict to clients in a specific AD site.

For a security group target, select Security Group, browse to the group (e.g., Sales-Team), and confirm.
To combine multiple conditions, click Add Collection and use AND/OR logic between items. You can also use Item Options > Is Not for exclusive matches, e.g., "apply this mapping unless the user is a member of ExcludePublicDrives."
Click OK twice to save.

ILT is evaluated at every Group Policy refresh, so a user who is added to a security group will see the new drive mapping appear within the standard 90-minute refresh interval, or sooner if you force an update. This is the same mechanism that lets a single GPO serve different mappings to different departments. Link the GPO high in the directory tree (typically at the domain or department parent OU), then let ILT do the per-user filtering.

How to map a personal home drive for each user

Alternative: Map drives using a logon script

Troubleshooting common drive mapping issues

When a drive doesn't appear or doesn't behave the way you expect, the Group Policy Drive Maps preference logs to the Application event log under the source Group Policy Drive Maps. Event ID 4098 is the catch-all entry for a preference processing failure, and the message text usually identifies the exact cause.

Drive does not appear after logon.
The drive letter is likely already in use on the target machine. Open the preference item and either set Drive Letter to Use first available, or change the action to Replace to force the mapping to be recreated. Run gpupdate /force and have the user log back on.
Drive appears but shows "Access is denied."
The GPO worked, but the user lacks permissions on the underlying share. They need at least Read on both share-level and NTFS layers, or Modify to edit files. Grant rights on both layers, ideally through a security group, then refresh the policy.
Drive maps for some users only.
Item-level targeting is almost always the cause. Open the preference item, switch to the Common tab, and review the Targeting rules. Common mistakes include referencing the wrong security group or combining AND and OR collections incorrectly.
gpresult shows the GPO applied, but no drive maps.
The Preferences client-side extension failed during the mapping itself. Check the Application event log for Event ID 4098 from Group Policy Drive Maps. The message indicates whether the UNC was unreachable, the share denied access, or a variable like %username% failed to resolve.
Drive maps intermittently.
This is usually fast logon optimization causing policy to apply after the desktop loads. Enable Always wait for the network at startup and logon under Computer Configuration > Policies > Administrative Templates > System > Logon. Logons take slightly longer but mappings become reliable.
DFS namespace path doesn't map.
Test the path manually with \domain.local\dfsroot\share to confirm it resolves. Verify that Active Directory Sites and Services has the client's subnet linked to the correct site, and that port 445 isn't blocked.
Drive maps but the user can't see files.
The mapping is running under the SYSTEM account instead of the user's, so the share is accessed with the wrong credentials. On the Common tab, enable Run in logged-on user's security context (user policy option), then refresh the policy.

If the drive mapping works manually with net use but fails through GPO, the most common cause is that the GPO is linked to the wrong scope. User-targeted preferences (under User Configuration) apply only when a user from the linked OU logs on. Computer-side mappings need a different approach, typically a startup script.

How to manage drive mapping GPOs at scale with ADManager Plus

Once your drive mapping GPO is configured in the GPMC, ManageEngine ADManager Plus extends what you can do with it across the rest of the domain through a single web console:

Bulk linking across OUs: Link a single drive mapping GPO to multiple OUs in one action, instead of linking each container individually in the GPMC.
On-demand policy refresh: Force an immediate GPO refresh on selected computers without waiting for the default 90-minute interval or running gpupdate /force on each machine.
Link order management: Adjust GPO link precedence where multiple drive mapping policies overlap on the same container, so the right mapping wins.
Cross-domain reuse: Copy or merge GPOs to reuse the same drive mapping configuration across domains without rebuilding the preference items by hand.
Drift detection through reports: Surface every container the GPO is linked to, where inheritance has been blocked, and which OUs share the same drive mapping policy.
Automated home folder provisioning: GPO management sits alongside User Creation Templates that populate the Home Folder path and Logon Script attributes during account creation. New hires receive their personal mapped drive automatically at first sign-in, with the home folder created on the file server and NTFS permissions set during provisioning rather than as a separate step.
Delegated help desk access: Technicians can run drive mapping changes through role-based delegation without domain admin rights, and every change moves through an audit-logged workflow before applying to AD.
Comprehensive visibility: 200+ prebuilt reports across users, computers, GPOs, and permissions keep visibility on every change.

FAQ

1. How can I map a network drive through Group Policy?

To map a network drive via Group Policy, open the GPMC, create a GPO, and link it to the OU containing the target users. Edit the GPO, navigate to User Configuration > Preferences > Windows Settings > Drive Maps, and add a new mapped drive with the UNC path, drive letter, and Update action. Run gpupdate /force on a target machine and have the user sign out and back in to apply the mapping.

2. How can I map a network drive for multiple users?

To map a network drive for multiple users, link a single GPO high in the directory tree, typically the domain or a department parent OU, and use item-level targeting under the Common tab of each Drive Map preference item to filter by Security Group, Organizational Unit, or LDAP Query. One GPO can hold multiple drive mappings, each scoped to a different subset of users, so a finance share maps only for Finance members while a marketing share maps only for Marketing members from the same policy.

3. How can I map a network drive through IP?

To map a network drive through IP, replace the server hostname in the UNC path with the server's IP address. For example, \\192.168.10.20\sales instead of \\fileserver\sales. The same syntax works in net use, in the Location field of a GPO Drive Map preference, and in File Explorer. Hostnames are preferred in production because mapping by IP bypasses Kerberos, falls back to NTLM authentication, and breaks if the server's IP changes.

4. How can I map a network drive through cmd?

To map a network drive through cmd, open Command Prompt and run net use [drive letter]: [UNC path]. For example, net use S: \\fileserver\sales. Add /persistent:yes to reconnect the drive at every logon, append /user:domain\username to specify alternate credentials, and run net use S: /delete to remove the mapping. Run net use with no arguments to list every drive currently mapped on the machine.

How to map drives using Group Policy