GPO — Drive Mappings

How to map network drives via Active Directory Group Policy, including item-level targeting, and how to map a drive manually in Windows 11.

Configuration Updated August 21, 2025

Even as more business data moves to the cloud, on-premises drive mapping is still a common pattern. Mapped drives give users predictable, fast access to files and folders on network shares and servers.

On Windows, you can create a drive mapping via Group Policy (GPO), via PowerShell, or by hand. This article covers the GPO approach (which is the right answer for a managed fleet) and shows how to add a drive manually for one-off cases.

Why GPO is the right default

A GPO drive map is centrally managed, easy to change, and supports item-level targeting so different users or devices can receive different drives. When you build a drive-mapping GPO you choose where to link it:

  • User OU — the drive map follows the user. Whichever device they sign in on, the drive is there.
  • Computer OU — the drive map follows the device. Whoever signs in to that computer gets the drive.

Best practice is to keep all drive mappings inside a single GPO and use item-level targeting to scope each entry to the right users, groups, or computers. One GPO keeps the picture clear and makes logon faster than scattering many GPOs across the directory. Link the GPO at a high-level OU (Users or Computers).

Creating a drive-mapping GPO

  1. On the domain controller, open Group Policy Management.
  2. Expand your domain and open Group Policy Objects.
  3. Right-click the container and choose New.
  4. Give the policy a name. A useful convention is to prefix with UPO_ for a user-targeted policy or CPO_ for a computer-targeted policy (e.g. UPO_Drive_Maps).
  5. Right-click the new policy and choose Edit.
  6. Under User Configuration, expand Preferences › Windows Settings.
  7. Right-click Drive Maps and choose New › Mapped Drive.

Choosing the right Action

The Action dropdown has four options. The differences matter:

  • Create — make a new mapped drive.
  • Replace — recreate the mapping every time. If it doesn’t exist, create it; otherwise overwrite. Replace briefly disconnects the drive during every Group Policy refresh (~90 minutes), which can break long-running applications.
  • Update — modify the listed settings on an existing mapping or create one if it’s missing. Other settings on the existing drive are left alone.
  • Delete — remove a mapped drive.

Use Update. It avoids the periodic disconnect that Replace causes while still keeping the mapping in sync with the policy.

Tip. Create a DNS CNAME for the file server and reference the alias (not the server name) in the share path. When the shares move to a new server later, you only update DNS.

Filling in the mapping

  1. Set Action to Update.
  2. Enter the share location (UNC path).
  3. Make sure Reconnect is enabled.
  4. Optionally give the folder a friendly label.
  5. Assign a drive letter. Fixed letters are easier for users to remember than first-available.

The Hide/Show this drive option in the lower-left lets you create a hidden mapping — useful when an application needs the drive but the user shouldn’t browse it directly. (Even better: hard-code the UNC path inside the application and skip the mapping altogether.)

Item-level targeting

Targeting scopes the mapping to specific users, groups, OUs, or devices instead of applying to everyone the GPO covers. With targeting in place, you can reuse the same drive letter across multiple mappings as long as no user receives two of them.

  1. Open the Common tab on the drive mapping.
  2. Enable Run in logged-on user’s security context.
  3. Enable Item-level targeting.
  4. Click Targeting….

Targeting supports a wide range of conditions and lets you combine them with AND/OR. The most common conditions are security group, OU, or specific user. For example, to give both the IT and Management security groups access:

  1. In the Targeting Editor, click New Item.
  2. Choose Security Group and select IT.
  3. Click New Item again, choose Security Group, select Management.
  4. With the Management row selected, click Item Options and change it to OR.

Collections for complex rules

A collection groups rules together so the whole group must evaluate true. Collections are the easiest way to express something like “all IT members, OR Management users on a computer in the Amsterdam OU”:

  1. Click Add Collection.
  2. Set the collection’s item option to OR.
  3. Right-click the collection and add a Security Group target pointing at the Management group.
  4. Add a second target on the collection: Organizational Unit, pointing at the Amsterdam computers OU. Apply this one to Computer in OU.

Variables in the share path

You can use variables inside the share path so a single mapping serves a per-user folder (typical for home drives). Press F3 inside the New Drive Properties dialog to see the available variables. Whenever you use them, make sure Run in logged-on user’s security context is enabled on the Common tab.

Optimizing and assigning the GPO

A user-only GPO doesn’t need to evaluate any computer settings, so disabling that half speeds up logon processing:

  1. Right-click the policy.
  2. Choose GPO Status.
  3. Select Computer Configuration Settings Disabled.

Then link the GPO to the OU you want to apply it to:

  1. Navigate to the target OU.
  2. Right-click and choose Link an Existing GPO.
  3. Pick your drive-mapping policy.

Roll it out to a small pilot group first, then expand once you’ve verified it’s behaving.

Mapping a drive manually in Windows 11

For one-off mappings — temporary needs, or a home network without a domain — Windows 11’s File Explorer can do this directly:

  1. Open File Explorer.
  2. Click the (more options) menu in the toolbar.
  3. Choose Map network drive.
  4. Pick a drive letter and the UNC path of the share.
  5. Tick Reconnect at sign-in so the mapping persists across reboots.
  6. Tick Connect using different credentials if the share requires a separate account (typical with NAS devices).

Verifying mappings

Group Policy refreshes roughly every 90 minutes; you can force a refresh immediately with gpupdate /force. After that:

  • Open File Explorer to see the mapped drives.
  • For hidden mappings, run net use in Command Prompt or PowerShell — it lists every active mapping, its drive letter, and the underlying network path.
  • If the policy isn’t applying as expected, use the RSoP (Resultant Set of Policy) utility to walk through what Group Policy actually evaluated for that user on that machine.

A final piece of advice

If a user needs access to many sibling folders under one parent share, map the parent folder once and set permissions on each subfolder. That’s almost always cleaner than maintaining a dozen sub-folder mappings.

Related articles