Tuesday, May 1, 2012

Windows Logon Script Fun (notes)

On Windows Vista/Windows 7, when you map a drive under your admin account, you will find that the mapped drive is not available after you switch to your full token via a RunAs or consent dialog. This is by design, because there are actually two tokens in play. The LSA recognizes at logon that you are an administrator and creates two logon sessions: the first with a "filtered" (non-admin) token, which is used to render your desktop, and the second holding your full token, which becomes available after a consent dialog.

Because there are two separate logons, there are two separate logon IDs. When network shares are mapped, they are linked to the logon session of the current process token, so you do not have access to the network drive from the alternate logon. This comes into play with logon scripts and in a number of other areas where you may require access to a network share from both tokens.

If you set the following key, it changes how SMB shares are mapped: the mapping is tied to the token, meaning the LSA checks whether there is a linked token associated with the user session and adds the network share to that logon as well. In short, after setting this, drives will be accessible from both tokens no matter which one they were mapped under.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
EnableLinkedConnections = 1 (DWORD)

---------------------------------------------------------------------------------
Logon script does not run (specifically when assigned via GPO)
Looks to also fix the NT4-style (user profile) logon script.

KB Article Number(s): 2550944
Language: All (Global)
Platform: i386
Location: (http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix368060/7600/free/433173_intl_i386_zip.exe)

-----------------------------------------------------------
KB Article Number(s): 2550944
Language: All (Global)
Platform: x64
Location: (http://hotfixv4.microsoft.com/Windows%207/Windows%20Server2008%20R2%20SP1/sp2/Fix368060/7600/free/433183_intl_x64_zip.exe)

---------------------------------------------------------------------------------

ifmember under Vista+ does not work

Two methods to make it work:

1. ifmember.exe can be made to work with Vista+ (Win7). The problem is that when the logon script loads, it is unable to find ifmember.exe because it cannot read it from a UNC path (e.g. \\DC01\NETLOGON). It then tries to read it from C:\Windows\System32 and fails unless you have placed a copy there. The workaround is to first map a drive to NETLOGON and then prefix your call to ifmember with the drive letter you mapped.

net use z: \\DC01\Netlogon

rem ifmember sets ERRORLEVEL to the number of listed groups the user belongs to
z:\ifmember "MY Group"
if errorlevel 1 net use m: \\Server\MYGroup

net use z: /delete

OR

2. Use the following

rem find sets ERRORLEVEL to 0 when the group name is present in the output, 1 otherwise
net user /domain %username% | find "MY Group"
if not errorlevel 1 (
net use m: \\Server\MYGroup
)
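As an added example (not from the original post), here is a PowerShell logon-script fragment that does the group check from the token itself instead of shelling out to ifmember.exe or parsing net user output, then reports whether the EnableLinkedConnections value described above is in effect; the group name 'MY Group' and share \\Server\MYGroup are the placeholders used in the post.

```powershell
# Added example, not part of the original post.
# Group name and share are the post's placeholders; adjust for your domain.

function Test-TokenGroupMembership {
    param([Parameter(Mandatory)][string]$GroupName)
    # Read the groups enabled in the current process token; no file on a
    # UNC path is needed, so this works before any drive is mapped.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            continue   # SIDs that no longer resolve (stale groups) are skipped
        }
        # Compare the part after DOMAIN\ case-insensitively
        if (($name -split '\\')[-1] -ieq $GroupName) { return $true }
    }
    return $false
}

function Get-LinkedConnectionsSetting {
    # Returns the DWORD from the Policies\System key; absent means default (0),
    # i.e. drive mappings stay private to the token that created them.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLinkedConnections `
        -ErrorAction SilentlyContinue).EnableLinkedConnections
    if ($null -eq $value) { return 0 }
    return [int]$value
}

if (Test-TokenGroupMembership -GroupName 'MY Group') {
    net use m: \\Server\MYGroup /persistent:no
}

if ((Get-LinkedConnectionsSetting) -ne 1) {
    Write-Warning 'EnableLinkedConnections is 0: drives mapped here are visible only to the filtered (non-elevated) token.'
}
```

Note that with EnableLinkedConnections set to 1 the sharing works in both directions, so a drive mapped from the elevated token also becomes reachable by anything running under the filtered token; weigh that against the convenience before rolling the key out broadly.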

Reader Comments (1)

Why not use GPP and WMI filters?

May 2, 2014 | Unregistered Commenter: The Honey Badger
