
Automate Mapped-Drive Setup with a Logon Batch Script
Before you run this
This guide sets up a .bat logon script that runs net use to attach network shares to fixed drive letters (for example S: and H:) every time a user signs in on a domain-joined Windows machine. Its purpose is consistent, hands-off drive mapping so users don't set them up manually.
- What it changes: it removes any existing mapping on the drive letters you name, then re-creates them pointing at your file server. It does not touch files, share permissions, or user accounts — only the client-side drive-letter-to-UNC associations in each user's session. Deployment happens through a Group Policy Object, which changes how logon behaves for every user in the GPO's scope.
- Privileges: the script itself runs unprivileged, in the user's own context, at logon — that is by design and it needs no elevation. Editing the GPO and writing to NETLOGON does need domain rights (a member of Domain Admins or someone delegated Group Policy edit rights and write access to the SYSVOL scripts folder).
- Test first: read the script, then try it on a single test account in a lab OU or a test VM before you scope it to real users. Link the GPO to a small test OU, sign in as a throwaic test user, and confirm the drives look right. Do not link it at the domain root as your first move.
- Reversibility: this is easy to undo. Mappings made with
/persistent:novanish at logoff, and removing the script from the GPO stops it entirely. Nothing here is irreversible — but a wrong server path or a drive-letter collision will confuse every user in scope, so treat the rollout scope with care.
What I'm assuming
- An Active Directory domain (Windows Server 2016 or later) with SYSVOL replicating normally.
- Windows 10/11 domain-joined clients.
- You manage policy from a machine with the Group Policy Management Console (RSAT).
- The file server and shares already exist and users already have NTFS/share permissions on them. This guide maps drives; it does not create shares or set permissions.
One note before we start: Microsoft's current mainstream mechanism for this is Group Policy Preferences → Drive Maps (User Configuration → Preferences → Windows Settings → Drive Maps), which supports item-level targeting per group without any scripting. If you're building this fresh, that's worth knowing by name. This guide covers the classic logon batch script because it's simple, transparent, and still completely standard — plenty of environments run it.
The script
Save this as map-drives.bat. Replace fileserver.example.com and the share names with your own. %USERNAME% is expanded automatically by the shell to the logged-on user's name — leave it as-is.
@echo off
rem map-drives.bat - runs at logon in the user's context.
rem Maps departmental and home drives via net use.
rem Clear any existing mapping on these letters first so we start clean.
rem 2>nul hides the "not connected" error when there is nothing to remove.
net use S: /delete 2>nul
net use H: /delete 2>nul
rem Shared departmental drive, same for everyone in scope.
rem /persistent:no means the mapping is rebuilt each logon, never cached stale.
net use S: \\fileserver.example.com\Shared /persistent:no
rem Per-user home drive: the share has a folder named for each user.
net use H: \\fileserver.example.com\Home\%USERNAME% /persistent:no
exit /b 0
A few things worth saying plainly:
- I delete before I map. If a user already has a leftover mapping on
S:,net use S: \\...would fail with "local device name already in use." Clearing first avoids that. - I use
/persistent:noon purpose. Persistent mappings get cached in the user's profile and reconnect on their own, which causes stale or duplicate mappings when servers change. Letting the logon script rebuild them every time is cleaner. - I do not put a password on the
net useline. In a domain the user's Kerberos ticket authenticates them to the share. Never hard-code credentials in a logon script — it sits in NETLOGON where every authenticated user can read it.
Mapping different drives for different groups
The honest answer: conditional-by-group logic in a batch file is awkward, and there's no built-in net switch that says "only if the user is in group X." People historically used the Resource Kit ifmember.exe tool for this — I'm not going to reproduce its syntax from memory, so if you go that route, check its own documentation. For anything group-conditional, Group Policy Preferences Drive Maps with item-level targeting is the cleaner, supported path and I'd steer you there rather than growing this batch file. Keep the script for the simple "everyone gets the same drives" case.
Deploy it through a GPO
- Copy
map-drives.batinto the NETLOGON share. From an admin session on a DC, that's the scripts folder under SYSVOL, reachable as\\example.com\NETLOGON(substitute your domain). Putting it here means it replicates to all DCs and every client can read it. - Open Group Policy Management, create or pick a GPO, and link it to the OU that contains your test users first.
- Edit the GPO and navigate to: User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff).
- Double-click Logon, click Add, and in the Script Name box enter just the file name,
map-drives.bat. When a script lives in the default NETLOGON location, the name alone is enough — you don't need the full path. Leave Script Parameters blank. - Apply, close the editor.
Group Policy refreshes on its own, but logon scripts apply at the next sign-in, so for testing just sign the test user out and back in.
Verify it worked
Sign in as the test user, open a command prompt, and run:
net use
You should see S: and H: listed as OK with their UNC paths. Open File Explorer and confirm both drives appear and you can browse them. If a drive shows as Disconnected, that usually means a name or permission problem on the share, not the script — test the UNC path directly with net use S: \\fileserver.example.com\Shared typed by hand and read the exact error.
To confirm the GPO itself reached the client, run:
gpresult /r /scope user
and check that your GPO appears under Applied Group Policy Objects.
Undo and rollback
Because this is non-destructive, backing out is quick:
Remove one session's mappings immediately:
net use S: /delete net use H: /deleteOr clear everything the user has mapped with
net use * /delete(it will prompt for confirmation).Stop the automation: in the GPO's Logon scripts dialog, select the script and click Remove. Users lose the mappings at their next logoff/logon since they were
/persistent:no.Kill it faster: unlink or disable the GPO in Group Policy Management. Nothing is left behind on the clients once they refresh and users sign in again.
The script file in NETLOGON can be deleted separately once no GPO references it.
For the exact, current syntax of the net use command and its switches, see Microsoft Learn's "net use" reference rather than trusting anyone's remembered flags — including mine. And if you outgrow the single-script approach, read up on Group Policy Preferences Drive Maps on Microsoft Learn; it's where most of this eventually belongs.
Runs enterprise networks and security for a living, and writes Shore Up to turn two decades of hands-on Linux, Windows and mail-server work into guides you can actually use.
More about the author →Was this article helpful?
Tap a star — no sign-in needed.
Be the first to rate this article.
