Automatically Map Network Drives at Login with Stored Credentials (Task Scheduler + PowerShell)


Difficulty: Intermediate | Time Required: 20 minutes

Introduction

Mapping network drives automatically at login is a common need for sysadmins and power users. This tutorial shows a secure, repeatable method using a small PowerShell script plus a Scheduled Task that runs at user logon. This approach works well on Windows 10 and Windows 11 (and corresponding Server releases) and avoids storing plain-text passwords in scripts. It uses an encrypted credential file (Export-Clixml) or Credential Manager options and explains pros/cons.

Prerequisites

  • Windows 10 or Windows 11 (client) — Task Scheduler and PowerShell are built-in.
  • Local user account or domain account that will own the saved credential file.
  • Administrative rights to create folders and scheduled tasks (you do not need to run the mapping script as Administrator if you map within the user's session).
  • Network share path(s) you want to map (e.g., \\fileserver\share).
  • Basic familiarity with PowerShell and Task Scheduler UI.
Notes on security
  • Export-Clixml stores the password encrypted using the Windows Data Protection API (DPAPI). The file can only be decrypted by the same user on the same machine. This is generally secure for single-user scenarios.
  • Credential Manager (cmdkey) can also be used; those credentials are stored in Credential Manager and are accessible to accounts that can access that store—use with caution on shared PCs.
  • Avoid embedding plain-text passwords in scripts.

Step-by-step instructions

1) Create a folder for your scripts
  1. Press Windows+R, type powershell, and press Enter.
  2. Create a script folder, e.g.:
    New-Item -Path "$env:USERPROFILE\Scripts" -ItemType Directory -Force
  3. Note: store scripts in a location accessible by the user account that will run them.
2) Save credentials securely (Export-Clixml method)
  • Run PowerShell as the user who will log on (important: the file is user/machine-bound):
    1. Prompt for credentials and save encrypted:
      Code:
      $cred = Get-Credential
      $cred | Export-Clixml -Path "$env:USERPROFILE\Scripts\netcreds.xml"
    2. When prompted, enter the username (DOMAIN\user or server\user) and password.
  • Security note: this file is encrypted with DPAPI and only readable by this user on this machine.
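Alternative (Credential Manager)
  • If you prefer Credential Manager:
    cmdkey /add:fileserver /user:DOMAIN\user /pass:YourPassword
  • A password typed after /pass: is on the command line in plain text and can end up in your shell history. If you give /pass with no value, cmdkey prompts for the password instead.
  • The Scheduled Task/script can then call net use or New-PSDrive without passing a password. Be aware cmdkey stores credentials in Credential Manager.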
3) Create the mapping PowerShell script
  1. Create a PowerShell script file:
    Code:
      $scriptPath = "$env:USERPROFILE\Scripts\MapNetworkDrives.ps1"
      # Single-quoted here-string: the $variables below are written to the file
      # literally instead of being expanded (to empty strings) right now.
      # When pasting, the closing '@ must be at the very start of its line.
      @'
      # Delay to allow network to initialize
      Start-Sleep -Seconds 10

      # Import credential (DPAPI encrypted XML)
      $cred = Import-Clixml -Path "$env:USERPROFILE\Scripts\netcreds.xml"

      # Create (or update) persistent mapped drive(s)
      # Example: map Z: to \\fileserver\share
      $driveLetter = 'Z'
      $remotePath = '\\fileserver\share'

      # Remove existing mapping if present (optional)
      if (Test-Path -Path "$driveLetter`:") {
          Remove-PSDrive -Name $driveLetter -Force -ErrorAction SilentlyContinue
      }

      # -Scope Global keeps the persistent drive alive after this script's scope ends
      New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root $remotePath -Credential $cred -Persist -Scope Global -ErrorAction Stop
      '@ | Out-File -FilePath $scriptPath -Encoding UTF8 -Force
  2. Edit the $driveLetter and $remotePath values to match your requirements.
  3. Test the script manually in your PowerShell session:
    & "$env:USERPROFILE\Scripts\MapNetworkDrives.ps1"
    Verify the drive appears in File Explorer and by running Get-PSDrive.
4) Create a Scheduled Task that runs at logon
GUI method (recommended):
  1. Open Task Scheduler (Start → Task Scheduler).
  2. Click “Create Task…” (not “Create Basic Task”).
  3. On the General tab:
    • Name: Map Network Drives at Logon
    • Configure for: Windows 10/11
    • Select “Run only when user is logged on” (so drive mappings are visible in the interactive session).
    • Optionally check “Run with highest privileges” only if required.
  4. On the Triggers tab:
    • New… → Begin the task: At log on
    • Select the specific user or “Any user” depending on your scenario.
    • Optionally set a delay (e.g., Delay task for: 30 seconds) to let the network initialize.
  5. On the Actions tab:
    • New… → Action: Start a program
    • Program/script: powershell.exe
    • Add arguments:
      -ExecutionPolicy Bypass -NoProfile -File "C:\Users\YourUser\Scripts\MapNetworkDrives.ps1"
      (Adjust the path to your script.)
  6. Conditions tab:
    • Clear “Start the task only if the computer is on AC power” if you want it to run on battery.
    • Consider enabling “Start only if the following network connection is available” (if present).
  7. Settings tab:
    • Allow task to be run on demand, and restart if it fails.
  8. Click OK. If asked for credentials, provide the account that owns/should run the task (for the user-bound Export-Clixml method, schedule it under the same user).
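CLI method (schtasks):
  • Example (/IT registers the task as “Run only when user is logged on”, matching the GUI setting above, so the mapping lands in the interactive session):
    schtasks /Create /TN "Map Network Drives" /TR "powershell.exe -ExecutionPolicy Bypass -NoProfile -File \"C:\Users\YourUser\Scripts\MapNetworkDrives.ps1\"" /SC ONLOGON /RU YourUser /IT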
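Step 4 can also be done with the ScheduledTasks module, which lets you set the interactive logon type, the non-elevated run level and the 30-second delay explicitly and then read them back. This is an added example, not part of the original tutorial; the task name and script path are the ones assumed in the steps above, and it targets the currently logged-on user.

```powershell
# Added example: register the logon task for the current user and verify it.
$user       = "$env:USERDOMAIN\$env:USERNAME"   # must be the user who exported netcreds.xml
$scriptPath = Join-Path $env:USERPROFILE 'Scripts\MapNetworkDrives.ps1'
$taskName   = 'Map Network Drives at Logon'

if (-not (Test-Path -LiteralPath $scriptPath)) {
    throw "Script not found: $scriptPath"
}

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-ExecutionPolicy Bypass -NoProfile -File `"$scriptPath`""

# Fire only on this user's logon, 30 seconds after it (ISO 8601 duration)
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $user
$trigger.Delay = 'PT30S'

# Interactive = "Run only when user is logged on"; Limited = no "highest privileges"
$principal = New-ScheduledTaskPrincipal -UserId $user -LogonType Interactive -RunLevel Limited

# Run on battery too, and retry up to 3 times at 1-minute intervals on failure
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries `
    -RestartCount 3 -RestartInterval (New-TimeSpan -Minutes 1)

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Read the task back so the security-relevant settings can be checked at a glance
$task = Get-ScheduledTask -TaskName $taskName
[pscustomobject]@{
    RunAs     = $task.Principal.UserId
    LogonType = $task.Principal.LogonType
    RunLevel  = $task.Principal.RunLevel
    Action    = "$($task.Actions[0].Execute) $($task.Actions[0].Arguments)"
}
```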
5) Test login behavior
  • Log off and log back on (or reboot) and verify the mapped drive appears.
  • If it does not appear, run the script manually and check errors.

Tips and troubleshooting

  • Delay issues: If the mapping fails at logon because the network isn’t ready, add Start-Sleep at the top of the script (10–30s) or set a delayed trigger in Task Scheduler.
  • Permissions: Ensure the script and netcreds.xml file have file permissions that prevent other users from reading them. The DPAPI file is user-bound, but keep folder ACLs restrictive.
  • Execution policy: Use -ExecutionPolicy Bypass in the task action to avoid changing system-wide execution policy.
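  • Use New-PSDrive -Persist to make the mapping visible in File Explorer. Mappings created only in the PowerShell session may not persist to Explorer. When New-PSDrive runs inside a script, also pass -Scope Global so the drive is not dropped when the script's scope ends.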
  • Error logging: Add Try/Catch and Out-File to capture errors:
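    Code:
    try {
        # -ErrorAction Stop makes a failed mapping a terminating error, so catch runs
        New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root $remotePath -Credential $cred -Persist -Scope Global -ErrorAction Stop
    } catch {
        # Append the error record to a per-user log for later review
        $_ | Out-File "$env:USERPROFILE\Scripts\MapDriveError.log" -Append
    }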
  • Domain environments: For large-scale deployments, prefer Group Policy Preferences (Drive Maps) or logon scripts via Group Policy for centralized management.
  • Credential Manager alternative: If using cmdkey, verify credentials appear in Credential Manager (Control Panel → Credential Manager → Windows Credentials).
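For the Permissions tip above: the task runs whatever MapNetworkDrives.ps1 contains at every logon, so write access to the Scripts folder matters as much as read access to netcreds.xml. The following added example (not part of the original tutorial) restricts the tutorial's Scripts folder to the owning user, SYSTEM and Administrators, then lists any other identity that still has access; the allowed set is an assumption you can tighten.

```powershell
# Added example: lock down the Scripts folder ACL, then audit it.
$dir = Join-Path $env:USERPROFILE 'Scripts'
$allowed = @(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value  # current user's SID
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

$acl = Get-Acl -LiteralPath $dir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting; discard inherited entries
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)        # drop existing explicit entries
}
foreach ($sid in $allowed) {
    $id   = [System.Security.Principal.SecurityIdentifier]$sid
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $id, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $dir -AclObject $acl

# Audit the folder and everything in it: files carrying their own explicit
# entries are not reset by the folder change, so check each one.
$paths = @($dir) + @(Get-ChildItem -LiteralPath $dir -Recurse -Force | ForEach-Object FullName)
$unexpected = foreach ($p in $paths) {
    foreach ($ace in (Get-Acl -LiteralPath $p).Access) {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Allow' -and $sid -notin $allowed) {
            [pscustomobject]@{
                Path     = $p
                Identity = $ace.IdentityReference
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

if ($unexpected) { $unexpected | Format-Table -AutoSize }
else { 'No unexpected access entries on the Scripts folder.' }
```

Run it as the user who owns the folder; any row in the output is an account other than the three allowed ones that can still read or modify the credential file or the script.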

Warnings

  • Never store plain-text passwords in scripts or scheduled task arguments.
  • Export-Clixml is safe for single-user, single-machine use; it is not portable across machines or users.
  • If choosing cmdkey, be aware Credential Manager entries can be managed or cleared by the user or by system policies.

Conclusion

Using a PowerShell script plus a Scheduled Task to map network drives at logon provides a secure, automated way to ensure users have the network resources they need without manual steps. Storing credentials with Export-Clixml (DPAPI) keeps passwords encrypted and usable only by the same user on the same machine. This method is flexible, works on Windows 10 and Windows 11, and avoids putting plain-text passwords in scripts.
Key Takeaways:
  • Use Export-Clixml to securely store credentials encrypted to the current user/machine.
  • Use New-PSDrive -Persist in a PowerShell script to create mappings visible to File Explorer.
  • Schedule the script to run at logon via Task Scheduler; add a short delay to allow network readiness.
  • Avoid storing plain-text passwords; prefer DPAPI or Credential Manager with awareness of security trade-offs.
  • For enterprise-scale deployments, consider Group Policy Preferences instead.
