Identify Domain computers

  • Question

  • I am trying to identify domain computers using a network policy. For this, I am using a condition "Windows Group - Domain computers". This is the first network policy in the list. The domain computers are just getting past this policy as if they are not identified as domain computers. Any thoughts?

    Where does NPS obtain the client information (like AD domain name, group membership, logged in username etc) from?

    Thanks,
    Mayur
    Tuesday, September 1, 2009 11:40 PM

Answers

  • Never mind, it was a stupid error in testing.

    I read your other thread where you are discussing how to identify OS during NAP check. The test scenario you discussed is similar to what I am trying to achieve. It's unfortunate that I cannot identify domain computers that have NAP agent off.

    I can always assume that the domain computers will always have the NAP agent on, but that creates a loophole for the users who will figure out how to get past the NAP check while still using a domain computer.

    Thanks anyway.


    Mayur
    Wednesday, September 2, 2009 6:17 PM

All replies

  • Hi,

    Unless you perform machine authentication in connection request policy, you must have NAP agent running on the client to use the security group condition. This is because the FQDN is provided in a SoH. The FQDN is needed to match the group membership.

    -Greg
    Wednesday, September 2, 2009 2:10 AM
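    One way to see this behaviour in the NPS logs is to check, per connection, whether NPS had a client machine FQDN at all and which network policy it ended up matching. This is an added example, not from the thread or from Microsoft; it assumes NPS audits to the Security log (events 6272 granted / 6273 denied), that the EventData field names below match your events (verify against one of your own 6272 events), and that the first network policy is named "Domain Computers".

```powershell
# Added example (not from the thread). Assumed: NPS logs 6272/6273 to the
# Security log, and the EventData names below match your NPS event XML.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } -MaxEvents 500

$rows = foreach ($e in $events) {
    # Read the structured EventData instead of scraping the message text
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    [pscustomobject]@{
        Time          = $e.TimeCreated
        Result        = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
        User          = $d['FullyQualifiedSubjectUserName']
        # Empty when the client sent no SoH and no machine authentication was done
        MachineFqdn   = $d['FullyQualifiedSubjectMachineName']
        NetworkPolicy = $d['NetworkPolicyName']
        Quarantine    = $d['QuarantineState']
    }
}

# Connections with no machine FQDN that fell through to a later policy:
# NPS could not evaluate the "Windows Groups - Domain Computers" condition for
# these, so they were treated as non-domain computers. The policy name is an
# assumed placeholder; replace it with your own first policy's name.
$rows |
    Where-Object { [string]::IsNullOrEmpty($_.MachineFqdn) -and $_.NetworkPolicy -ne 'Domain Computers' } |
    Sort-Object Time -Descending |
    Format-Table Time, Result, User, NetworkPolicy, Quarantine -AutoSize
```

    A domain-joined client that shows up here with the NAP agent stopped is exactly the case described above: without the SoH there is no FQDN for the group match, and only machine authentication in the connection request policy closes that gap.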
  • Hi Greg,
    If FQDN is provided in SoH, then NPS should be able to identify my client as a domain computer since the client does have NAP agent running.
    Mayur
    Wednesday, September 2, 2009 3:36 PM
  • Hi Mayur,

    If I understand the problem, you need to let non-domain joined machines have access even if NAP is OFF, but restrict access for domain computers that have NAP turned OFF.

    Aren't non-domain computers more of a risk than domain computers? Why would you want to grant access to these computers? Is it because it is too difficult for these computers to be NAP-capable whereas domain computers are expected to provide their statement of health? I'm just curious why this type of configuration is needed. Typically, you would apply the same access to all computers that are non-NAP-capable.

    -Greg
    Wednesday, September 2, 2009 9:10 PM
  • The requirement is to only manage domain computers with NAP, we have another solution that will be used for non-domain computers.
    Mayur
    Wednesday, September 2, 2009 9:47 PM