Identify Domain computers

Question
-
I am trying to identify domain computers using a network policy. For this, I am using a condition "Windows Group - Domain computers". This is the first network policy in the list. The domain computers are just getting past this policy as if they are not identified as domain computers. Any thoughts?
Where does NPS obtain the client information (like AD domain name, group membership, logged in username etc) from?
Thanks,
Mayur
Mayur, Tuesday, September 1, 2009 11:40 PM
Answers
-
Never mind, it was a stupid error in testing.
I read your other thread where you are discussing how to identify the OS during the NAP check. The test scenario you discussed is similar to what I am trying to achieve. It's unfortunate that I cannot identify domain computers that have the NAP agent off.
I can always assume that the domain computers will always have the NAP agent on, but that creates a loophole for the users who will figure out how to get past the NAP check while still using a domain computer.
Thanks anyway.
Mayur, Wednesday, September 2, 2009 6:17 PM
Marked as answer by Greg Lindsay (Microsoft employee), Thursday, September 3, 2009 3:47 AM
All replies
-
Hi,
Unless you perform machine authentication in connection request policy, you must have NAP agent running on the client to use the security group condition. This is because the FQDN is provided in a SoH. The FQDN is needed to match the group membership.
-Greg, Wednesday, September 2, 2009 2:10 AM
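Greg's point is that NPS only learns the client's FQDN, and therefore its group membership, from the Statement of Health the NAP agent sends. As an added example (not from this thread or from Microsoft), the PowerShell audit below reports which domain-joined computers have the NAP Agent service (napagent) stopped, i.e. the machines that would send no SoH and so fall through a "Windows Group" condition; it assumes the RSAT ActiveDirectory module and remote service-control access to the clients.

```powershell
# Added example: audit NAP Agent service state across domain computers.
# Assumes the ActiveDirectory module (RSAT) and RPC access to each client.
Import-Module ActiveDirectory

function Get-NapAgentAudit {
    param(
        # Constructed default: every enabled computer object in the domain
        [string]$Filter = 'Enabled -eq $true'
    )
    Get-ADComputer -Filter $Filter -Properties DNSHostName | ForEach-Object {
        $name  = $_.DNSHostName
        $state = 'Unreachable'
        try {
            # Service name of the "Network Access Protection Agent" is napagent
            $svc   = Get-Service -ComputerName $name -Name napagent -ErrorAction Stop
            $state = $svc.Status.ToString()   # Running or Stopped
        } catch {
            # Host offline, RPC blocked, or service not present on that OS
        }
        [pscustomobject]@{
            Computer  = $name
            NapAgent  = $state
            # A domain computer with the agent stopped sends no SoH, so NPS
            # cannot match it against the "Domain Computers" group condition
            NoSoH     = ($state -ne 'Running')
        }
    }
}

# Usage: list only the computers that would bypass the group-based policy
Get-NapAgentAudit | Where-Object { $_.NoSoH } | Format-Table -AutoSize
```

Hosts reported as Stopped are the case Mayur describes; enforcing the service's startup type through Group Policy (Computer Configuration, Windows Settings, Security Settings, System Services) closes that gap on domain members.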
Hi Greg,
If FQDN is provided in SoH, then NPS should be able to identify my client as a domain computer since the client does have NAP agent running.
Mayur, Wednesday, September 2, 2009 3:36 PM
Hi Mayur,
If I understand the problem, you need to let non-domain joined machines have access even if NAP is OFF, but restrict access for domain computers that have NAP turned OFF.
Aren't non-domain computers more of a risk than domain computers? Why would you want to grant access to these computers? Is it because it is too difficult for these computers to be nap-capable whereas domain computers are expected to provide their statement of health? I'm just curious why this type of configuration is needed. Typically, you would apply the same access to all computers that are non NAP-capable.
-Greg, Wednesday, September 2, 2009 9:10 PM
The requirement is to only manage domain computers with NAP, we have another solution that will be used for non-domain computers.
Mayur, Wednesday, September 2, 2009 9:47 PM