Windows Group Conditions on NAP for domain computers

  • Question

  • I read several topics about the problem related to using Windows Group as a condition in NAP. I need to use this condition. My domain computers don't have any problem, because all NAP requirements are configured; my problem is related to domain computers from other domains in the same forest. Let me explain: only my domain (sa.bm.net) has NAP configured, and we receive several visitors from other domains, and my NAP blocks them.

    I would like to create a rule to enable full access using a "Windows Group" condition for "uk\domain computers, eu\domain computers..."

    The latest information is that the DHCP packet sent when the client is not NAP-capable doesn't contain the FQDN, which is needed to recognize it as a member of a domain security group. Only the machine name is sent. One way of working around this would be to use the MAC address instead, but I know this isn't really an acceptable solution. We are still looking into it, and perhaps there is another workaround, such as a registry key that can be set to enable sending the FQDN. If not, this may require a patch.

    Does anyone know any news about this problem?

    Sorry, my English is not good yet.


    MCP, MCDST, MCTS(Forefront, Windows7, Windows2008), MCSA, MCSE, MCT, ITIL, Vencedor do Winthe7.com.br 2009, Quarto lugar Copa de Talentos Microsoft 2010
    Thursday, February 17, 2011 6:30 PM

Answers

  • Hi,

    In the case of a non-domain computer, you are correct that the FQDN is not sent. However, if the computer has configured the primary DNS suffix in computer properties, this is sent if the computer is NAP-capable. In the case of a non-NAP capable computer, nothing is sent (because FQDN is contained in the NAP packet). So, you cannot use a Windows Groups condition here. You can use the MAC address condition as you described, but there is no other workaround.

    -Greg

    • Marked as answer by Adriano Neiva Friday, February 18, 2011 1:40 PM
    Friday, February 18, 2011 4:31 AM

All replies

  • Hi Adriano,

     

    Thanks for posting here.

     

    > my problem is related with domain computers from another domains from the same forest

     

    You should creating two-way trust between both domain(uk and eu in this case), so that NPS(Radius) server could connect with domain controller to authenticate for computer accounts that are not members of the domain in which the NPS(Radius) server is a member.

     

    Please read the articles below and get a better understanding:

     

    Trust Technologies

    http://technet.microsoft.com/en-us/library/cc759554(WS.10).aspx

     

    Active Directory Domains and Trusts

    http://technet.microsoft.com/en-us/library/cc770299.aspx

     

    Administering Domain and Forest Trusts

    http://technet.microsoft.com/en-us/library/cc816880(WS.10).aspx

     

    Thanks.

     

    Tiger Li

    • Marked as answer by Adriano Neiva Friday, February 18, 2011 1:40 PM
    • Unmarked as answer by Adriano Neiva Friday, February 18, 2011 1:40 PM
    Friday, February 18, 2011 5:09 AM
  • Hi Tiger,

    I didn't explain correctly: the domains are part of the same tree. There is a root domain named bm.net, mine is sa.bm.net, and there are others like eu.bm.net, uk.bm.net, etc.

    Another piece of information relates to the primary DNS suffix: all computers have this configured.

    I know it is possible to create, for all the other domains, the same GPO to enable the "Network Access Protection" service and the "Security Center" service and to enable DHCP enforcement by GPO; I think this will solve my problem. Before that, I will look for news about enabling full access based on Windows Groups for computers from the domains of my tree. I am creating MAC exception rules every day for my visitors from other domains, and it is causing much inconvenience.

    Thanks a lot.


    MCP, MCDST, MCTS(Forefront, Windows7, Windows2008), MCSA, MCSE, MCT, ITIL, Vencedor do Winthe7.com.br 2009, Quarto lugar Copa de Talentos Microsoft 2010
    Friday, February 18, 2011 10:32 AM
  • Today I made some tests using a computer from another domain. After manually starting the Network Access Protection service and using the MMC snap-in "NAP Client Configuration" / Enforcement Clients / DHCP Quarantine Enforcement Client (Enable), we had success with the network policy "Windows Group" exception for a domain computer from another domain, and success too with the NAP Compliant rule, because this machine had antivirus installed and updated.

    I found the following comment about that: "you must have NAP agent running on the client to use the security group condition. This is because the FQDN is provided in a SoH. The FQDN is needed to match the group membership".

    MCP, MCDST, MCTS(Forefront, Windows7, Windows2008), MCSA, MCSE, MCT, ITIL, Vencedor do Winthe7.com.br 2009, Quarto lugar Copa de Talentos Microsoft 2010
    Friday, February 18, 2011 1:40 PM
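
For the procedure Adriano describes in the last post (start the NAP Agent service and enable the DHCP Quarantine Enforcement Client so the client's Statement of Health carries its FQDN), here is an added PowerShell equivalent that is not from the thread or from Microsoft's documentation. It assumes the standard DHCP enforcement client ID 79617 and reads the primary DNS suffix from the Tcpip\Parameters registry key; run it elevated on a test client, and push the same settings by GPO in production.

```powershell
# Added example (not from the thread): make a domain client NAP-capable so its
# DHCP request carries a SoH with the FQDN that the NPS "Windows Groups"
# condition needs to match a domain computer group.
# Assumption: 79617 is the standard ID of the DHCP Quarantine Enforcement Client.

$svc = 'napagent'   # Network Access Protection Agent service

# 1. NAP Agent must start automatically and be running (the GPO equivalent is
#    setting the service startup type under Computer Configuration).
Set-Service -Name $svc -StartupType Automatic
if ((Get-Service -Name $svc).Status -ne 'Running') {
    Start-Service -Name $svc
}

# 2. Enable the DHCP Quarantine Enforcement Client, the same switch the
#    "NAP Client Configuration" MMC snap-in exposes.
netsh nap client set enforcement ID = 79617 ADMIN = "ENABLE"

# 3. Check the primary DNS suffix: without it the SoH has no FQDN to match,
#    which is the failure mode Greg describes for the group condition.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$suffix = (Get-ItemProperty -Path $params).'NV Domain'
if ([string]::IsNullOrEmpty($suffix)) {
    Write-Warning 'No primary DNS suffix set; the SoH cannot carry a FQDN for group matching.'
} else {
    Write-Host "FQDN the client will report: $env:COMPUTERNAME.$suffix"
}

# 4. Verify the result: the agent should be Running and enforcement client
#    79617 (DHCP) should be listed as Enabled.
netsh nap client show state
```

If the client still lands in the restricted network after this, check the NPS event log on the server for the evaluated policy and confirm the client's computer account is in the group named in the "Windows Groups" condition.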