Direct Access 2012 -- method for disabling and re-enabling client access?

  • Question

  • We have a reliably functioning DA 2012 setup (which is great), but I need a way to selectively Disable and later Re-Enable DA for particular clients. We use a security group for the Computer accounts of the clients and this is referenced both by Group Policy (to assign the right settings to the DA Clients) and by the DA Server (to grant the access).

    We had hoped that we could simply delete the client Computer account from the security group, but when we tried this the DA server seems to just ignore it, even after a reboot of the DA Server.

    We have looked all through the settings of the DA server to see if there is a "disconnect client" option, but can't find anything (which truly amazes me!).

    I have seen one blog post from Richard Hicks which recommends running some PowerShell commands (http://directaccess.richardhicks.com/2013/06/11/disconnecting-directaccess-clients-on-windows-server-2012) but after testing these it seems clear that this really only helps me in a scenario where (A) the client is offsite; and (B) I first Disable the Computer account in AD and then replicate AD.

    Wondering what my options are? What do I do when we want to Disable DA for a particular client and then turn it back on again some weeks later?

    • Edited by 0499FROSTY Sunday, March 2, 2014 11:50 PM
    Sunday, March 2, 2014 10:33 PM

All replies

  • When you remove the computer account from your group, it will stop DirectAccess from working, but only once the DA client machine receives its next Group Policy refresh. The purpose of the group is to get those DirectAccess connectivity settings applied from the DA GPO. So if you remove the account, sometime over the next couple of hours Group Policy will refresh on that laptop, and the DirectAccess settings will be removed. If you do this, then later down the road when you want to turn DirectAccess back on, you'll need to get that laptop either back into the office or connected via some kind of VPN, because when you add the computer account back to the group, the client machine will have to receive the GPO settings all over again.

    I have been installing DirectAccess for years in tons of places, and I don't think I have ever heard of the business requirement to remove and re-add computers to DA like you are describing - do you mind sharing your reasoning behind this? (I'm just truly curious, I'm always interested in finding new ways that companies are using DA)

    The quickest way to disconnect a client machine from DirectAccess is to disable the computer account in AD. You could then re-enable the computer account later and DA would start working again, but of course if you leave a computer account disabled in Active Directory for a long period of time, it could cause other kinds of sync problems outside the scope of DA.

    DirectAccess, if designed properly, turns itself off whenever the computer is connected to the corp network, whether physically onsite or connected via another form of VPN. Given this behavior, I'm not sure why you would want to be able to disable DA for a while and then turn it back on again later...?

    Monday, March 3, 2014 1:37 PM
  • Thanks Jordan,

    We are a small organisation (around 120 staff) but with a relatively large number of people needing to at least occasionally use Direct Access (around 40 staff) and I currently have just 10Mbps of Internet bandwidth to work with.  So there is a bandwidth technical constraint to consider, at least for the time being.

    The second constraint is to do with organisational culture. Due to the relatively large number of staff needing DA (let's say more than 30%) we don't want it turned on for all of them all the time because this facilitates a tendency "I'm not coming in to work today; I'll work from home". Some organisations might like this. We don't.

    So those are the two reasons why I would like to "turn it on", "turn it off again", for at least some of the DA clients.

    We've tested with clients which are IN the office, and that works fine.  Removing the Computer account from the nominated AD Security Group does the job.  I was just hoping for a better solution for clients which already have DA turned on, but which are out of the office.

    I guess one good thing to come out of this is that a misunderstanding evident in the first paragraph of my first post (above) has been corrected.  I had written:  "We use a security group ... referenced ... by the DA Server (to grant the access)".  This is only partly true it seems.  The only way the DA Server uses that security group is in the setting up of the GPO for the Client Settings.  It does NOT appear to use it for any kind of client validation.  That's the bit I misunderstood and which still surprises me a bit ...


    • Edited by 0499FROSTY Monday, March 3, 2014 11:56 PM
    Monday, March 3, 2014 11:55 PM
  • I seem to have run into a problem:  the Group Policy automatic refresh is not happening.

    At first I put this down to a GPO setting which had explicitly turned this OFF for workstations.  But I reset that so that Background Refresh was Enabled again, every 60 minutes, +/- 10 minutes.

    I refreshed policy so that this new setting would be applied. Rebooted the client. Connected to the Internet and established the DA connection. Removed the Computer account from the DA security group. Left it for 90 minutes. But Group Policy apparently never refreshed and so it never disconnected.

    When I ran GPUPDATE /FORCE and restarted, the client (correctly) was unable to re-establish its Direct Access.

    I'll test again overnight, but just in case I get the same result, where to look next?  e.g. slow link detection perhaps?


    • Edited by 0499FROSTY Monday, March 17, 2014 3:50 AM
    Monday, March 17, 2014 3:45 AM
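An added example (not code from the thread or from Microsoft): a PowerShell function for the toggle the replies describe, adding or removing a client from the DA client security group and then scheduling the Group Policy refresh that the last post found does not happen on its own. The group and computer names are placeholders; it assumes the RSAT ActiveDirectory and GroupPolicy modules, and Invoke-GPUpdate only helps while the client is reachable from the admin workstation.

```powershell
# Added example: toggle DirectAccess for one client via the DA client security
# group, then push the GPO refresh. Group/computer names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Set-DAClientEnabled {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [bool]   $Enabled,
        [string] $DAClientGroup = 'DirectAccess Clients'   # placeholder group name
    )

    $computer = Get-ADComputer -Identity $ComputerName
    $isMember = Get-ADGroupMember -Identity $DAClientGroup |
                Where-Object { $_.DistinguishedName -eq $computer.DistinguishedName }

    if ($Enabled -and -not $isMember) {
        Add-ADGroupMember -Identity $DAClientGroup -Members $computer
        Write-Host "$ComputerName added to $DAClientGroup."
    }
    elseif (-not $Enabled -and $isMember) {
        Remove-ADGroupMember -Identity $DAClientGroup -Members $computer -Confirm:$false
        Write-Host "$ComputerName removed from $DAClientGroup."
    }
    else {
        Write-Host "$ComputerName already in the requested state."
    }

    # The DA server does not re-check this group; the client only drops (or picks
    # up) the DA settings when Group Policy refreshes. If the machine is reachable
    # from here (in the office, or over an existing DA/VPN connection), schedule
    # the refresh now instead of waiting for the background interval.
    if (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet) {
        Invoke-GPUpdate -Computer $ComputerName -Force -RandomDelayInMinutes 0
        Write-Host "gpupdate /force scheduled on $ComputerName."
    }
    else {
        # Offsite with no DA settings left, the client must come into the office
        # or use another VPN before a re-enable can take effect.
        Write-Warning "$ComputerName not reachable; change applies at its next Group Policy refresh."
    }
}

# Usage:
# Set-DAClientEnabled -ComputerName 'LAPTOP01' -Enabled $false   # disable DA
# Set-DAClientEnabled -ComputerName 'LAPTOP01' -Enabled $true    # re-enable later
```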