DirectAccess on Server 2012R2 - with Laptops and Mobiles ONLY option?

  • Question

  • Greetings,

    It looks like this may be the correct forum for Direct Access questions?  If not - please let me know which forum to direct the question to.

    Anyone running DA (2012R2) with the Mobile Only option?

    Apparently this creates a WMI filter which doesn’t include Windows 10.

    I am looking to see what you have for a WMI query.

    I attempted to add/insert this into my WMI query as outlined here:

    http://renshollanders.nl/2014/03/direct-access-automatic-gpo-configuration-sets-outdated-and-incorrect-wmi-filter/

    OR Version LIKE '6.3%' OR Version LIKE '10.0%'

    However, when I attempted to pre-save - I received an error - which I then cancelled the save: 

    "Either the namespace entered is not a valid namespace on the local computer or you do not have access to this namespace on this computer. It is possible this is a valid namespace on the remote computer(s). If you wish to use this namespace, press OK. Press Cancel to choose another namespace."

    Looks like this could be ignored?

    http://www.virtual-ninja.com/2016/07/group-policy-wmi-namespace-warning/

    In regards to editing the GPOs that the deployment/configuration wizard creates, and their links/placement in the domain tree:

    1. Has anyone removed the WMI filter from the DirectAccess Client GPO that the DA Deployment wizard creates when you select the Laptops and Mobiles only option?
    2. Is it possible (without breaking things, etc.) to link the DirectAccess Clients and DirectAccess Servers GPOs to a sub-OU rather than the default top of the domain tree? This is so I can be more specific about the application of the GPO, without relying on the targeted specific computers/security group(s).

    Thank you in Advance,

    K


    Thanks in advance

    Monday, March 13, 2017 3:25 AM

Answers

  • Hi Kevin

    Or, in fact, better still, you could pre-create the GPOs (blank) using your naming convention, link them to the respective OUs (Server and Clients), and then select which GPOs you want populated in the final wizard (when applying), which saves using the default MSFT Group Policies that link to the root of the domain by default. Regardless of the WMI filter, the Client policy will always be filtered to the group containing the clients; the WMI filter is belt and braces to limit it to mobiles/laptops. Gérald's impeccable answer on the WMI filter is correct though.

    • Before you configure DirectAccess, link the created GPOs to the respective OUs.

    • When you configure DirectAccess, specify a security group for the client computers.

    • The Remote Access administrator may or may not have permissions to link the Group Policy Objects to the domain. In either case, the Group Policy Objects will be configured automatically. If the GPOs are already linked to an OU, the links will not be removed, and the GPOs will not be linked to the domain. For a server GPO, the OU must contain the server computer object, or the GPO will be linked to the root of the domain.

    • If you did not link to the OU before running the DirectAccess Wizard, after the configuration is complete, the domain administrator can link the DirectAccess Group Policy Objects to the required OUs. The link to the domain can be removed.

    Ref - https://technet.microsoft.com/en-us/library/jj134204(v=ws.11).aspx#ConfigGPOs

    Kindest Regards

    John

    Monday, April 24, 2017 1:39 PM

All replies

  • Hi,

    You can ignore the error when saving the filter.
    Here's a copy of my working filter if you want to compare:

    Select * from Win32_OperatingSystem WHERE (ProductType = 3) OR ((Version LIKE '6.2%' OR Version LIKE '6.3%' OR Version LIKE '10.0%') AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84)) OR (Version LIKE '6.1%' AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70 OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))

    (Note the parentheses around the three Version tests: WQL binds AND tighter than OR, so without them the SKU restriction only applies to the 10.0 branch and any 6.2/6.3 machine matches regardless of edition.)

    For the other questions:

    1. You can remove the filter, but it is used to target only laptops AND specific Windows SKUs. When removed, your GPO could be applied to computers that can't use DirectAccess (for example, Windows Professional or Home editions).

    2. You can link the GPO created by the wizard to a specific OU if you want. Just unlink it from the root of your domain afterwards.

    Gérald

    Tuesday, March 14, 2017 10:05 AM
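  • The following is an added example, not code posted in this thread and not part of the DirectAccess wizard: it evaluates the OS-version/SKU part of the client WMI filter against a machine with Get-CimInstance, so an administrator can confirm before editing the GPO whether a given client (for instance a Windows 10 laptop) would actually pass the filter, and see the raw Version / OperatingSystemSKU / ProductType values the filter is comparing. The function name Test-DirectAccessClientFilter and the $Filter variable are this example's own names; the "laptops and mobiles" hardware part of the wizard's filter is not shown in the thread and is therefore not reproduced here. Running it locally also confirms that root\cimv2 is a valid namespace on the editing machine, which is what the GPMC warning quoted in the question is about.

```powershell
# Added example (not from the thread): check whether a client would match the
# DirectAccess client GPO's OS-version/SKU WMI filter before changing the GPO.
# Works in Windows PowerShell 5.1 and PowerShell 7 on a domain-joined client.

# Filter as posted in the thread, with the Version tests grouped so the SKU
# restriction applies to 6.2, 6.3 and 10.0 alike (WQL binds AND tighter than OR).
$Filter = @"
SELECT * FROM Win32_OperatingSystem
WHERE (ProductType = 3)
   OR ((Version LIKE '6.2%' OR Version LIKE '6.3%' OR Version LIKE '10.0%')
       AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27
         OR OperatingSystemSKU = 72 OR OperatingSystemSKU = 84))
   OR (Version LIKE '6.1%'
       AND (OperatingSystemSKU = 4 OR OperatingSystemSKU = 27 OR OperatingSystemSKU = 70
         OR OperatingSystemSKU = 1 OR OperatingSystemSKU = 28 OR OperatingSystemSKU = 71))
"@

function Test-DirectAccessClientFilter {
    [CmdletBinding()]
    param(
        # WQL text of the WMI filter to evaluate (defaults to the thread's filter)
        [string]$Query = $Filter,
        # Optional remote client; omitted = local machine (no WinRM needed)
        [string]$ComputerName
    )

    # Only pass -ComputerName when one was given, so the local case stays DCOM/local.
    $cim = @{}
    if ($ComputerName) { $cim.ComputerName = $ComputerName }

    # Raw values the GPO engine compares against; ProductType 3 = server OS.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem @cim

    # Collapse the here-string to one line: a filter that returns at least one
    # instance is exactly what Group Policy treats as "filter evaluates TRUE".
    $wql = ($Query -replace '\s+', ' ').Trim()
    $hit = Get-CimInstance -Namespace 'root\cimv2' -Query $wql @cim

    [pscustomobject]@{
        Computer           = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }
        Version            = $os.Version
        OperatingSystemSKU = $os.OperatingSystemSKU
        ProductType        = $os.ProductType
        FilterMatches      = [bool]$hit
    }
}

# Usage: run on (or against) a client that is not getting the DA settings.
# A FilterMatches of False with a Version of 10.0.* shows the filter is the
# cause rather than the security-group scoping or the OU link.
Test-DirectAccessClientFilter
```

    The same call with the thread's original, ungrouped filter text as -Query shows the precedence problem directly: a Windows 8.1 Professional machine (Version 6.3.*, OperatingSystemSKU 48) returns FilterMatches = True under the ungrouped text and False under the grouped one, which is what "only specific Windows SKUs" is meant to enforce.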
  • Thank you, Gérald.

    Much appreciated.


    Thanks in advance

    Tuesday, March 14, 2017 5:43 PM