Assigned Window User to DirectAccess Client Setting GPO not being updated on workstation RRS feed

  • Question

  • I'm trying to have the Direct Access Client Settings GPO use only specific domain users and/or domain groups in the Security Filtering section.  I removed Authenticated Users and added two specific users.

    After doing a gpupdate /force on the workstation that I'm testing with, I do a gpresult /scope user /r and the GPO in question is in "The Following GPOs were not applied because they were filtered out" and it says Filtering: Disabled (GPO).  When I do a gpresult /scope computer /r in the same section I get Filtering: Not Applied (Unknown Reason). 

    However, if I place the computer name (that I'm using to test Direct Access) in the security filtering section of the GPO, and do a gpupdate /force, I checked the gpresult /scope computer /r and it shows that the GPO for the Direct Access Client has been applied but gpresult /scope user /r stills says the same thing "Filtering Disabled (GPO)".

    How can I get Security Filtering to work with domain user accounts and/or domain groups accounts, so that the GPO is appliedfor the user?


    Direct Access Server: Windows 2012

    Direct Access Client: Windows 8 Enterprise

    Thanks in advance

    Saturday, June 8, 2013 4:43 AM

All replies

  • Hi,

    Thats because DirectAccess GPO Settings apply to Computers, not users. If you want to filter users using DirectAccess, it's a little much more complicated. You have to configure filtering on Server-Side GPO. I wrote an article about this a long time ago. Sorry, it was written in french :

    Basically, you have to operate the same way DirectAccess enforce Smartcard use for DirectAccess users and manage AuthUserGrp parameter for the User IPSEC Tunnel. Problem with this approach, you will have to reconfigure this parameter each time you apply a new URA configuration because GPO rebuilded from scratch.

    If i have some time, i will write a new version in English and Powershell.

    BenoitS - Simple by Design

    Saturday, June 8, 2013 8:54 AM
  • Hi BenoitS,

    We are evaluating DA in our Environment. Our Environment is AD-2008R2SP1 & DA-Windows2012. In our AD Firewall is turned Off. When we enabled the DA role Group Policies are not applying to DA Server. It says error message in console "Configuration for server <servername> cannot be retrieved from  Domain controller". We were able to ping to AD & do the Gpupdate /force. But when we run the Gpresult /R command on DA serve we are getting "Direct Access Server Settings Filtering :Disabled (GPO)".

    But when we checked in AD Gpmc.msc filtering is set to None.

    Any help on this? Thanks in advance.


    Friday, June 14, 2013 7:06 AM
  • Hi

    Firewall must be enabled on the URA server. Otherwise, group Policy parameters applicable to URA server wont apply. Are you sure that GPOlink is not disabled or other thing that can block GPO processing (Block inheritance, ...).

    BenoitS - Simple by Design

    Friday, June 14, 2013 11:29 AM
  • Hi BenoitS,

    Thanks for the reply.

    Firewall is turn on in DA Server, In AD it is off. Yes GPOlink is not disabled or Filtered it is set to none in AD GPMC.msc. Is there any way to collect the log files for further analysis. For your reference I am attaching the Gpresult /R result.

    Please help me to collect any logs or any other way to troubleshoot.



    Saturday, June 15, 2013 2:33 PM
  • Hi

    It a GPO related problem. Your Client-side GPO and Server-side GPO are disabled. Did you customize theses GPO by disabling computer-reated parameters in the GPO properties?

    BenoitS - Simple by Design

    Monday, June 17, 2013 7:22 AM