locked
Use NPS to Deny Clients DirectAccess Connections RRS feed

  • Question

  • Hello all,

    I'm thinking of creating an additional NPS policy to deny members of a particular security group the ability to connect using DirectAccess.

    I'm just interested in some thoughts from some experts out there - is this a terrible idea? Will the client machines that are set to fail the NPS policy 'sort of' connect via DA still and as such their preferred method of connecting to corp net (old fashioned VPN) not work?

    It would be simple for us to use a WMI filter to prevent the GPO from applying but there are complications for us using this method.

    I guess overall we are just trying to prevent DA from "starting" up on around 50 client machines, more than happy to listen to other suggestions regarding how best to achieve this.

    Thanks,

    C


    Carl Barrett | Twitter: @Mosquat

    Tuesday, August 21, 2012 1:33 PM

All replies

  • DirectAccess connectivity settings are only given out to computers that are part of your particular AD security group that you created for DirectAccess clients...unless you are using an OU for assigning those settings? Assuming you used a group (this is by far the more common method), any computers not part of that "DA_Clients" group or whatever you called it won't be connected via DirectAccess.

    Or am I misunderstanding your question?

    Tuesday, August 21, 2012 2:26 PM
  • Hello Jordan - no you're right, we did have it set up this way but have since stopped using a security group and instead use a WMI filter on a couple of GPOs

    If for example, going back to the cenario you describe, you nested domain computers in the "DA_Clients" group but then wanted to prevent a selection of domain computers from using DA would blocking these clients via a Network Policy be feasible?

    Thanks


    Carl Barrett | Twitter: @Mosquat

    Tuesday, August 21, 2012 2:34 PM
  • I would say no. Not because it's not technically possible, but I say no because I would never dare risk placing "Domain Computers" in the DA_Clients group. You do not want to create even the potential for non DA client computers to receive DA connectivity settings. There are way too many things that could go wrong. :)
    Tuesday, August 21, 2012 2:39 PM
  • OK thanks - so going off of the original question a bit...how would you dynamically maintain the membership of the DA_Clients group - or is this the point, that membership should be manually maintained?

    Carl Barrett | Twitter: @Mosquat

    Tuesday, August 21, 2012 2:48 PM
  • It is designed to be manually maintained. I'm sure you could script the addition or removal of computers from the group, but I'm not sure what the "real world" purpose would be...? Even if you scripted it, at some point you are still having to handle what computers are being manipulated by the script.
    Tuesday, August 21, 2012 2:51 PM