UAG - DirectAccess - Cannot complete UAGDirectAccess_GroupPolicy.ps1

  • Question

  • Hi,

    When applying the UAGDirectAccess_GroupPolicy.ps1 script at the end of DirectAccess configuration, I get the following error:

    UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12} exists.
    Clearing associated security groups ...
    done.
    UAG DirectAccess: DaServer{ab991ef0-6fa9-4bd9-bc42-3c397e8ad300} exists.
    Clearing associated security groups ...
    done.
    UAG DirectAccess: AppServer{f7b77f47-7c33-4d8c-bb9a-a913c5675d8d} exists.
    Clearing associated security groups ...
    done.
    Executing Add MYDOMAIN\DA_Clients to UAG DirectAccess: Client{3491980e-ef3c-4ed3-b176-a4420a810f12} gpo. ...
    failed. The operation cannot be completed because "MYDOMAIN\DA_Clients" is not a valid security group in the "MYDOMAIN" domain. Make sure that the TargetName and TargetType parameters specify a valid security group for the domain. Then, run the command again.
    Parameter name: TargetName

    I saw this Microsoft KB: http://support.microsoft.com/kb/978838/en-us but even after applying this patch, my issue was not solved.

    Any ideas?

    Thanks

     


    n3id
    Wednesday, May 12, 2010 2:53 PM

All replies

  • Are you running UAG Update 1?

    What type of group is DA_Clients?

    Have you tried using a group name without an underscore?

     


     

    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk

    • Marked as answer by n3id Friday, May 14, 2010 12:40 PM
    Wednesday, May 12, 2010 7:11 PM
    Moderator
  • Some more considerations:

    Are you logged in as a local admin?

    Are you using Update 1 (whoops! Jason already mentioned that one) :)

    Is the UAG server connected to the domain? (try nltest to confirm)

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Wednesday, May 12, 2010 11:15 PM
    Moderator
  • Hi,

    Thanks for the answers. We are running Update 1 and we are logged into the domain as domain admin. The security group used is Universal (we tried both Global and Universal), but we have the same issue.

    We will try using a security group without an underscore.

    Thanks!

     


    n3id
    Thursday, May 13, 2010 8:29 AM
  • Also, when you create the new security group, make sure it's a global group.

    Although, http://technet.microsoft.com/en-us/library/dd857386.aspx clearly indicates that a Universal Group is OK.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Thursday, May 13, 2010 12:29 PM
    Moderator
  • Thanks for all your answers, the problem was solved using a security group without an underscore!

    Thanks again!


    n3id
    Friday, May 14, 2010 12:41 PM
  • Nice...not!

    Tom, can you log this as a bug?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Friday, May 14, 2010 2:05 PM
    Moderator
  • It makes sense, because the UAG DA Management UI uses the security group's name, while the PowerShell script uses the Group Policy API, which requires the sAMAccountName (pre-Windows 2000 name). So this issue can happen when those names are different.

    Hopefully this is already resolved in SP1.

    Friday, May 14, 2010 2:30 PM
  • Is this an issue that started with Update 1?

    Both the Windows DA and UAG DA Test Lab Guides use the example Security Group DA_Clients and have not had a problem with it.

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Monday, May 17, 2010 2:32 PM
    Moderator
  • I think it depends on whether the Name and the pre-Windows 2000 name of the security group are identical or not.

    There is no problem with the underscore character.

    We do have a problem, however, with other characters in the security group name, such as double quotes. That will be fixed in SP1 though.

    Tuesday, May 18, 2010 9:16 AM
  • OK, that makes sense, but I don't see how the pre-Windows 2000 Security Group name could be different than the name that appears in the UI. Is this something that the admin has to do explicitly? Or is it related to the domain configuration?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team
    Tuesday, May 18, 2010 2:58 PM
    Moderator
  • When creating a security group you need to enter a name and a pre-Windows 2000 name; those could be different.

    When selecting a security group in UAG RTM you'll see the real name; however, the API used in the GP script requires the pre-Windows 2000 name.

    Thursday, May 20, 2010 6:54 AM
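
The name mismatch described in the last replies can be checked before running the Group Policy script. The following is an added example, not part of the original thread and not UAG's own code: it looks up each group by the name shown in the UI and reports its sAMAccountName (pre-Windows 2000 name), whether the two match, and whether it is a security group. It assumes the ActiveDirectory PowerShell module is available; the function names `ConvertTo-LdapFilterValue` and `Test-DaGroupName` are hypothetical, and the group names at the bottom are constructed.

```powershell
# Added example. Requires the ActiveDirectory module; run on a domain-joined host.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so characters in a group name cannot alter the filter.
    # The backslash is handled first so later escapes are not escaped again.
    foreach ($pair in @(@('\', '\5c'), @('*', '\2a'), @('(', '\28'), @(')', '\29'))) {
        $Value = $Value.Replace($pair[0], $pair[1])
    }
    $Value.Replace([string][char]0, '\00')
}

function Test-DaGroupName {
    param([Parameter(Mandatory=$true)][string[]]$DisplayedName)

    $netbios = (Get-ADDomain).NetBIOSName
    foreach ($n in $DisplayedName) {
        # Search on the "name" attribute, i.e. the name an admin sees in the UI.
        $filter = '(&(objectCategory=group)(name={0}))' -f (ConvertTo-LdapFilterValue $n)
        $found  = @(Get-ADGroup -LDAPFilter $filter)

        if ($found.Count -eq 0) { Write-Warning "No group named '$n' in $netbios"; continue }
        if ($found.Count -gt 1) { Write-Warning "'$n' matches $($found.Count) groups; check each row" }

        foreach ($g in $found) {
            New-Object PSObject -Property @{
                DisplayedName  = $g.Name
                SamAccountName = $g.SamAccountName
                NamesMatch     = ($g.Name -eq $g.SamAccountName)
                IsSecurity     = ($g.GroupCategory -eq 'Security')
                Scope          = $g.GroupScope
                # DOMAIN\sAMAccountName form, which the replies above say the GP API requires
                ScriptTarget   = "$netbios\$($g.SamAccountName)"
            } | Select-Object DisplayedName, SamAccountName, NamesMatch, IsSecurity, Scope, ScriptTarget
        }
    }
}

# Constructed group names for illustration
Test-DaGroupName -DisplayedName 'DA_Clients', 'DA Clients (Pilot)' | Format-Table -AutoSize
```

A row with `NamesMatch` set to `False` is a group whose displayed name will not resolve when passed as `DOMAIN\name`, which is the condition the thread identifies.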