No items in Security Group - Policy still applies

  • Question

  • I have recently set up NAP for a client and, as I'm still in testing, I only want it to apply to a few computers.

    I'm using NAP via DHCP and set up a global security group called NAP Client Computers. I have a WSHV that only checks for the firewall. I have created the DHCP scope options so that the default user class points to the local DNS server and DNS Domain Name, and the default Network Access Protection class points to the same DNS servers and a DNS Domain Name of restricted.domain.local. I have turned on NAP in the scope. I have made the group policy changes, and I removed Authenticated Users from the Security Filtering and added the NAP Client Computers group I created. This group did not have any members.

    When users started logging in, they were all getting on the restricted network, why has this happened? There are no members in the security group, so the policy should not be getting applied.


    Thursday, December 8, 2011 5:33 AM

Answers

  • Hi mattym84,

    Thanks for posting here.

    I think we need to add policies in order to exclude or exempt the rest of the member hosts from being affected by NAP enforcement, if you just want to restrict several computers for testing purposes but not all.

    Design an Exception Management Strategy

    http://technet.microsoft.com/en-us/library/dd125358(WS.10).aspx

     

    Determine Your Policy Strategy for Network Access Protection

    http://technet.microsoft.com/en-us/library/bb680336.aspx

    Thanks.

    Tiger Li
    Friday, December 9, 2011 5:53 AM
  • Hi,

    When you turn on NAP in the DHCP scope, this immediately causes all computers to be evaluated by NPS (except those with a static IP). If you want a certain group of computers to be exempt, you can add a security group condition that automatically grants full access to them (i.e. domain computers). Keep in mind that if a computer isn't running the NAP agent it will be considered non-NAP-capable, and that is the policy that this kind of computer will always match, regardless of any security group it belongs to.

    Review the event log on NPS to see what policy computers are matching.

    To reiterate - when you turn on NAP in the DHCP scope, every computer will need to match a network policy or they will not receive an IP address. You can create policies to allow nearly all computers on the network regardless of health state and only evaluate the health of a smaller group, but you do need to design policies to do this for ALL computers.

    Policies are evaluated in order, and more specific policies need to come first, so if you have a small group of NAP test computers, create a policy to match these computers and place it first in the order. If you wish to have a health check you'll actually need two policies like this - one for compliant and one for noncompliant computers.

    Then, create another policy that matches ALL computers (with a condition such as time of day, using all 24 hours of all 7 days) and place it second in the order. This policy will allow full network access. If a computer matches the first policy it will ignore the second one, but if it doesn't match the first policy then it will automatically be granted full access.

    I hope this helps,

    -Greg

    P.S. I hope what I said is clear. What I am proposing is three policies:

    1st policy in the order has two conditions:
      Condition 1: NAP client computers security group
      Condition 2: Compliant with health policy

    2nd policy in the order has two conditions:
      Condition 1: NAP client computers security group
      Condition 2: Noncompliant with health policy

    3rd policy in the order has one condition:
      Condition 1: Time of day and week is 24 hours a day, 7 days a week

    Saturday, December 10, 2011 12:29 PM
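Greg's three-policy order, modelled as the first-match evaluation NPS performs, so the effect of the processing order and of the missing catch-all can be checked on a sample fleet. This is an added example, not code from the thread or from NPS; the policy names, computer names and fleet are constructed, and a health-policy condition is modelled as matching only computers that actually sent a statement of health.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Computer:
    name: str
    groups: set            # security groups the computer account belongs to
    nap_capable: bool      # NAP agent running and sending a statement of health
    compliant: bool        # firewall on, which is all the WSHV in the thread checks

@dataclass
class Policy:
    name: str
    access: str                    # "full" or "restricted"
    group: Optional[str] = None    # Windows Groups condition
    health: Optional[str] = None   # "compliant" or "noncompliant" health policy
    always: bool = False           # Day and Time condition covering 24x7

def matches(p: Policy, c: Computer) -> bool:
    if p.always:
        return True
    if p.group is not None and p.group not in c.groups:
        return False
    # A health-policy condition can only match a computer that sent a SoH.
    if p.health == "compliant":
        return c.nap_capable and c.compliant
    if p.health == "noncompliant":
        return c.nap_capable and not c.compliant
    return True

def evaluate(policies: List[Policy], c: Computer) -> Tuple[Optional[str], str]:
    """NPS walks the list in processing order; the first match decides the outcome."""
    for p in policies:
        if matches(p, c):
            return p.name, p.access
    return None, "no_ip"   # an unmatched DHCP client gets no lease at all

THREE_POLICIES = [
    Policy("NAP test - compliant", "full", group="NAP Client Computers", health="compliant"),
    Policy("NAP test - noncompliant", "restricted", group="NAP Client Computers", health="noncompliant"),
    Policy("Everyone else", "full", always=True),
]

FLEET = [  # constructed sample fleet, not from the thread
    Computer("test1", {"NAP Client Computers"}, nap_capable=True, compliant=True),
    Computer("test2", {"NAP Client Computers"}, nap_capable=True, compliant=False),
    Computer("ws1", set(), nap_capable=True, compliant=False),
    Computer("printsrv", set(), nap_capable=False, compliant=False),
]

def outcomes(policies: List[Policy]) -> dict:
    return {c.name: evaluate(policies, c)[1] for c in FLEET}
```

`outcomes(THREE_POLICIES)` restricts only the noncompliant test computer, while `outcomes(THREE_POLICIES[:2])` shows that without the catch-all every computer outside the test group is left with no address, which is the design point Greg makes.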
