[This article originally appeared in "The Edge Man" blog at http://blogs.technet.com/tomshinder/archive/2010/03/13/uag-directaccess-group-policy-assignment-make-sure-the-right-policies-are-applied.aspx]

(Discuss UAG DirectAccess issues on the TechNet Forums over at http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag)

When you run the configuration wizard on the UAG DirectAccess (DA) server, one of the things it does is create Group Policy Objects (GPOs) and Group Policy Settings in those GPOs. After the UAG DA server creates the GPOs and configures the settings, it can automatically deploy these settings into your domain. These settings are linked to the root of the domain that the UAG DA server belongs to. There are three GPOs created by the DA wizard, as seen in the figure below.



These GPOs are:

  • UAG DirectAccess: AppServer {GUID} – these GPO settings are applied to machines that you include in the application servers groups, which are called out at the end of the UAG DA configuration wizard. These policies enable end to end IPsec protection between the DA client and the destination server.
  • UAG DirectAccess: Client {GUID} – these GPO settings are applied to the DA clients. DA clients are assigned to a security group that you create when you configure the DA solution for your organization. There is no “built in” DA clients security group, you need to create this yourself.
  • UAG DirectAccess: DaServer {GUID} – these GPO settings are applied to the UAG DA servers themselves. If you have a single UAG DA server, then these settings will be applied to that server. If you have an array of UAG DA servers, then the GPO settings will be applied to each of the servers in the UAG DA server array.

Group Policy assignment uses GPO Security Filtering to assign the GPO settings to the correct machines. In the figure below, you can see that I’ve selected the UAG DirectAccess: DaServer {GUID} policy in the left pane of the console. In the right pane, in the Security Filtering section, you can see that the policy is applied to the machine accounts of the two UAG DA servers participating in a UAG DA high availability array.


Security Filtering is also used to assign the GPO settings to the DA clients. In the figure below you can see that I’ve selected the UAG DirectAccess: Clients {GUID} GPO. In the right pane of the console you can see in the Security Filtering section that the GPO is applied to members of the DA_Clients (CORP\DA_Clients) security group. Keep in mind that DA is made available to computers, not users. Therefore, you need to put the computer accounts into the security group you’ve designated for your DA client computers. After you create the security group, add the computer accounts to that group. Then the DA Clients GPO settings will be applied to those machines.


It’s critical that you apply the Group Policy settings to the correct computer accounts and groups. If you apply the DA Clients GPO settings to the wrong computers, some very bad things can happen, such as name resolution failing throughout your network in some scenarios. There can be many unintended effects if you apply the settings to all authenticated users or any of the built-in security groups included in Active Directory, such as the Domain Computers security group.

If you find that you’ve applied the GPOs to the wrong computers, and end up with problems with network connectivity or name resolution on your network, I want to recommend to you that you call Microsoft Customer Support Services (CSS). While there are some things I can recommend to you that might help fix the problem, there are too many different scenarios where this problem might find itself so that a generic solution is unlikely to be useful in your case.

The UAG DA wizard will assign the correct GPO settings to the right computers if you made the correct selections in the wizard. For more information on how to use the UAG DirectAccess wizard, check out the UAG DirectAccess Deployment Guide at http://technet.microsoft.com/en-us/library/dd857320.aspx