Today I want to talk about UAG DirectAccess Group Policy objects and some useful tweaks you can apply to them.
While the script generated by the UAG DirectAccess Configuration Wizard works well in most cases, there are situations in which you need to edit it.
Two reasons that may require you to edit the script are:
In these cases, you need to save the PowerShell script, and then edit it as follows:
1. In the first section of the file there are three variables called
2. Rename them from the “UAG DirectAccess: ….” names they currently have to the names of your own preconfigured GPOs.
3. Then comment out the calls to the function TryCreateGPO. There should be three calls, and you should comment out all three.
4. The next two lines (three if you are using End to End authentication) following the calls to TryCreateGPO indirectly call Set-GPPermissions to set the relevant permissions on the GPO, and you should disable them as well.
5. The next two lines (three if you are using End to End authentication) call LinkGpoToDomains. They need to be commented out as well.
Overall it should look as follows:
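The wizard's own script is not reproduced here. As an added example (not the wizard's code and not part of the original post), the following PowerShell helper applies the five edits above to the exported script so they can be repeated each time the wizard regenerates it. It assumes that each GPO name appears as a string literal starting with “UAG DirectAccess:”, that every TryCreateGPO and LinkGpoToDomains call sits on its own line, and that the permission-setting lines directly follow the last TryCreateGPO call, as the steps describe; the prefix value is a constructed sample.

```powershell
# Added example, not the UAG wizard's own script: applies the five edits described
# above to the script exported from the wizard and writes a tweaked copy.
# ASSUMPTIONS (the wizard's script is not reproduced here): GPO names are string
# literals starting with "UAG DirectAccess:", each TryCreateGPO / LinkGpoToDomains
# call is on a single line, and the permission-setting lines come directly after
# the last TryCreateGPO call, as the numbered steps state.
param(
    [Parameter(Mandatory = $true)][string]$ScriptPath,   # script saved from the wizard
    [Parameter(Mandatory = $true)][string]$OutputPath,   # where to write the tweaked copy
    # Replaces the "UAG DirectAccess:" prefix; the results must match your preconfigured GPO names.
    [string]$GpoNamePrefix = 'Contoso DA:',               # constructed sample value
    [int]$TunnelCount = 2                                 # 3 if End to End authentication is used
)

$lines = Get-Content -Path $ScriptPath
$out   = New-Object System.Collections.Generic.List[string]
$lastCreateIndex = -1

# Pass 1: rename the GPO names (steps 1-2) and disable the create/link calls (steps 3 and 5).
for ($i = 0; $i -lt $lines.Count; $i++) {
    $line = $lines[$i]
    if ($line -match '^\s*#') { $out.Add($line); continue }           # already a comment
    if ($line -match 'UAG DirectAccess:') {
        $line = $line -replace 'UAG DirectAccess:', $GpoNamePrefix
    }
    # Comment out the calls, but leave the function definitions themselves untouched.
    if ($line -notmatch '^\s*function\b' -and $line -match '\b(TryCreateGPO|LinkGpoToDomains)\b') {
        if ($line -match 'TryCreateGPO') { $lastCreateIndex = $out.Count }
        $line = "# $line"
    }
    $out.Add($line)
}

# Pass 2 (step 4): the permission-setting lines are the next $TunnelCount non-blank,
# non-comment lines after the last TryCreateGPO call; they only call Set-GPPermissions
# indirectly, so they are located by position rather than by name.
if ($lastCreateIndex -lt 0) { throw "No TryCreateGPO call found in $ScriptPath" }
$done = 0
for ($j = $lastCreateIndex + 1; $j -lt $out.Count -and $done -lt $TunnelCount; $j++) {
    if ($out[$j] -match '^\s*$' -or $out[$j] -match '^\s*#') { continue }
    $out[$j] = "# $($out[$j])"
    $done++
}

Set-Content -Path $OutputPath -Value $out
Write-Host "Wrote $OutputPath; review the commented-out lines before running it."
```

Because the edits are found by name and position, diff the output against the original before running it, and keep using the UAG Management console to activate the configuration afterwards.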
If you want to configure DirectAccess clients from one domain and have the UAG machine in another domain, you can use the steps described above to create the GPOs, then you should use conventional Group Policy tools to copy/move the client GPO from the UAG domain to the DirectAccess client domain.
Please note though that the client domain and the UAG domain should have full Kerberos trust between one another.
Some UAG DirectAccess customers were interested in deploying only the “infrastructure” tunnel for DirectAccess clients. This usually occurs where you want your DirectAccess clients to be “always managed”, but do not want them to have access to all of the corporate resources.
In that case, run the Forefront UAG DirectAccess Configuration Wizard as usual and in the “DirectAccess Server” step, in the Authentication Options screen, select the “Clients that log on using a PKI smart card” check box and then complete the Forefront UAG DirectAccess Configuration Wizard.
Save the exported PowerShell script generated by the UAG DirectAccess Configuration Wizard, and then edit it as follows:
Overall it should look like the following:
The new script creates a policy that contains only the “manage out” tunnel, so that clients can only access the “infrastructure” servers defined in the UAG DirectAccess Configuration “Management” server list.
It effectively disables the “corp” tunnel by denying it to all user groups (instead of allowing it only to users who authenticated with a smart card).
One last note – always remember that the UAG DirectAccess Configuration Wizard generates a new script each time you complete the wizard, so if you plan to use “tweaked GPOs” on a regular basis you should consider automating the script editing.
Oh yes, just one more thing: running the script is only one part of the configuration process, and you should always activate the configuration from the UAG Management console whenever you make changes in the UAG DirectAccess Configuration Wizard.
And that’s about it for today…
Author: Ben Bernstein, Senior Program Manager
Reviewers: Tom Shinder, Technical Writer; Simon Rabinowitz, Technical Writer
This blog was updated today with some changes to the Manage Out “Only” scenario.