
Configure NAP Enforcement Clients in Group Policy

Updated: February 29, 2012

Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

To configure NAP enforcement clients in Group Policy, configure a NAP client Group Policy object (GPO) and apply this GPO to a NAP client security group with security group filtering.

Membership in the local Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Use the following procedure to create a NAP client GPO to enforce NAP client settings on client computers.

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpme.msc, and then press ENTER.

  2. In the Browse for a Group Policy Object dialog box, click the Create New Group Policy Object icon, type the name of the GPO (for example, NAP GPO), and then click OK. The Group Policy Management Editor opens.

Use the following procedure to enable NAP enforcement clients in a GPO.

  1. In the Group Policy Management Editor, open Computer Configuration\Policies\Windows Settings\Security Settings\Network Access Protection\NAP Client Configuration\Enforcement Clients.

    Note: If you are running Windows Server 2008 on your computer, and you want to enable the Wireless Eapol enforcement client, see step 4.

  2. In the details pane, right-click the enforcement client you want to enable, and then click Enable.

    Note: For the VPN enforcement method, if your client computer is running Windows 7, be sure to enable EAP Quarantine Enforcement Client. If your client computer is running Windows XP or Windows Vista, be sure to enable Remote Access Quarantine Enforcement Client.

    The following table lists NAP enforcement client name changes between Windows Server 2008 and Windows Server 2008 R2:

    | Windows Server 2008 | Windows Server 2008 R2 |
    | --- | --- |
    | DHCP Quarantine Enforcement Client | DHCP Quarantine Enforcement Client |
    | IPSec Relying Party | IPSec Relying Party |
    | TS Gateway Quarantine Enforcement Client | RD Gateway Quarantine Enforcement Client |
    | EAP Quarantine Enforcement Client | EAP Quarantine Enforcement Client |
    | Remote Access Quarantine Enforcement Client | Remote access enforcement client for Windows XP and Windows Vista |
    | | Wireless EAPOL enforcement client for Windows XP |

  3. In the Group Policy Management Editor tree, right-click NAP Client Configuration, and then click Apply.

  4. To enable the Wireless Eapol enforcement client on computers running Windows XP with SP3, open Computer Configuration\Policies\Administrative Templates\Windows Components\Network Access Protection, double-click Allow the Network Access Protection client to support the 802.1x Enforcement Client component, click Enabled, and then click OK.

  5. Close the Group Policy Management Editor.

Use the following procedure to enable security filtering on the NAP client GPO.

  1. On a domain controller or member server with the Group Policy Management feature installed, click Start, click Run, type gpmc.msc, and then press ENTER.

  2. In the Group Policy Management console tree, click the name of the GPO that you created in the first procedure, NAP GPO.

  3. In the details pane, under Security Filtering, click Authenticated Users, click Remove, and then click OK.

  4. Click Add, type the name of a NAP client security group that you have created (for example, Vista NAP Clients), and then click OK.

    For more information, see Configure NAP Client Security Groups.
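
The GPO creation and security filtering steps above can also be scripted and then checked. The following is an added example, not part of the original Microsoft procedure. It assumes the GroupPolicy PowerShell module with the Get-GPPermission and Set-GPPermission cmdlets is available, and it uses the example names from this page (NAP GPO, Vista NAP Clients). Enabling the enforcement clients themselves is still done in the Group Policy Management Editor as described.

```powershell
# Added example (not Microsoft's code). Run in an elevated session on a domain
# controller or member server with the Group Policy Management feature installed.
Import-Module GroupPolicy

$GpoName  = 'NAP GPO'            # example GPO name from the first procedure
$NapGroup = 'Vista NAP Clients'  # example NAP client security group; must already exist

# Create the GPO only if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

# Security filtering: remove Authenticated Users, then let the NAP group apply the GPO.
# -Replace is needed so that an existing, higher permission level is actually removed.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $NapGroup `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# Verification: list every trustee that still has the Apply permission.
$appliers = @(Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name })

# Anything other than the NAP client group means the filter is wider than intended.
$unexpected = @($appliers | Where-Object { $_ -ne $NapGroup })

if ($appliers -notcontains $NapGroup) {
    Write-Warning "'$NapGroup' cannot apply '$GpoName'; NAP clients will not receive it."
}
if ($unexpected.Count -gt 0) {
    Write-Warning "Unexpected trustees can apply '$GpoName': $($unexpected -join ', ')"
}
if ($appliers -contains $NapGroup -and $unexpected.Count -eq 0) {
    Write-Output "Security filtering on '$GpoName' is limited to '$NapGroup'."
}

# On a NAP client, after a policy refresh (gpupdate), confirm which enforcement
# clients the GPO enabled:
#   netsh nap client show grouppolicy
```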

© 2014 Microsoft