Step 4: Testing Isolation with a Computer That Does Not Have the Domain Isolation Rule

Updated: December 7, 2009

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

To simulate a computer that is not part of the domain, remove the GPO from CLIENT1, and try to connect again.

To remove the GPO from CLIENT1

  1. On MBRSVR1, switch to Group Policy Management.

  2. Under MyClientComputers, right-click Domain Isolation, and then click Link Enabled to disable the link.

In the next procedure, you refresh the GPO on CLIENT1 and try to communicate with MBRSVR1.

To test the modified GPO on CLIENT1

  1. On CLIENT1, at an Administrator: Command Prompt, run gpupdate /force. Wait until the command finishes.

  2. At the command prompt, run telnet mbrsvr1. The connection attempt fails because CLIENT1 never receives a reply to its request. MBRSVR1 requires authentication and CLIENT1 cannot supply it, so MBRSVR1 drops all incoming packets from CLIENT1.
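To confirm that the failed connection is caused by the missing isolation rule and not by an unrelated problem, the following script checks the policy state on CLIENT1 alongside the connection attempt. It is an added example and not part of the original guide. It assumes that Telnet Server on MBRSVR1 listens on TCP port 23 and that a 5-second timeout is sufficient in the lab; the variable names are illustrative.

```powershell
# Added example (not from the original guide). Run on CLIENT1 in an elevated PowerShell prompt.
$GpoName   = 'Domain Isolation'   # GPO name used in this guide
$Server    = 'mbrsvr1'            # server name used in this guide
$Port      = 23                   # assumption: Telnet Server on its default TCP port
$TimeoutMs = 5000                 # assumption: 5 seconds is long enough in the lab

# 1. Refresh computer policy, as in step 1 of the procedure.
gpupdate /force | Out-Null

# 2. Does the computer's Resultant Set of Policy still mention the GPO?
#    This is a plain text match, so a GPO listed as filtered out also counts as mentioned.
$rsop = (gpresult /r /scope computer | Out-String)
$gpoMentioned = $rsop -match [regex]::Escape($GpoName)

# 3. Capture the connection security rules that are currently active on this computer.
$activeRules = (netsh advfirewall monitor show consec | Out-String)

# 4. Try the TCP connection with a timeout instead of waiting for telnet to give up.
$client = New-Object System.Net.Sockets.TcpClient
$connected = $false
try {
    $pending   = $client.BeginConnect($Server, $Port, $null, $null)
    $connected = $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false) -and $client.Connected
} catch {
    $connected = $false   # any exception is treated as a failed connection
} finally {
    $client.Close()
}

# 5. Capture main mode security associations. An entry for the server appears
#    only after IPsec authentication with it has succeeded.
$mainModeSAs = (netsh advfirewall monitor show mmsa | Out-String)

# 6. Summarize the combination of policy state and connection result.
"GPO '$GpoName' mentioned in RSoP : $gpoMentioned"
"TCP $Port to $Server connected : $connected"
if (-not $gpoMentioned -and -not $connected) {
    "Result: matches this step. CLIENT1 has no isolation rule, so MBRSVR1 drops its packets."
} elseif ($gpoMentioned -and $connected) {
    "Result: GPO is applied and the connection works (expected after the link is re-enabled)."
} else {
    "Result: unexpected combination. Review the output below."
}
"--- Active connection security rules ---"; $activeRules
"--- Main mode security associations ---";  $mainModeSAs
```

Run the script again after the GPO link is re-enabled and policy is refreshed; the result should switch to the second case.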

In the next procedure, you restore the GPO to the client so that the correct rule is in place for later steps.

To reapply the GPO to CLIENT1

  1. On MBRSVR1, under MyClientComputers, right-click Domain Isolation, and then click Link Enabled.

  2. If you want, you can repeat the previous procedure "To test the modified GPO on CLIENT1" to confirm that you can connect again. This time the connection succeeds.

Next topic: Step 5: Creating Exemption Rules for Computers that are Not Domain Members