Add-DAClient

Adds one or more client computer security groups (SGs) to the DirectAccess (DA) deployment, adds one or more DA client Group Policy Objects (GPOs) in one or more domains, adds one or more SGs of down-level clients to the DA deployment in a multi-site deployment, or adds one or more down-level DA client GPOs in one or more domains in a multi-site deployment.

Syntax

Parameter Set: ClientSGGpo
Add-DAClient [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-GpoName <String[]> ] [-PassThru] [-SecurityGroupNameList <String[]> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: ClientDownlevelSGGpo
Add-DAClient [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-DownlevelGpoName <String[]> ] [-DownlevelSecurityGroupNameList <String[]> ] [-EntrypointName <String> ] [-PassThru] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Add-DAClient cmdlet adds one or more client computer security groups (SGs) to the DirectAccess (DA) deployment, adds one or more DA client Group Policy Objects (GPOs) in one or more domains, adds one or more SGs of down-level clients to the DA deployment in a multi-site deployment, or adds one or more down-level DA client GPOs in one or more domains in a multi-site deployment.

The client SG and GPO parameters are treated as independent entities. The basic paradigm is that client GPOs can be created independently of the SGs and of the domains they represent. Every SG that is added to the DA deployment is added in all current client GPOs. Therefore all GPOs always contain all SGs, even if the domains of the GPOs are not all represented among the SGs.

There will never be a scenario where an SG is present only in some of the GPOs. If this happens, then it means that the state of the configuration is bad.

Extending this paradigm, adding clients to an SG is a pure SG level operation which can be accomplished using AD cmdlets, such as the Add-ADGroupMember cmdlet.

Although AD cmdlets are already available for the addition of SGs and GPOs, the additional capabilities of this cmdlet are justified as follows.
-- When an SG is added, it is added in all client GPOs. If the user does not have permissions to edit a GPO, then the SG is not added to any of the client GPOs in any of the domains. When using the AD cmdlet, the user would have to carefully ensure that it is run for each of the domains, and it is difficult to handle the case where the user does not have permissions on some domains.
-- When a GPO is added, all SGs are added in the GPO and DA client specific policies are created. This cmdlet takes care of the case where the GPO is not already present by creating it. If the GPO is already present, then it is merely edited.

The following are additional behavior notes for the cmdlet.
-- At least one client GPO is always present. The Install-RemoteAccess cmdlet always creates a GPO even if there are no SGs added. There is never a case where there are no client GPOs. However, if this situation occurs, then adding an SG without specifying a domain or GPO is not allowed. A GPO can still be added alone, but only when there is no client GPO already present in that domain.
-- If DA is configured to be deployed only on laptops and notebooks, then when a domain or GPO is added, a WMI filter to enforce this policy is created in that domain and applied to all the SGs. If the user does not have the permissions to create a filter in a domain, then a GPO is not created in that domain and a non-terminating error is issued.
-- When adding a new GPO, if it is already present in the domain, then it is merely configured with the list of SG and DA client specific policies. Essentially, it is brought into the DA deployment. If it is not present, then it is created first.
-- Attempting to re-add a domain or specify the same GPO name for the domain again will result in no changes being made.
-- Attempting to add a new GPO in a domain that already consists of a client GPO will result in no action being taken and the display of a non-terminating error.
-- Attempting to add SGs in even a single GPO without the correct permissions will result in the cmdlet terminating the processing of the entire list of SGs that were specified. However, the cmdlet still processes the list of GPOs that have been specified.
-- Attempting to create or configure one of the specified GPOs without the correct permissions will result in the cmdlet proceeding with the processing of the remaining GPOs.
-- In a multi-site deployment:
---- Clients that are added can connect to all the sites.
---- A separate set of parameters is available for adding down-level clients. Additional information can be found under parameter description.
-- If multi-site has not been deployed, attempting to add down-level GPOs or SGs using the DownlevelGpoName and DownlevelSecurityGroupNameList parameters will display an error.
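The behaviour notes above describe two properties an administrator wants to check after a change: a permission failure on any one GPO means no SG was added anywhere, and an SG that appears in only some client GPOs is a bad configuration state. The following script is an added example and is not part of the original reference page or of the RemoteAccess module. It assumes the RemoteAccess and GroupPolicy modules are installed, that the Get-DAClient output exposes the SG and GPO lists as the SecurityGroupNameList and GpoName properties (as the Outputs section below describes), that DA applies an SG to a client GPO through the GpoApply security-filtering permission, and that the SG names are placeholders for your own.

```powershell
# Added example (not from the original reference page): preview, add, and verify
# client SGs in a DirectAccess deployment.
# Assumptions: RemoteAccess and GroupPolicy modules are available; Get-DAClient
# exposes SecurityGroupNameList and GpoName; DA security-filters a client GPO on
# an SG with the GpoApply permission; the SG names below are placeholders.
Import-Module RemoteAccess
Import-Module GroupPolicy

$newGroups = @(
    'corp.contoso.com\DirectAccessLaptopClients',   # placeholder SG names
    'corp.contoso.com\DirectAccessMobileClients'
)

# 1. Preview: -WhatIf reports what would change without editing any GPO.
Add-DAClient -SecurityGroupNameList $newGroups -WhatIf

# 2. Apply. Missing edit rights on even one client GPO abort the whole SG list
#    (see the behaviour notes), so make that a terminating error and stop here.
try {
    $client = Add-DAClient -SecurityGroupNameList $newGroups -PassThru -ErrorAction Stop
}
catch {
    Write-Error "Add-DAClient failed; no SG was added to any client GPO: $($_.Exception.Message)"
    return
}

# 3. Confirm that every requested SG is now in the deployment's SG list.
$missing = $newGroups | Where-Object { $client.SecurityGroupNameList -notcontains $_ }
if ($missing) {
    Write-Warning "Not present in the DA configuration: $($missing -join ', ')"
}

# 4. Consistency check: every client GPO in every domain must filter on every SG.
#    An SG present in only some of the GPOs indicates a bad configuration state.
$state = Get-DAClient
foreach ($gpoEntry in $state.GpoName) {
    $domain, $gpoName = $gpoEntry -split '\\', 2      # entries use DOMAIN\GPO_NAME
    foreach ($sgEntry in $state.SecurityGroupNameList) {
        $sgName = ($sgEntry -split '\\', 2)[1]         # entries use DOMAIN\SG_NAME
        $perm = Get-GPPermission -Name $gpoName -Domain $domain -TargetName $sgName `
                    -TargetType Group -ErrorAction SilentlyContinue
        if (-not $perm -or $perm.Permission -ne 'GpoApply') {
            Write-Warning "Inconsistent: SG '$sgEntry' is not applied on GPO '$gpoEntry'"
        }
    }
}
```

Run the script from an elevated session on the Remote Access server (or pass -ComputerName to the DA cmdlets). Step 4 is the useful part after any manual GPO change as well: it walks the GPO and SG lists returned by Get-DAClient and reports any GPO whose security filtering does not include one of the deployment's SGs, which is exactly the state the notes above say should never occur.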

Parameters

-AsJob

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CimSession<CimSession[]>

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Aliases

Session

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ComputerName<String>

Specifies the IPv4 or IPv6 address, or host name, of the computer on which the Remote Access server computer specific tasks should be run.

Aliases

Cn

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-DownlevelGpoName<String[]>

Specifies the name to be used when creating the down-level client GPO in the specified domain, or represents the domain in which a down-level client GPO with the default name should be created. A GPO is specified in the format DOMAIN\GPO_NAME. A domain is specified in the format DOMAIN. This parameter can be used to create multiple GPOs in multiple domains in one run, so a list of GPO names can be provided. These GPOs correspond to the down-level SGs added using the DownlevelSecurityGroupNameList parameter.
If this parameter contains only the domain name, then the following default GPO name is used.
-- <domain> client policy for <DirectAccess connection friendly name>-<entry point name>.
A list of GPOs can be specified.
This parameter is applicable only in the case of a multi-site deployment.

Aliases

DownlevelGpoNameList

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DownlevelSecurityGroupNameList<String[]>

Specifies the names of one or more down-level client SGs that are not already part of the DA deployment. Each SG is specified in DOMAIN\SG_NAME format.
These down-level clients can then connect only to the site specified in the EntrypointName parameter.
This parameter is applicable only in the case of a multi-site deployment.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-EntrypointName<String>

Specifies the identity of a site in a multi-site deployment to which down-level clients are added, such that these clients can connect only to the specified site. If this parameter is not specified, then the site to which the computer on which the cmdlet is run belongs is used (the user may or may not be specifying a computer name). If both this parameter and the ComputerName parameter are specified and the computer name does not belong to the site represented by the name of the entry point, then the entry point takes precedence and the authentication type is configured for it.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-GpoName<String[]>

Specifies the name to be used when creating the client GPO in the specified domain, or represents the domain in which a client GPO with the default name should be created. A GPO is specified in the format DOMAIN\GPO_NAME. A domain is specified in the format DOMAIN. If this parameter contains only the domain name, then the following default GPO name is used.
-- <domain> client policy for <DirectAccess connection friendly name>.
A list of GPOs can be specified.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-SecurityGroupNameList<String[]>

Specifies the list of client SGs that are to be added to the DA deployment. Each SG is specified in DOMAIN\SG_NAME format.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ThrottleLimit<Int32>

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Management.Infrastructure.CimInstance#DAClient

    The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.
    The output object contains the following properties:
    -- The list of client SGs present in the DA deployment.
    -- The list of client GPOs present in the DA deployment.
    -- The status of force tunnel.
    -- The Name Resolution Policy Table (NRPT) object (for force tunnel properties).
    -- The status of the policy to deploy DA only on laptops and notebooks and not on all computers in the domain.
    -- The status of whether appropriate policies should be deployed on down-level clients (Windows® 7) to enable them to connect to the Windows Server 2012 DA server.
    If multi-site is enabled, then the following additional properties are present:
    -- The name of the entry point (identity of a site) to which down-level clients are added.
    -- The name of the down-level client GPO.
    -- The list of SGs of down-level clients.

EXAMPLE 1

This example adds the SGs corp.contoso.com\DirectAccessLaptopClients and corp.contoso.com\DirectAccessMobileClients to the DA configuration. corp.contoso.com/DirectAccess Client Settings is the DA client GPO configured at the time of DA installation.
Two new SGs, DirectAccessLaptopClients and DirectAccessMobileClients, are created and DA connectivity is provisioned for these SGs. This cmdlet adds the SGs to the DA configuration. This essentially means that the existing client GPO configuration corp.contoso.com/DirectAccess Client Settings is filtered on the two SGs.
This cmdlet only provisions Windows® 8 clients. Down-level clients have to be provisioned separately.

PS C:\> Add-DAClient -SecurityGroupNameList 'corp.contoso.com\DirectAccessLaptopClients','corp.contoso.com\DirectAccessMobileClients' -PassThru

EXAMPLE 2

This example provisions DA for the domain child.corp.contoso.com, which is the child of corp.contoso.com. This creates a GPO named child.corp.contoso.com/DirectAccess Client Settings (using the default naming convention). This cmdlet makes sure that all the SGs present in the DA client configuration are added to this GPO.

PS C:\> Add-DAClient -GPOName 'child.corp.contoso.com' -PassThru

EXAMPLE 3

This example provisions DA for clients present in the domain child.corp.contoso.com, enabling them to connect to the site 2-Edge-Site.
2-Edge-Site is the site configured for the child domain. A new GPO (DownlevelClientsGPO) is added to the DirectAccess configuration. This GPO is filtered on the DownlevelClients SG, which contains Windows® 7 clients in the child domain. Note: The Windows® 7 clients can connect only to the site specified in the EntrypointName parameter.

PS C:\> Add-DAClient -DownlevelSecurityGroupNameList 'child.corp.contoso.com\DownlevelClients' -DownlevelGPOName 'child.corp.contoso.com\DownLevelClientsGPO' -EntrypointName '2-Edge-Site' -PassThru

Related topics

Get-DAClient

Remove-DAClient

Set-DAClient

Add-ADGroupMember