Remove-DAClient
Remove-DAClient
Removes one or more client computer security groups (SGs) from the DirectAccess (DA) deployment, removes one or more DA client Group Policy Objects (GPOs) from domains, removes one or more SGs of down-level clients (down-level clients can connect only to the specified site) from the DA deployment in a multi-site deployment, and removes one or more down-level DA client GPOs from domains in a multi-site deployment.
구문
Parameter Set: ClientSGGpo
Remove-DAClient [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-DomainName <String[]> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-PassThru] [-SecurityGroupNameList <String[]> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]
Parameter Set: ClientDownlevelSGGpo
Remove-DAClient [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-DownlevelDomainName <String[]> ] [-DownlevelSecurityGroupNameList <String[]> ] [-EntrypointName <String> ] [-InformationAction <System.Management.Automation.ActionPreference> {SilentlyContinue | Stop | Continue | Inquire | Ignore | Suspend} ] [-InformationVariable <System.String> ] [-PassThru] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>] [ <WorkflowParameters>]
자세한 설명
The Remove-DAClient cmdlet removes one or more client computer security groups (SGs) from the DirectAccess (DA) deployment, removes one or more DA client Group Policy Objects (GPOs) from domains, removes one or more SGs of down-level clients (down-level clients can connect only to the specified site) from the DA deployment in a multi-site deployment, and removes one or more down-level DA client GPOs from domains in a multi-site deployment.
The basic paradigm is that all client GPOs always point to all SGs even if the domains to which these GPOs belong are not represented in the SGs. There will never be a scenario where an SG is present only in some of the GPOs. If this happens, then the state of the configuration is bad. A user can remove client GPOs independent of the SGs and the domains these SGs represent. Every SG that is removed from the DA deployment is removed in all client GPOs currently present.
When this paradigm is extended to clients being removed from an SG we see that it is a pure SG level operation which can be accomplished using Active Directory (AD) cmdlets (such as Remove-ADGroupMember).
Although AD cmdlets are already available for the removal of SGs and GPOs, the additional capabilities of this cmdlet are justified as follows.
-- When an SG is removed it is removed in all GPOs. If user does not have permissions to edit a GPO, then the SG is not removed from any of the domains. When using the AD cmdlet, the user would have to carefully ensure that it is run for each of the domains and it is difficult to handle the case where the user does not have permissions on some domains.
-- When a GPO is removed all SGs in the GPO are removed and DA client specific policies are deleted. This cmdlet takes care of the conditions where the GPO is removed at the time of deletion. If the GPO was already present when adding it to the DA deployment, then only the DA related policies and settings are deleted and the GPO is left intact.
The following are additional behavior notes for the cmdlet.
-- The user is not allowed to delete all client GPOs and SGs. At least one of each should be present always.
-- Attempting to remove SGs in even a single GPO with the correct permissions results in the cmdlet terminating the processing of the entire list of SGs that were specified. However, This cmdlet still processes the list of domains that the user might have specified in the cmdlet.
-- Attempting to create, remove, or configure a client GPO in one of the specified domains without the correct permissions will result in a non-terminating error for that domain but the cmdlet proceeds with the processing of the remaining domains.
매개 변수
-CimSession<CimSession[]>
원격 세션이나 원격 컴퓨터에서 cmdlet을 실행합니다. 컴퓨터 이름이나 New-CimSession 또는 Get-CimSession cmdlet의 출력과 같은 세션 개체를 입력하세요. 기본값은 로컬 컴퓨터 상의 현재 세션입니다.
별칭 |
Session |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-ComputerName<String>
Specifies the IPv4 or IPv6 address, or host name, of the computer on which the Remote Access server computer specific tasks should be run.
별칭 |
Cn |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-DomainName<String[]>
Specifies the list of domains in which client GPOs need to be removed. A domain is specified in the DOMAIN format.
별칭 |
none |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
True (ByPropertyName) |
와일드카드 문자 허용 여부 |
false |
-DownlevelDomainName<String[]>
Specifies the list of domains in which client GPOs need to be removed. A domain is specified in the DOMAIN format.
별칭 |
none |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
True (ByPropertyName) |
와일드카드 문자 허용 여부 |
false |
-DownlevelSecurityGroupNameList<String[]>
Specifies the names of one or more down-level client SGs that are part of the DA deployment which need to be removed. This parameter is specified in DOMAIN\SG_NAME format.
These down-level clients can connect only to the site specified in the EntryPointName parameter.
별칭 |
none |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
True (ByPropertyName) |
와일드카드 문자 허용 여부 |
false |
-EntrypointName<String>
Specifies the identity of a site in a multi-site deployment from which down-level clients are removed (these clients can only connect to the specified site). If this parameter is not specified, then the site to which the computer on which the cmdlet is run is used (the ComputerName parameter may or may not be specified). If both this parameter and the ComputerName parameter are specified and the computer name does not belong to the site represented by the entry point name then this parameter takes precedence and the authentication type is configured for it.
별칭 |
none |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
True (ByPropertyName) |
와일드카드 문자 허용 여부 |
false |
-InformationAction<System.Management.Automation.ActionPreference>
별칭 |
infa |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-InformationVariable<System.String>
별칭 |
iv |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-PassThru
작업 중인 항목을 나타내는 개체를 반환합니다. 기본적으로 이 cmdlet은 출력을 생성하지 않습니다.
별칭 |
none |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-SecurityGroupNameList<String[]>
Specifies a list of client SGs that are part of the DA deployment which need to be removed. The name of the SG is in DOMAIN\SG_NAME format.
별칭 |
none |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
True (ByPropertyName) |
와일드카드 문자 허용 여부 |
false |
-ThrottleLimit<Int32>
Cmdlet을 실행하도록 설정할 수 있는 동시 작업의 최대 수를 지정합니다. 이 매개 변수를 생략하거나 값으로 0 을 입력하면 Windows PowerShell®은 컴퓨터에서 실행 중인 CIM cmdlet의 수에 따라 cmdlet에 대한 최적의 스로틀 제한을 계산합니다. 스로틀 제한은 현재 cmdlet에만 적용되고, 세션이나 컴퓨터에는 적용되지 않습니다.
별칭 |
none |
필수 여부 |
false |
위치 |
named |
기본값 |
none |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-Confirm
cmdlet을 실행하기 전에 확인 메시지를 표시합니다.
필수 여부 |
false |
위치 |
named |
기본값 |
false |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
-WhatIf
cmdlet이 실행되는 경우 발생할 결과를 보여 줍니다. cmdlet은 실행되지 않습니다.
필수 여부 |
false |
위치 |
named |
기본값 |
false |
파이프라인 입력 허용 여부 |
false |
와일드카드 문자 허용 여부 |
false |
<CommonParameters>
이 cmdlet은 -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, -OutVariable 등의 일반 매개 변수를 지원합니다. 자세한 내용은 TechNet의 about_CommonParameters(https://go.microsoft.com/fwlink/p/?LinkID=113216)
<WorkflowParameters>
입력
입력 형식은 cmdlet으로 파이프할 수 있는 개체의 형식입니다.
- None
출력
출력 형식은 cmdlet 실행 시 출력되는 개체의 형식입니다.
Microsoft.Management.Infrastructure.CimInstance#DAClient
Microsoft.Management.Infrastructure.CimInstance개체는 WMI(Windows Management Instrumentation) 개체를 표시하는 래퍼 클래스입니다. 파운드 기호(#) 뒤의 경로는 기본 WMI 개체에 대한 네임 스페이스 및 클래스 이름을 제공합니다.
The DAClient object contains the following properties:
-- The list of client security groups present in the DA deployment.
-- The list of client GPOs present in the DA deployment.
-- The status of force tunnel.
-- The NRPT object (for force tunnel properties).
-- The status of the policy to deploy DA only on laptops and notebooks and not on all of the computers in the domain.
-- The status of whether appropriate policies should be deployed on down-level clients (Windows? 7) to enable them to connect to the Windows Server 2012 DA Server.
If multi-site is enabled, then the following additional properties are present:
-- The name of the entry point (identity of a site) to which down-level clients are added.
-- The name of the down-level client GPO.
-- The list of security groups of down-level clients.
예
EXAMPLE 1
This example removes the DirectAccessMobileClients SG from the DA deployment. The use of the cmdlet to restrict users and laptops in DirectAccessMobileClients SG from accessing the corporate resources of our Contoso firm is demonstrated here.
PS C:\> Remove-DAClient -SecurityGroupNameList 'corp.contoso.com\DirectAccessMobileClients'
EXAMPLE 2
This example displays the deployment that contains two domains viz.corp.contoso.com and child.corp.contoso.com and the cmdlet removes the DA client GPO in child.corp.cotoso.com domain. This cmdlet automatically locates the client GPO in the domain and removes it.
PS C:\> Remove-DAClient -DomainName "child.corp.contoso.com"
EXAMPLE 3
This example removes DA for client computers present in domain named child.corp.contoso.com at site 2-Edge-Site. This is accomplished by removing the client SG DownlevelClients which contains the Windows? 7 clients and the domain named child.corp.contoso.com.
PS C:\> Remove-DAClient -DownLevelSecurityGroupNameList 'child.corp.contoso.com\DownlevelClients' -DownlevelDomainName 'child.corp.contoso.com' -EntrypointName '2-Edge-Site' -PassThru
관련 항목
Remove-ADGroupMember