Add-DAClient

Adds one or more client computer security groups (SGs) to the DirectAccess (DA) deployment, adds one or more DA client Group Policy Objects (GPOs) in one or more domains, adds one or more SGs of down-level clients to the DA deployment in a multi-site deployment, or adds one or more down-level DA client GPOs in one or more domains in a multi-site deployment.

Syntax

Parameter Set: ClientSGGpo
Add-DAClient [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-GpoName <String[]> ] [-PassThru] [-SecurityGroupNameList <String[]> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: ClientDownlevelSGGpo
Add-DAClient [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-DownlevelGpoName <String[]> ] [-DownlevelSecurityGroupNameList <String[]> ] [-EntrypointName <String> ] [-PassThru] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Detailed Description

The Add-DAClient cmdlet adds one or more client computer security groups (SGs) to the DirectAccess (DA) deployment, adds one or more DA client Group Policy Objects (GPOs) in one or more domains, adds one or more SGs of down-level clients to the DA deployment in a multi-site deployment, or adds one or more down-level DA client GPOs in one or more domains in a multi-site deployment.

The client SG and GPO parameters are treated as independent entities. The basic paradigm is that client GPOs can be created independent of the SGs and the represented domains. Every SG that is added to the DA deployment is added in all current client GPOs. Therefore all GPOs always contain all SGs even if all the corresponding domains are not represented in all the SGs.

There will never be a scenario where an SG is present only in some of the GPOs. If this happens, then it means that the state of the configuration is bad.

Extending this paradigm, adding clients to an SG is a pure SG level operation which can be accomplished using AD cmdlets, such as the Add-ADGroupMember cmdlet.

Although AD cmdlets are already available for the addition of SGs and GPOs, the additional capabilities of this cmdlet are justified as follows.
-- When an SG is added, it is added in all client GPOs. If the user does not have permissions to edit a GPO, then the SG is not added to any of the client GPOs in any of the domains. When using the AD cmdlet, the user would have to carefully ensure that it is run for each of the domains, and it is difficult to handle the case where the user does not have permissions on some domains.
-- When a GPO is added, all SGs are added in the GPO and DA client specific policies are created. This cmdlet takes care of the conditions where the GPO is created if not already present. If the GPO is already present, then it is merely edited.

The following are additional behavior notes for the cmdlet.
-- At least one client GPO is always present. The Install-RemoteAccess cmdlet always creates a GPO even if there are no SGs added. There is never a case where there are no client GPOs. However, if this situation occurs, then adding an SG without specifying a domain or GPO is not allowed. A GPO can still be added alone, but only when there is no client GPO already present in that domain.
-- If DA is configured to be deployed only on laptops and notebooks, then when a domain or GPO is added, a WMI filter to enforce this policy is created in that domain and applied to all the SGs. If the user does not have the permissions to create a filter in a domain, then a GPO is not created in that domain and a non-terminating error is issued.
-- When adding a new GPO, if it is already present in the domain, then it is merely configured with the list of SG and DA client specific policies. Essentially, it is brought into the DA deployment. If it is not present, then it is created first.
-- Attempting to re-add a domain or specify the same GPO name for the domain again will result in no changes being made.
-- Attempting to add a new GPO in a domain that already contains a client GPO will result in no action being taken and the display of a non-terminating error.
-- Attempting to add SGs in even a single GPO without the correct permissions will result in the cmdlet terminating the processing of the entire list of SGs that were specified. However, the cmdlet still processes the list of GPOs that have been specified.
-- Attempting to create or configure one of the specified GPOs without the correct permissions will result in the cmdlet proceeding with the processing of the remaining GPOs.
-- In a multi-site deployment:
---- Clients that are added can connect to all the sites.
---- A separate set of parameters is available for adding down-level clients. Additional information can be found in the parameter descriptions.
-- If multi-site has not been deployed, attempting to add down-level GPOs or SGs using the DownlevelGpoName and DownlevelSecurityGroupNameList parameters will display an error.
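
The notes above mean a run can partly succeed and report only non-terminating errors, so it is worth checking afterwards that every SG is still present in every client GPO. The following is an added example, not part of the original reference: Test-DAClientGpoFiltering is a hypothetical helper, and it assumes that Get-DAClient returns SecurityGroupNameList and GpoName properties in DOMAIN\NAME format and that the GroupPolicy module is available.

```powershell
# Added example: audit the "every SG is in every client GPO" invariant after a change.
# Assumptions: RemoteAccess and GroupPolicy modules are installed; Get-DAClient exposes
# SecurityGroupNameList and GpoName in DOMAIN\NAME format, as this page describes them.
Import-Module RemoteAccess, GroupPolicy

function Test-DAClientGpoFiltering {
    [CmdletBinding()]
    param()

    $da = Get-DAClient
    foreach ($gpoEntry in $da.GpoName) {
        # Split DOMAIN\GPO_NAME on the first separator only.
        $gpoDomain, $gpoName = $gpoEntry -split '[\\/]', 2
        $perms = Get-GPPermission -Name $gpoName -DomainName $gpoDomain -All -ErrorAction Stop

        foreach ($sgEntry in $da.SecurityGroupNameList) {
            $sgDomain, $sgName = $sgEntry -split '[\\/]', 2
            # Trustee.Domain is a NetBIOS name, so match on the group name only.
            $applied = $perms | Where-Object {
                $_.Trustee.Name -eq $sgName -and $_.Permission -eq 'GpoApply'
            }
            [pscustomobject]@{
                Gpo           = $gpoEntry
                SecurityGroup = $sgEntry
                InFilter      = [bool]$applied
            }
        }
    }
}

# Capture non-terminating errors instead of letting them scroll past.
$newGroups = 'corp.contoso.com\DirectAccessLaptopClients'   # value from Example 1
Add-DAClient -SecurityGroupNameList $newGroups -ErrorVariable daErrors -ErrorAction SilentlyContinue
$daErrors | ForEach-Object { Write-Warning "Add-DAClient: $($_.Exception.Message)" }

# Any row with InFilter = $false is an SG missing from a GPO's security filtering.
$gaps = Test-DAClientGpoFiltering | Where-Object { -not $_.InFilter }
if ($gaps) {
    $gaps | Format-Table -AutoSize
} else {
    'All client SGs are applied in all client GPOs.'
}
```

Running Add-DAClient with -WhatIf first shows the intended change without modifying any GPO.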

Parameters

-AsJob

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CimSession<CimSession[]>

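Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Aliases

Session

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false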

-ComputerName<String>

Specifies the IPv4 or IPv6 address, or host name, of the computer on which the Remote Access server computer specific tasks should be run.

Aliases

Cn

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-DownlevelGpoName<String[]>

Specifies the name to be used when creating the down-level client GPO in the specified domain, or represents the domain in which a down-level client GPO with the default name should be created. A GPO is specified in the format DOMAIN\GPO_NAME. A domain is specified in the format DOMAIN. This parameter can be used to create multiple GPOs in multiple domains in one run, so a list of GPO names can be provided. These GPOs correspond to the down-level SGs added using the DownlevelSecurityGroupNameList parameter.
If this parameter contains only the domain name, then the following default GPO name is used.
-- <domain> client policy for <DirectAccess connection friendly name>-<entry point name>.
A list of GPOs can be specified.
This parameter is applicable only in case of multi-site deployment.

Aliases

DownlevelGpoNameList

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DownlevelSecurityGroupNameList<String[]>

Specifies the names of one or more down-level client SGs that are not already part of the DA deployment. Specified in DOMAIN\SG_NAME format.
These down-level clients can then connect only to the site specified in the EntrypointName parameter.
This parameter is only applicable in case of a multi-site deployment.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-EntrypointName<String>

Specifies the identity of a site in a multi-site deployment to which down-level clients are added, such that these clients can only connect to the specified site. If this parameter is not specified, then the site to which the computer on which the cmdlet is run belongs is used (the user may or may not be specifying a computer name). If both this parameter and the ComputerName parameter are specified and the computer name does not belong to the site represented by the name of the entry point, then the entry point takes precedence and the authentication type is configured for it.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-GpoName<String[]>

Specifies the name to be used when creating the client GPO in the specified domain, or represents the domain in which a client GPO with the default name should be created. A GPO is specified in the format DOMAIN\GPO_NAME. A domain is specified in the format DOMAIN. If this parameter contains only the domain name, then the following default GPO name is used.
-- <domain> client policy for <DirectAccess connection friendly name>.
A list of GPOs can be specified.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-PassThru

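Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false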

-SecurityGroupNameList<String[]>

Specifies the list of client SGs that are to be added to the DA deployment. Each SG is specified in DOMAIN\SG_NAME format.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ThrottleLimit<Int32>

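Specifies the maximum number of concurrent operations that can be established to run this cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false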

-Confirm

Prompts you for confirmation before running the cmdlet.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

  • None

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Management.Infrastructure.CimInstance#DAClient

    The Microsoft.Management.Infrastructure.CimInstance object is a wrapper class that displays Windows Management Instrumentation (WMI) objects. The path after the pound sign (#) provides the namespace and class name for the underlying WMI object.
    The output object contains the following properties:
    -- The list of client SGs present in the DA deployment.
    -- The list of client GPOs present in the DA deployment.
    -- The status of force tunnel.
    -- The Name Resolution Policy Table (NRPT) object (for force tunnel properties).
    -- The status of the policy to deploy DA only on laptops and notebooks and not on all computers in the domain.
    -- The status of whether appropriate policies should be deployed on down-level clients (Windows® 7) to enable them to connect to the Windows Server 2012 DA server.
    If multi-site is enabled, then the following additional properties are present:
    -- The name of the entry point (identity of a site) to which down-level clients are added.
    -- The name of the down-level client GPO.
    -- The list of SGs of down-level clients.

Examples

EXAMPLE 1

This example will add the SGs corp.contoso.com\DirectAccessLaptopClients and corp.contoso.com\DirectAccessMobileClients to the DA configuration. corp.contoso.com/DirectAccess Client Settings is the DA client GPO configured at the time of DA installation.
Two new SGs, DirectAccessLaptopClients and DirectAccessMobileClients, are created and DA connectivity is provisioned for these SGs. This cmdlet will add the SGs to the DA configuration. This essentially means that the existing client GPO configuration corp.contoso.com/DirectAccess Client Settings will be filtered on the two SGs.
This cmdlet will only provision Windows® 8 clients. Down-level clients have to be provisioned separately.

PS C:\> Add-DAClient -SecurityGroupNameList 'corp.contoso.com\DirectAccessLaptopClients','corp.contoso.com\DirectAccessMobileClients' -PassThru

EXAMPLE 2

This example will provision DA for the domain child.corp.contoso.com, which is the child of corp.contoso.com. This will create a GPO named child.corp.contoso.com/DirectAccess Client Settings (using the default naming convention). This cmdlet makes sure that all the SGs present in the DA client configuration are added to this GPO.

PS C:\> Add-DAClient -GPOName 'child.corp.contoso.com' -PassThru

EXAMPLE 3

This example provisions DA for clients present in the domain child.corp.contoso.com, enabling them to connect to site 2-Edge-Site.
2-Edge-Site is the site configured for the child domain. A new GPO (DownlevelClientsGPO) can be added to the DirectAccess configuration. This GPO is filtered on the DownlevelClients SG, which contains Windows® 7 clients in the child domain. Note: The Windows® 7 clients can only connect to the site specified in the EntrypointName parameter.

PS C:\> Add-DAClient -DownlevelSecurityGroupNameList 'child.corp.contoso.com\DownlevelClients' -DownlevelGPOName 'child.corp.contoso.com\DownLevelClientsGPO' -EntrypointName '2-Edge-Site' -PassThru

Related topics

Get-DAClient

Remove-DAClient

Set-DAClient

Add-ADGroupMember