Direct Access Trial Deployment?

---

Hello, ran across this practice question and wanted to think through it with others.

Your network contains one Active Directory domain named lab.local. You complete a trial deployement of DirectAccess for a test group called "LAB\Test Computers". The trial is now complete and you need to enable Direct Access for all computers in the domain.

A. From Windows PowerShell, run the Set-DAClient cmdlet.
B. From Windows PowerShell, run the Set-DirectAccess cmdlet.
C. From Active Directory Users and Computers, modify the membership of the Windows Authorization Access Group.
D. From Group Policy Management, modify the security filtering of an object named Direct Access Client Setting Group Polcy.

So "A" doesn't seem to be correct as the "Set-DaClient" seems to only be used to change other unrelated settings like "Force Tunneling". "B" doesn't seem to work as "set-DirectAccess' doesn't appear to be a valid cmlet.

I can't decide if "C" or "D" is the correct answer.. Based on my research it appears that a security group must be used to execute the recommended Microsoft deployment.

Because the group "LAB\Test Computers" was used to deploy the current solution, I imagine this group would need to be swapped out for a different group either on the security filtering tab of the GPO or somewhere in the Direct Access config.. Anyone out there with a bit more experience with this role able to comment?

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/directaccess/single-server-wizard/da-basic-configure-s1-infrastructure

Hey @Adam-Tyler ,

The correct answer would be D.

Your process of elimination is spot on.

A) The Set-DAClient cmdlet is used to configure Force tunneling, support for down-level clients, and support for remote computers only

B) Set-DirectAccess is not a valid cmdlet.

C) The security group named 'Windows Authorization Access Group' is used to grant access to the tokenGroupsGlobalAndUniversal attribute on User objects. You can see this attribute on the properties of a user account if you enable advanced view, go to the attribute editor tab, and change the filter to include constructed attributes. Enterprise domain controllers are members of this group.

D) The 'Direct Access Client Settings' GPO is one of two GPOs created when you deploy DirectAccess, This policy sets the configuration for DirectAccess clients. Settings like firewall rules, NRPT settings, connection security settings, and more. It is linked to the domain, and then security filtering is used to determine who can apply the policy.

So your logic is correct. To limit the DirectAccess trial to LAB\Test Computers, they would have used security filtering. The DirectAccess deployment wizard has a step where you chose 'one or more security groups that contain client computers that will be enabled for DirectAccess'. They would have removed the security group 'LAB\Domain Computers' (the default), and added the security group 'LAB\Test Computers'. Now that the trial is over, that needs to be changed. You can edit this setting in the Remote Access Management console, or you can edit the security filtering directly on the GPO in the Group Policy Management console.

Thank you Mike for that complete answer.

Regards,
Adam Tyler