Removing Direct Access (Powershell)

Microsoft introduced Direct Access with Windows Server 2008 R2 for use with Windows 7 Enterprise and Windows 8 Enterprise edition clients; it can also be used on Windows 10.

Direct Access is a VPN-like technology that allows clients to connect to intranet services (including applications and file shares) via a secure connection over the internet, controlled via group policies (GPOs). The best way to control these GPOs is to use a security group for the devices that require Direct Access.

But what happens if you need to remove Direct Access, e.g. for fault finding? This week I found out how, as I had to remove it from a device.

First remove the device from the security group that is giving it Direct Access GPOs.

Then run a group policy update (in Powershell type gpupdate /force); a log off/on or a reboot may then be required. This should stop the group policies from applying; however, it does leave traces of Direct Access behind.

The bits Direct Access seems to leave behind are DNS policies (NRPT rules) under the registry path:

HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

As always, if you are making changes in the registry be careful and make a backup before editing it.

To view them in Powershell:

Set-Location -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'

Get-Item .

To remove them:

Remove-Item -Path 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig\*' -Recurse

Or, for Powershell to get the items and show them as it deletes them (the -Verbose switch prints each key as it is removed). The -Recurse option makes Powershell drill down into subkeys, so be careful how it is used. Note that Set-Location returns nothing unless -PassThru is given, so the path is stored in a variable first and then used for each command:

# Store the key path, then move to it
$path = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
Set-Location -Path $path
# Show the key itself and its subkeys (one per NRPT rule)
Get-Item .
Get-ChildItem -Path $path
# Delete the subkeys, printing each one as it goes
Remove-Item -Path "$path\*" -Recurse -Verbose
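The steps above (leave the security group, refresh policy, inspect the leftover keys, delete them) pulled together into one script. This is an added example, not code from the original post: it exports the key with reg.exe before touching it, shows a -WhatIf dry run, and only deletes after confirmation. $BackupDir, and the registry value names Name and DirectAccessDNSServers read from each rule, are assumptions; adjust them if your keys differ.

```powershell
# Added example (not from the original post): back up, inspect and remove the
# NRPT (DNS policy) keys DirectAccess leaves behind. Run in an elevated
# PowerShell session AFTER the device has been removed from the DirectAccess
# security group and gpupdate /force has run, otherwise group policy will
# simply recreate the keys.
# Assumptions: $BackupDir is any writable folder; the value names 'Name' and
# 'DirectAccessDNSServers' are what each NRPT rule subkey holds.

$DnsPolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$BackupDir    = 'C:\Backup'   # assumption: change to suit

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Backup-DnsPolicyKey {
    # reg.exe export wants the key in 'HKLM\...' form, not the PSDrive 'HKLM:\' form.
    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -Path $BackupDir -ItemType Directory | Out-Null
    }
    $stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
    $regFile   = Join-Path -Path $BackupDir -ChildPath "DnsPolicyConfig-$stamp.reg"
    $nativeKey = $DnsPolicyKey -replace '^HKLM:\\', 'HKLM\'
    & reg.exe export $nativeKey $regFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry export failed with exit code $LASTEXITCODE" }
    return $regFile
}

function Show-DnsPolicyKey {
    # Each subkey is one NRPT rule; 'Name' holds the namespace(s) it covers (assumed value names).
    Get-ChildItem -Path $DnsPolicyKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{
            Rule       = $_.PSChildName
            Namespace  = ($props.Name -join ', ')
            DnsServers = ($props.DirectAccessDNSServers -join ', ')
        }
    }
}

if (-not (Test-IsElevated)) { throw 'Run this from an elevated PowerShell session.' }

if (-not (Test-Path -Path $DnsPolicyKey)) {
    Write-Host "Nothing to do: $DnsPolicyKey does not exist."
    return
}

Write-Host 'NRPT rules currently left behind by DirectAccess:'
Show-DnsPolicyKey | Format-Table -AutoSize

$backup = Backup-DnsPolicyKey
Write-Host "Backed up key to $backup"

# Dry run first: -WhatIf lists what would be deleted without touching anything.
Remove-Item -Path "$DnsPolicyKey\*" -Recurse -WhatIf

if ((Read-Host 'Type YES to delete these keys') -eq 'YES') {
    Remove-Item -Path "$DnsPolicyKey\*" -Recurse -Verbose
    Clear-DnsClientCache
    Write-Host 'Remaining NRPT rules (should be empty):'
    Get-DnsClientNrptPolicy | Format-Table Namespace, DirectAccessDnsServers -AutoSize
}
```

The .reg file written by Backup-DnsPolicyKey can be re-imported with reg.exe import if the deletion turns out to be a mistake, and the final Get-DnsClientNrptPolicy call confirms the DNS client no longer sees any DirectAccess rule.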

Direct Access Powershell Commands

Some other Powershell Direct Access commands that may prove helpful when fault finding in Direct Access are:

Get-DAConnectionStatus

Get-DAClientExperienceConfiguration

Get-NetIPHttpsState

Get-NetIPHttpsConfiguration

Resolve-DnsName

Get-DnsClientNrptPolicy

Log File

Direct Access can generate log files which may be helpful when diagnosing issues. These log files can be found under the following path:

%SystemDrive%\Users\%Username%\AppData\Local\Temp\%COMPUTERNAME%-%Date% %Time%-DirectAccess Logs.html
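A read-only health snapshot that runs the diagnostic cmdlets listed above and then searches the temp folder for the DirectAccess Logs.html files. This is an added example, not code from the original post; $IntranetName is an assumed host name (replace it with one your NRPT covers), and each call is wrapped so that a missing cmdlet or component reports an error instead of aborting the whole snapshot.

```powershell
# Added example (not from the original post): a read-only DirectAccess health
# snapshot built from the cmdlets listed above, plus a search for the
# '<computername>-<date> <time>-DirectAccess Logs.html' files.
# Nothing here changes configuration.
# Assumption: $IntranetName is a name that should resolve via DirectAccess.

$IntranetName = 'intranet.example.com'

function Invoke-Safely {
    # The DA cmdlets throw when the DirectAccess client components are absent
    # (e.g. a machine never given DA policy), so each check is wrapped.
    param([string]$Label, [scriptblock]$Action)
    $ErrorActionPreference = 'Stop'   # make non-terminating errors catchable
    try {
        [pscustomobject]@{ Check = $Label; Result = (& $Action | Out-String).Trim(); Error = $null }
    } catch {
        [pscustomobject]@{ Check = $Label; Result = $null; Error = $_.Exception.Message }
    }
}

function Get-DirectAccessSnapshot {
    @(
        Invoke-Safely 'DA connection status'  { Get-DAConnectionStatus | Select-Object Status, Substatus }
        Invoke-Safely 'DA client experience'  { Get-DAClientExperienceConfiguration | Select-Object FriendlyName, ForceTunneling }
        Invoke-Safely 'IP-HTTPS state'        { Get-NetIPHttpsState | Select-Object State, LastErrorCode, InterfaceStatus }
        Invoke-Safely 'IP-HTTPS config'       { Get-NetIPHttpsConfiguration | Select-Object ServerURL, State }
        Invoke-Safely 'NRPT policy'           { Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers }
        Invoke-Safely "Resolve $IntranetName" { Resolve-DnsName -Name $IntranetName | Select-Object Name, Type, IPAddress }
    )
}

function Find-DirectAccessLogs {
    # The path in the post expands to the current user's temp folder ($env:TEMP).
    Get-ChildItem -Path $env:TEMP -Filter '*-DirectAccess Logs.html' -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, LastWriteTime, Length
}

Get-DirectAccessSnapshot | Format-List
Write-Host 'DirectAccess log files found:'
Find-DirectAccessLogs | Format-Table -AutoSize
```

Running the snapshot before and after removing Direct Access gives a quick side-by-side: after a clean removal the NRPT policy check should return nothing, the IP-HTTPS interface should be gone, and the intranet name should either resolve over the local network or fail, rather than being answered by the DirectAccess DNS servers.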
