Cannot Export Firewall Policy - DirectAccess Configuration and Windows 7
This all starts with installing UAG for the first time. We just bought it; we ran the trial for 3 months running pre-SP1, now we have purchased it and are installing it on new servers running fresh installs of 2008 R2 SP1. It all starts when we try to activate and apply the DirectAccess settings. The script fails at exporting the firewall settings. It creates an empty .wfw file. I exported the script and tried it in PowerShell using different servers. They all failed the same way. I eventually tried to export the firewall policy using the Windows Advanced Firewall control panel applet/GUI; it failed, saying that I don't have sufficient privilege. Next I tried netsh advfirewall export %tmp%\da.wfw, which failed. Next I figured I would try the netsh command on my Windows 7 64 Ent SP1 workstation. Same error. I ended up trying 2 Windows 7 machines, both with the same error as the servers. I took one of the workstations and removed all of our GPOs on it by placing it in an OU with blocked inheritance. I ran gpupdate /force and rebooted. It let me export the policy using the netsh command. Now I am onto something, or am I? My servers are in an OU with blocked inheritance too and have no GPOs linked other than our default policy, which in itself only has permissions for users who need to run as batch. I am stumped. Please help. I cannot find anyone else experiencing this issue anywhere around the English-speaking internet.
- Ryechz
September 19th, 2011 6:08pm

Hi,

Do you use a domain admin account? If so, please run the netsh command from a command prompt with elevated permissions. To start a command prompt with elevated permissions, find the icon or Start menu entry that you use to start a command prompt session, right-click it, and then click Run as administrator.

If the problem continues, I would like to confirm the following information:
1. If the server is in an OU with blocked inheritance and has no GPOs linked other than the Default Domain Policy, can the firewall policy be exported?
2. Is there any error in the event log when the script fails?
3. You can use Process Monitor to check what happens when the process fails.

Meanwhile, as this problem is related to UAG DirectAccess, please also ask in the UAG forum. Community members there may have an idea about this problem.
Forefront Edge Security – DirectAccess, UAG and IAG
http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag

Regards,
Bruce
September 21st, 2011 2:58am

Sorry for posting on the wrong thread. I figured out the issue. It was the Default Policy GPO that was causing the issue. I am still looking for the root cause, but have found that if I remove its link from the OU the exporting of the firewall works fine. My Default Policy GPO contains settings for user passwords, it turns off Anytime Upgrade and RIS, and it sets specified service accounts to have run-as-batch user permissions. I am going to duplicate the policy, then remove each setting one at a time while testing the export to see if I can nail down the culprit. My guess is that it is the run-as-batch settings.
- Ryechz
September 21st, 2011 6:30pm
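The bisecting procedure described above (export, check whether the .wfw is empty, then look at which GPOs are applied and what the event log recorded) as a single script. This is an added example, not code from the thread or from UAG; the output path `$env:TEMP\da.wfw` mirrors the post's `%tmp%\da.wfw`, and the ten-minute event-log window is an arbitrary choice.

```powershell
# Added example: reproduce the export the UAG script performs, verify the
# result is not an empty file, and collect the context needed to match a
# failure against a specific GPO. Run from an elevated PowerShell prompt.
$out = Join-Path $env:TEMP 'da.wfw'
if (Test-Path $out) { Remove-Item $out -Force }

# netsh advfirewall export requires elevation; warn early if we are not elevated
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'This prompt is not elevated; the export is expected to fail.'
}

# Capture both netsh's text output and its exit code
$result = & netsh advfirewall export $out 2>&1
$rc     = $LASTEXITCODE
$size   = if (Test-Path $out) { (Get-Item $out).Length } else { -1 }   # -1 = no file written

[pscustomobject]@{ ExitCode = $rc; NetshOutput = ($result -join ' '); FileBytes = $size } | Format-List

# An exit code of 0 with a zero-byte file is the symptom from the thread, so treat it as a failure too
if ($rc -ne 0 -or $size -le 0) {
    Write-Host "Export failed or produced an empty file.`nComputer GPOs applied on this machine:"
    # gpresult lists the GPOs in effect; /scope:computer restricts it to the machine side
    gpresult /r /scope:computer 2>&1 |
        Select-String -Pattern 'Applied Group Policy Objects' -Context 0,15

    Write-Host "`nSystem log errors from the last 10 minutes (constructed window):"
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 2; StartTime = (Get-Date).AddMinutes(-10) } `
        -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message |
        Format-Table -AutoSize -Wrap
}
```

Re-run it after each GPO setting you remove and compare `FileBytes` and the applied-GPO list between runs; the first run where the file is non-empty points at the setting that was blocking the export.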

Hi ryechz,

Thanks for your update. We usually avoid making changes to the Default Domain Policy, because any settings you configure there will be inherited by all computer and user accounts in all OUs in the domain. Instead, create a new GPO, link it to the domain, and configure its settings as needed. Also, configuring several policies in one GPO will make troubleshooting harder. So, wherever possible, configure policy at the OU level and not at the domain level, and use domain GPOs only for configuring account policy for the domain.

Hope this helps.

Regards,
Bruce
September 22nd, 2011 1:36am
