Create an IPsec NAP Exemption Group
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
To exempt computers from NAP health checks when you use NAP with IPsec enforcement, you can autoenroll members of a security group with NAP exemption certificates. To autoenroll exempted computers, create a NAP exemption certificate template and grant enroll and autoenroll permissions to the IPsec NAP exemption group created in this procedure. For more information, see Create Health Certificate Templates.
Membership in the local Domain Admins group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Create a NAP exemption group and add member computers
Use the following procedure to create a NAP exemption group.
To create a NAP exemption group
1. On a domain controller, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the Active Directory Users and Computers console tree, right-click the domain name (for example, Woodgrovebank.local), point to New, and then click Group.
3. Under Group Name, type IPsec NAP Exemption, and then click OK.
4. Leave the Active Directory Users and Computers console open for the following procedure.
To add computers to the IPsec NAP exemption group
1. In the Active Directory Users and Computers console tree, click the domain name (for example, Woodgrovebank.local).
2. In the details pane, right-click IPsec NAP Exemption, and then click Properties.
3. Click the Members tab, click Add, click Object Types, select Computers, and then click OK.
4. Under Enter the object names to select, type the name of the computer or group you want to exempt, and then click OK twice.
5. Close the Active Directory Users and Computers console.
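A scripted equivalent of the two procedures above, followed by a membership audit, given as an added example that is not part of the original documentation. It assumes the ActiveDirectory PowerShell module is available (Windows Server 2008 R2 or later, or RSAT); the computer names in `$Approved` are constructed samples, and the approved-list comparison is an addition that goes beyond the console steps.

```powershell
# Added example, not Microsoft's own script. Run as Domain Admins or equivalent.
Import-Module ActiveDirectory

$GroupName = 'IPsec NAP Exemption'      # group name from the procedure
$Approved  = @('HRA01', 'DC01')         # constructed sample computer names

$domainDn = (Get-ADDomain).DistinguishedName

# Create the group at the domain root only if it does not exist yet.
# Global scope and Security type are the defaults of the New Object - Group dialog.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $domainDn
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -SamAccountName $GroupName `
        -GroupScope Global -GroupCategory Security -Path $domainDn -PassThru
}

# Direct members already present, so that re-running the script is harmless.
$current = @(Get-ADGroupMember -Identity $group |
    Select-Object -ExpandProperty DistinguishedName)

foreach ($name in $Approved) {
    $computer = Get-ADComputer -Filter "Name -eq '$name'"
    if (-not $computer) {
        Write-Warning "Computer '$name' not found in the domain; skipped."
        continue
    }
    if ($current -notcontains $computer.DistinguishedName) {
        Add-ADGroupMember -Identity $group -Members $computer
    }
}

# Audit: every effective member (nested groups expanded) that is not on the
# approved list. Members of this group can be autoenrolled with NAP exemption
# certificates, so unexpected entries deserve review.
$unexpected = @(Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $Approved -notcontains $_.Name } |
    Select-Object Name, objectClass, distinguishedName)

if ($unexpected.Count -gt 0) {
    Write-Warning "Members of '$GroupName' not on the approved list:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Membership of '$GroupName' matches the approved list."
}
```

Running the audit portion on a schedule shows any computer or nested group that was added to the exemption group outside this script.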