Server 2012 R2 Group policy management with older Domain servers

Similar Messages

• Adding Internet shortcut favourites using Server 2012 R2 Group Policy Manager

  Hi there,
  I wonder could someone help me!
  Up on to recently we have been using the User Policies/Windows Settings/Internet Explorer Maintenance/URLs/Favourites and Links Group policy in Windows Server 2008 R2 but now within Server 2012 R2 that option doesn’t seem to be available.
  If I however click on the GPO that is currently in place that has favourites specified and click on the Setting tab it generates the report showing the old /Internet Explorer Maintenance/URLs/Favourites and Links Group policy but with I click Edit on the
  GPO it doesn’t show me the /Internet Explorer Maintenance/URLs/Favourites and Links Group policy to allow me to add more favourites.
  From reading online I see that that /Internet Explorer Maintenance/URLs/Favourites and Links Group policy has been dropped in Server 2012 with the IEAK but this seems to need to be downloaded and installed I assume on a DC which I’m reluctant to do.
  I notice there something called the Policy Preferences Administrators tool that should allow me to set favourites but I’m not sure how to use that or even where to get it – it is a feature in Server 2012?
  Sorry for all of the info above!  All I want to do is within Server 2012 R2 edit an existing Windows 2008 R2 group policy and add new shortcuts to that policy so they are pushed out.
  Any help or guidance would be greatly appreciated!
  Thanks,
  Bonemister  

  Hi Frank,
  Thanks very much for your reply!
  Ok, method 1 seems to be a good way for what I am looking to achieve in terms of providing shortcuts, however, could you clarify a couple of things for me please: -
  Does method 1 create a shortcut within Internet Explorer that is accessible by all users when they click on the favourites tab or is it a desktop shortcut?
  At present there are no shortcuts specified within User Configuration -> Preferences -> Windows Settings -> Shortcuts so I presume the current shortcuts are currently still being delivered via the settings within IEM. 
  If that is the case I don’t then want to remove the IEM from the GP reporting tools. The question is, can I keep the current policy that seems to be delivering our shortcuts and just use
  User Configuration -> Preferences -> Windows Settings -> Shortcuts to add any new shortcuts that we need – would there be any issue with having both GPOs operating or would there be any issues introducing shortcuts alongside the IEM
  settings?
  Thanks again for your help!
  Bonemister
  Method #1, is more of a problem-fix, rather than a solution-for-how-to-do-it-from-now-on. This method would only really be needed, if you have a dysfunctional IEM-GPO, causing issues.
  GPP is the way you need to adopt, because even Windows7 is affected by the IEM-removal if you upgrade IE to IE10 or newer (regardless of the Windows Server version you are using).
  The recommendation is that you create some new GPOs for transitioning away from IEM over to GPP, test those, and then deploy those and remove your older GPOs that were using IEM, this would complete your transition away from IEM.
  Don
  (Please take a moment to "Vote as Helpful" and/or "Mark as Answer", where applicable.
  This helps the community, keeps the forums tidy, and recognises useful contributions. Thanks!)

• Renamed Domain - Clients Still "joined" to old domain, can't open Group Policy Management on Server

  Performed a Domain Rename as per the following instructions:
  http://www.bauer-power.net/2011/05/renaming-windows-domain-with-rendom.html#.U4OZRPmSyTM
  and then after these issues I have gone through the related technet articles starting here:
  http://technet.microsoft.com/en-us/library/cc794793(v=ws.10).aspx
  specifically the Fix Group Policy Objects and Links.
  But still I have the following issues:
  At least for group policy clients believe they are on the old domain - despite even having renamed the computers with the new domain name.
  When I perform a gpresult the output file shows as being connected to the old Domain - despite manually going into computer properties and renaming the computer with the new domain name...
  CN=Allister Wade,OU=Users,OU=Home,DC=NEWDOMAIN,DC=local
  Last time Group Policy was applied: 27/05/2014 at 5:36:31 AM
  Group Policy was applied from:      finch.newdomain.local
  Group Policy slow link threshold:   500 kbps
  Domain Name:                        OLDDOMAIN
  Domain Type:                        WindowsNT 4
  On the server I cannot open Group Policy Management on the single Domain Controller as it is looking for a DC on the old Domain:
  Even though it has listed the new domain in the root of the management console when I attempt to expand it out I am prompted:
  "The specified domain controller could not be contacted. This affects the following domain in the console.
  Domain: olddomain.local
  The error was:
  The specified domain either does not exist or could not be contacted."
  I can select to remove the domain from the console but this does nothing - as said it already shows the new domain in the console.
  Far as I am aware the clients should not even of needing renaming or changing the domain, but were having authentication issues before I did this. Not sure what I have done wrong here..?

  Client's NSLookup shows "UnKnown" as DNS Server so thought to check DNS out.
  This is result of dcdiag /test:DNS.
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
     Home Server = finch
     * Identified AD Forest. 
     Done gathering initial info.
  Doing initial required tests
     Testing server: Default-First-Site-Name\FINCH
        Starting test: Connectivity
           ......................... FINCH passed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\FINCH
        Starting test: DNS
           DNS Tests are running and not hung. Please wait a few minutes...
           ......................... FINCH passed test DNS
     Running partition tests on : ForestDnsZones
     Running partition tests on : DomainDnsZones
     Running partition tests on : Schema
     Running partition tests on : Configuration
     Running partition tests on : NEWDOMAIN
     Running enterprise tests on : NEWDOMAIN.local
        Starting test: DNS
           Test results for domain controllers:
              DC: finch.NEWDOMAIN.local
              Domain: NEWDOMAIN.local
                 TEST: Delegations (Del)
                    Error: DNS server: finch.olddomain.local. IP:<Unavailable>
                    [Missing glue A record]
           Summary of test results for DNS servers used by the above domain
           controllers:
              DNS server: 203.12.160.35 (<name unavailable>)
                 1 test failure on this DNS server
                 PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 203.12.160.35               
           Summary of DNS test results:
                                              Auth Basc Forw Del  Dyn  RReg Ext
              Domain: NEWDOMAIN.local
                 finch                        PASS PASS PASS FAIL PASS PASS n/a  
           ......................... NEWDOMAIN.local failed test DNS

• Group Policy Management | No such interface supported

  Running Windows Server 2008 R2 as a Domain Controller and when I open Group Policy Management, click on a GPO, then click on the Settings tab, it pops up an error message that says "No such interface supported".  I've found several articles
  that talk about registering .dll files and I've done that and nothing.  I've uninstalled GPMC and reinstalled and that didn't fix anything.  Can anyone help resolve this?

  Hi Jason,
  Before going further, do we have other domain controllers? If yes, does GPMC work correctly on these domain controller? GPMC reports the error "No Such interface supported" normally is due to a missing or corrupted Windows component.
  Besides, do we update the server to the latest? If not, we can update the server to the latest and then reinstall the GPMC to see if the issue persists.
  TechNet Subscriber Support
  If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
  Best regards
  Frank Shen

• Unable to see Remote App and Desktop Connection in Group Policy Management Editor

  I am unable to see the Remote App and Desktop Connection in Group Policy Management Editor on my 2012 R2 DC. I am therefore not able configure the connection URL in Access RemoteApp and desktops in our Windows 8.1 client environment.
  Within the Group Policy Under User Configuration, Administrative Templates, Windows Components all I see is:-
  RD Gateway
  Remote Desktop Connection Client
  Remote Desktop Session Host
  But NOT
  Remote App and Desktop Connection
  Which I need. Is there anyway of adding this?

  > I am unable to see the Remote App and Desktop Connection in Group Policy
  > Management Editor on my 2012 R2 DC. I am therefore not able configure
  > the connection URL in Access RemoteApp and desktops in our Windows 8.1
  > client environment.
  http://gpsearch.azurewebsites.net/#8113
  Do you use a central store for ADMX? Is this central store out of date?
  (Means "still contains ADMX from W7/2008R2")
  Martin
  Mal ein
  GUTES Buch über GPOs lesen?
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  And if IT bothers me - coke bottle design refreshment :))

• WMI Filters Folder NOT Found in Group Policy Management Console.

  We have a Small Business Server 2011 Standard Edition install that is Hosting a Domain that was migrated to it from Windows Server 2003 Standard Edition. All seems to be working. We have a few problems that we are trying to work on one at a time when this
  issue was brought to light.
  We were trying to push the installation of a client software via group policy and in the process to have it pushed by the server, we had to configure several wmi filters in the group policy management in the SBS 2011.  We opened the console and found
  that the WMI Filters Folder is nowhere to be found.
  We would like to find out what can be the cause and resolution of this problem.  I would like to find out how to get the WMI Filters folder back in the Management Console and be able to create the filters that will help us deploy the client software
  we need to provide to our users using the group policies.
  Has anyone experienced this problem.  Can we just go into the group policy management console and create the object and then import the default filters into that object we created.  The filters were exported from another sbs 2011 standard edition
  install that has the wmi filters folder in the GPMC.
  Need help on this situation.  Have very little experience in troubleshooting GPO's and GPMC's issues.
  Thank you
  JFM

  Hi,
  >>I need to find out if there is a way to get the WMI Filters Object Folder back or find a way to recreate it.
  Based on the description, we can use LDP.exe to check if the following object is missing in Active Directory:
  CN=Windows2003Update, CN=DomainUpdates, CN=System, DC=domain, DC=com
  Regarding how to use LDP.exe to view AD object, the following article can be referred to as reference.
  How to Use Ldp.exe to View Entire Directory Tree and Locate the Microsoft Exchange Container
  http://support.microsoft.com/kb/252335
  If the object is missing, we can follow the solutions described in the following article to check if the object was deleted and we need to restore it if this is true.
  Step 2: Restore a Deleted Active Directory Object
  https://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
  If the object is there, we can check if proper access permissions have been configured for it.
  If the object is missing but not deleted, this may be related to the migration process. If this is true, we can ask for suggestions in the following SBS forum.
  Small Business Server
  https://social.technet.microsoft.com/Forums/en-US/home?forum=smallbusinessserver
  In addition, regarding migrating Active Directory to SBS 2011 Standard, the following articles can be referred to for more information.
  Prepare your Source Server for Windows SBS 2011 Standard migration
  https://technet.microsoft.com/en-us/library/gg615494.aspx
  SBS 2011 Standard Migrations – Keys to Success
  http://blogs.technet.com/b/sbs/archive/2011/07/01/sbs-2011-standard-migrations-keys-to-success.aspx
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• What is the differents between Policies and Preferences in Group policy Management Editor

  What is the differents between Policies and Preferences in Group policy Management Editor?

  Policies: If you delete a policy in GPO it deletes its registry files form the clients. Policies don't tattoo the registry. Policies Settings are permanent as long policy is in effect i.e. Desktop Backgrond. Policies are applied at Computer
  Startup, User logon and Manual and automatic refresh. Takes Precedence over Preferences.
  Preferences: Even if you delete a policy form Preferences tab the registry files will still available on the systems. Preferences tattooed the registry if you want to remove the registry entries you have to do it manually. Preferences exampl
  is i.e. mapped drive. Settings applied with preferences are not grayed out. Not available in Local GPO.
  Usefull for
  Desktop Icons/Shortcuts
  Url
  Drive Map
  File Copy, Update, delete
  Thanks

• Group Policy Management Console Failes to open when one Domain Controller is powered down

  Hi All,
  This was an accidental discovery, but here's my dilemma. I have a site with 2 domain controllers(Windows 2008 R2), and if I shut down my second domain controller, when I try to open the Group Policy Management  Console on the 1st domain controller,
  it fails to open and I get the following error, "The specified domain either does not exist or could not be contacted" with 3 options to "retry", "choose another domain controller", or remove.   If I go to chose another domain
  controller and select the 1st domain controller it still fails.  Unless the 2nd DC is turned on, I have no issues opening the GP management console. Not sure, why this is happening, I've done it in the pass without issue.
  Any help would be appreciated.
  Thanks

  Well it seems that some how the PDC emulator is set to be the 2nd DC instead of the 1st DC on the 1st DC which explains why the failure after the 2nd DC went down. Why or should I say how could the PDC get switched from the primary DC without human intervention.
  Does the PDC automatically switch for any reason?

• Is it possible to uninstall IE 11 from Windows Server 2012 R2 and replace it with the latest version of IE 10?

  Is it possible to uninstall IE 11 from Windows Server 2012 R2 and replace it with the latest version of IE 10? We have a remote desktop farm setup with 2012 R2 servers and we are publishing some web links that only work with IE10. As a result, we need to
  downgrade the remote desktop servers to IE10. I have a feeling that this isn't possible, but if I could get a definitive answer, I would greatly appreciate it, thank you!

  Hi,
  Agreed with DonPick.
  Internet Explorer 11 is preinstalled with Windows 8.1 and Windows Server 2012 R2.
  More information regarding Internet Explorer 11, please check:
  Internet Explorer 11 - FAQ for IT Pros
  http://msdn.microsoft.com/en-us/library/dn268945.aspx
  Best regards
  Michael Shao
  TechNet Community Support

• No longer see "Internet Explorer Maintenance" in Group Policy Management Console

  I am trying to configure Internet Explorer favorites on a GPO that I have already constructed.  I had already successfully created the GPO many months ago and wanted to go back and check on some things.
  However in the GPMC when I navigate to User Configuration-->Policies-->Windows Settings, I no longer see "Internet Explorer Maintenance" listed.  This is where I had previously configured Internet Explorer favorites.
  I uninstalled and reinstalled GPM using these instructions
  http://www.addictivetips.com/windows-tips/how-to-install-the-group-policy-management-in-windows-7/ but this did not help.
  Previously I had two Windows XP computers in the OU that this GPO was applied to.  I had no problems at all configuring it and getting the rules and favorites to apply to these two computers.  I just recently upgraded one of the computers to Windows
  7 and used the same machine name for the computer.  The computer gets some of the rules applied to it but not all.  In particular the IE favorites are not being applied which led me to check the policy in the GPMC.  However, as stated before
  I cannot even see "Internet Explorer Maintenance" which has me confused on what to do next.  Please help.

  Am 29.03.2013 14:15, schrieb FuFighter:
  > <?xml version="1.0" encoding="utf-8"?>
  > <Shortcut clsid="{4F2F7C55-2790-433e-8127-0739D1CFA327}"
  > userContext="1" name="Google" status="Google" image="0"
  > changed="2013-03-29 13:00:44"
  > uid="{648046B5-4019-4F32-8F0E-E691EA54E125}"><Properties pidl=""
  > targetType="URL" action="C" comment="" shortcutKey="0" startIn=""
  > arguments="" iconIndex="0" targetPath="http://www.google.com"
  > iconPath="" window=""
  > shortcutPath="%CommonFavoritesDir%\Google"/></Shortcut>
  I'm too tired at the moment to check all you already did, so just let me
  ask some further questions on that item:
  This is a user or a computer item? If it is a user item and "run in
  logged on users context" is checked, I believe it will fail, because a
  non administrator cannot add all users favorites.
  I'm unaware whether all users favorites works at all - never used it...
  For further clarification, I'd enable GPP debug logging:
  http://blogs.technet.com/b/askds/archive/2008/07/18/enabling-group-policy-preferences-debug-logging-using-the-rsat.aspx
  NO THEY ARE NOT EVIL, if you know what you are doing:
  Good or bad GPOs?
  Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!

• Windows 7 Policy missing from Group Policy Management

  Hey all,
  I have 2 SBS 2008 clients that have Windows 7 Policy missing from Group Policy Management. I noticed that they have XP, Vista, and 8, but not 7.
  I came across this when I started to deploy some new support software. I deployed my package, the XP, Vista, and 8 policies as well as the "Windows SBS Client Policy" and workstation, but  Win 7 workstations do not get the software package
  and this is at both sites.
  I personally have SBS008 have tested this and same issue, XP, Vista, 8, 8.1, even my 10 get the software, but my Windows 7 does not.
  Do you have any ideas? I have attached a screenshot so you can see what I am talking about.

  Hi,
  Similar query answered :
  https://social.technet.microsoft.com/Forums/en-US/d6a6e3fa-fb15-4bcc-a5ca-449f69eeee5d/sbs-2008-missing-client-policy-for-windows-7?forum=smallbusinessserver
  https://www.microsoft.com/en-us/download/details.aspx?id=25250
  I hope that will help.
  Binu Kumar - MCP, MCITP, MCTS , MBA - IT , Director Aarbin Technology Pvt Ltd - Please remember to mark the replies as answers if they help and unmark them if they provide no help.

• Using Windows 8.1 With Older Domain Controllers

  Is there any document that would specify types of incompatibility we might expect when using Windows 8.1 with older domain controllers, either Windows 2000 or Windows 2003?    
  I assume at minimum that these older domain controllers would not have group policies that are able to support the full security policy feature set of Windows 8.1?    For such cases, how do we configure security policy on those 8.1 domain member
  computers?   Would we use LocalGPO.wsf to import a local security policy, then join the computer to the domain to override just the settings that are supported by the domain controller and windows 8.1 in common?
  Will

  Hi,
  You could refer to below guide to complete your migration process:
  Step-By-Step: Active Directory Migration from Windows Server 2003 to Windows Server 2012 R2
  http://blogs.technet.com/b/canitpro/archive/2014/04/02/step-by-step-active-directory-migration-from-windows-server-2003-to-windows-server-2012.aspx
  Meanwhile, about the details how to migrate the doamin controller, I would like to suggest you consult Windows Server Forum for more professional help:
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserverDS
  Karen Hu
  TechNet Community Support

• Automate SQL 2012 policy management with powershell

  Hello.
  I´m trying to automate policy management via Powershell and I´m running into some problems. What I want to do is register a SQL 2012 server to a group in a CMS server and then import a pre defined policy into that server. The first part where I register
  the client server is no problem but I cant figure out how to import the policy.
  Has anyone else run into this problem?
  Regards.
  /Niklas

  Of course!
  First thing you need to do if it is not already done is to register the CMS server. 
  Set-Location "SQLSERVER:\SQLRegistration\Central Management Server Group"
  New-Item -Name $CMSServer -ItemType registration -Value "server=$CMSServer;integrated security=true"
  Second you want to register the client server into a CMS server group.
  Set-Location "SQLSERVER:\SQLRegistration\Central Management Server Group\$CMSServer\SQL Server Group"
  New-Item -Name $serverToRegister.Replace("\","`$") -ItemType registration -Value "server=$serverToRegister;integrated security=true"
  When this is done I want to create my policy and schedule on all my target machines. I defined my policies directly in my powershell script so if
  you want to import the exported policies you probably need to extract information from the XML files.
  This example creates a schedule called hisec that executes daily at 1 am.
  $createSchedulecommand = @"
  DECLARE @start_date varchar(8) = convert(varchar(8), DATEADD(day,-1,GETDATE()), 112)
  EXEC msdb.dbo.sp_add_schedule  @schedule_name = N'hisec',
  @enabled = 1, @freq_type = 4, @freq_interval = 1, @active_start_date = @start_date,
  @active_start_time = 010000; "@ 
  Invoke-Sqlcmd -Query $createSchedulecommand -ServerInstance $targetInstanceName -Database "msdb" 
  Next thing is to create my policy. This example checks if XPCmdShell is enabled.
  $createPolicyCommand = @"
  DECLARE @object_SET_id int
  EXEC msdb.dbo.sp_syspolicy_add_object_SET
  @object_SET_name=N'hisec_ObjectSET',
  @facet=N'IServerSecurityFacet',
  @object_SET_id=@object_SET_id OUTPUT;
  DECLARE @target_SET_id int
  EXEC msdb.dbo.sp_syspolicy_add_target_SET
  @object_SET_name=N'hisec_ObjectSET',
  @type_skeleton=N'Server',
  @type=N'SERVER',
  @enabled=True,
  @target_SET_id=@target_SET_id OUTPUT;
  GO
  DECLARE @uid varchar(40)
  SET @uid = (select schedule_uid from msdb..sysschedules where name = 'hisec')
  DECLARE @policy_id int
  EXEC msdb.dbo.sp_syspolicy_add_policy
  @name=N'hisec',
  @condition_name=N'ServerSecurity',
  @policy_category=N'',
  @description=N'',
  @help_text=N'',
  @help_link=N'',
  @schedule_uid=@uid,
  @EXECution_mode=4,
  @is_enabled=True,
  @policy_id=@policy_id OUTPUT,
  @root_condition_name=N'',
  @object_SET=N'hisec_ObjectSET';
  GO
  Invoke-Sqlcmd -Query $createPolicyCommand -ServerInstance $targetInstanceName
  -Database "msdb"
  Hope this can help you somehow.

• Server 2012: Remote desktop licence manager not issuing licences

  Hi,
  I am battling with an problem which i cannot seem to resolve and no other forums actually come to a conclusion on how to resolve this problem!
  I have a windows server 2012 server which is NOT part of a domain.
  I have installed Remote Desktop Services and also installed the Remote Desktop License manager and i just cannot get the license manager to issue cals when users connect remotely via RDP
  I have installed an extra two CAL's and tried using them as both a "Per User" and also "Per Device" but still does not work.
  I have now run out of my grace period and cannot connect to the server at all
  I have also tried changing some gpo's with no luck, 
  Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
  "Use the specified RD license servers" = myservername
  "Set the Remote Desktop licensing mode" = Per User
  How can i fix this?
  Thanks

  Hi,
  Thank you for posting in Windows Server Forum.
  Have you seen that you have activated RDS License server before installing CAL?
  Please check that the License Server should be part of ‘Terminal Server License’ group in Active Directory Domain Services. You can also configure RD License server manually by powershell commmand. Please check below article for information.
  RD Licensing Configuration on Windows Server 2012
  http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
  In addition, please install below Hotfix and verify the result.
  No RDS license when you connect to an RDS farm in Windows Server 2012
  http://support.microsoft.com/kb/2916846
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• How to do Server 2012 R2 Network Policy Server MAC Authentication without adding ad users?

  I have a Network Policy Server running on Server 2012 R2.  I have set it up to do certificate and PEAP authentication for our 802.1x wireless authentication
  and that works great.
  Now I want to add a policy to this server so I can also do MAC address authentication our unauthenticated open wireless ssid so i can assign roles based on the
  mac address.  I got our Aruba controller setup to send the mac address to the radius server, but the radius server just denies access because I am not sure how to get it to use themsNPCallingStationID attribute. 
  I have found several ways do to this included adding active directory users for every single MAC address with the mac address as the username and password.  I
  do not want to do that.  This is not an option.
  I have also found several posts about using ieee802Device.  I can't find a way to get that to work.
  I also found a suggestion to use msNPCallingStationID ad attribute.  I can easily set this for each user as their mac addresses but how do I configure the
  NPS server to use this attribute to authenticate this?
  If you have any other ideas on how to get MAC authentication to work, I would greatly appreciate it!
  Thank you for your assistance!

  Hi,
  I think you may have some misunderstand about the MAC address Authorization, MAC address authorization is based on the MAC address of the network adapter installed in
  the access client computer. Like ANI authorization, MAC address authorization uses the Calling-Station-ID attribute instead of user name and password or certificate-based credentials to identify the user during the connection attempt.
  MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network
  Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names, therefore you need
  add the MAC address as the computer user name and password,
  To use the MAC address as user name and password is Cisco® switch require condition, about your switch device please ask your hardware vendor.
  If you want to combine the MAC address MAC filtering and
   EAP Authentication, you can refer the following related article:
  Enhance your 802.1x deployment security with MAC filtering
  http://blogs.technet.com/b/nap/archive/2006/09/08/454705.aspx
  More information:
  MAC Address Authorization
  http://technet.microsoft.com/en-us/library/dd197535(v=ws.10).aspx
  Authorization by User and Group
  http://technet.microsoft.com/en-us/library/dd197615(v=ws.10).aspx
  The similar thread:
  NPS: Override User-Name and User Identity Attribute
  http://social.technet.microsoft.com/Forums/windowsserver/en-US/6dd983f9-973f-4d23-be0c-032d3a1592d0/nps-override-username-and-user-identity-attribute?forum=winserverNAP
  The related third party article:
  Configuring IEEE 802.1x Port-Based Authentication
  http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3550/software/release/12-2_25_see/configuration/guide/3550SCG/sw8021x.html#wp1170569
  MAC Filters with Wireless LAN Controllers (WLCs) Configuration Example
  http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/91901-mac-filters-wlcs-config.html#backinfo
  Hope this helps.