Windows Authentication - Active Directory/Group Policy
Windows authentication into SchoolProtect is handled through an agent (called Netsweeper Workstation Agent or WAgent) that is installed on the devices and runs as a service. Group Policy or Intune is used to push the correct policy setting to associate users with the appropriate filtering policy.
Note: this authentication method replaces the legacy 'AD Link' tool that was previously used. The new tool works with both on-premises AD and Entra ID joined devices.
Active Directory - Group Policy Steps
- Download and extract LGfL Netsweeper Workstation Agent ADMX. This zip contains 4 files:
- Netsweeper Workstation Agent MSI
- Netsweeper Workstation Agent INTUNEWIN
- Wagent.admx
- Wagent.adml
- Deploy the MSI installer. This needs to be completed once:
- Copy the Netsweeper Workstation Agent MSI file to \\<domain controller>\NETLOGON
- Open Group Policy Management Console
- Create a new Group Policy Object linked to your domain (top-level) and give it a name such as 'SchoolProtect Agent Installation'
- Edit the GPO and open Computer Configuration > Policies > Software Settings
- Right-click Software installation and choose New > Package
- Locate the Netsweeper Workstation Agent MSI within NETLOGON and assign it.
- Add the ADMX definition. This needs to be completed once:
- Copy wagent.ADMX into the main PolicyDefinitions folder and wagent.ADML into the en-US folder located here - \\<domain controller>\sysvol\<domain name>\Policies\PolicyDefinitions. You may need to set up the Group Policy Central Store if this folder does not exist.
- Create the per-policy configuration. This needs to be completed for each filtering policy you wish to define:
- Open Group Policy Management Console
- Create a new Group Policy Object and give it a name such as 'SchoolProtect Staff' or another name relevant to the target OU/SchoolProtect policy
- Edit the GPO and open User Configuration > Administrative Templates > LGfL > SchoolProtect Netsweeper Workstation Agent Config
- Press Enable and enter the config provided in Step 6 of the SchoolProtect steps to target the relevant group. The config will start with '-S -w https://wsx'.
Testing
Once these steps are completed, force a GPUpdate and reboot to trigger the MSI install:
- Sign into a PC and ensure Workstation Agent is installed:
- This can be done by looking for ‘Wagent’ in Task Manager or hovering over the icon bar on bottom right.
- Visit http://wsblock.co.uk and check the username listed is the currently logged in user and the policy group name matches the item you targeted in the GPO.
Troubleshooting
If you have performed the steps above but wsblock is not showing the username and you are still on an IP policy, please check the following:
- Ensure Workstation Agent is installed:
- This can be done by looking for ‘Wagent’ in Task Manager or hovering over the icon bar on bottom right.
- Check the GPO is targeting all devices and check RSoP to see if it has attempted to run.
- If the agent is installed but hovering over the icon gives you the message 'Could not assign user to group' or 'Netsweeper Workstation Agent':
- Check the registry to see if there is an entry within HKEY_CURRENT_USER\Software\Policies\Netsweeper\Netsweeper Workstation Agent\NS_WAGENT_ARGS
- If there is no entry, check the user is targeted by that GPO
- In the rare case that the registry key is there, the agent is showing the 'could not assign' error and no authentication happens, restart the WAgent service in Task Manager. If this resolves the issue you may need to create a delayed start GPO for the agent.
- If the agent is installed but not showing on the task bar:
- Check within Administrative Tools > Services for a service called wagent. If no such service exists, the agent has not been installed.
- If the service is there, check its startup type. If this is set to manual, change it to automatic. If this resolves the issue, you may need to configure a change in Group Policy to set the service to automatic start for all devices.
- If the agent reports "Console session inactive. Not reporting user to ip address" this suggests you are connected via a remote connection rather than physically connected. You would need to remote with a console session or physically log in to the machine.
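The troubleshooting checks above, collected into one PowerShell function as an added example (not LGfL or Netsweeper code). It assumes NS_WAGENT_ARGS is a registry value under the policy key named on this page; the function name Get-WAgentFindings is hypothetical.

```powershell
# Added example. Run in the affected user's own session: HKCU is per-user.
$serviceName = 'wagent'   # service name as given on this page
$policyKey   = 'HKCU:\Software\Policies\Netsweeper\Netsweeper Workstation Agent'
$valueName   = 'NS_WAGENT_ARGS'       # assumption: a value under $policyKey
$expected    = '-S -w https://wsx*'   # prefix the page says the config starts with

function Get-WAgentFindings {
    $findings = @()

    # 1. Service installed, set to start automatically, and running?
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$serviceName'"
    if (-not $svc) {
        $findings += 'Service not found: agent not installed. Check the install GPO and RSoP.'
    } else {
        if ($svc.StartMode -ne 'Auto') { $findings += "Startup type is $($svc.StartMode), not Auto." }
        if ($svc.State -ne 'Running')  { $findings += "Service state is $($svc.State), not Running." }
    }

    # 2. Has the per-policy GPO delivered the agent arguments to this user?
    $agentArgs = $null
    if (Test-Path -Path $policyKey) {
        $agentArgs = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).$valueName
    }
    if (-not $agentArgs -and (Test-Path -Path (Join-Path $policyKey $valueName))) {
        # Fallback if NS_WAGENT_ARGS is a subkey rather than a value.
        $findings += "$valueName exists as a key; inspect its values in regedit."
    } elseif (-not $agentArgs) {
        $findings += "$valueName is missing: check this user is targeted by the policy GPO."
    } elseif ($agentArgs -notlike $expected) {
        $findings += "$valueName does not start with '-S -w https://wsx': re-check the GPO config."
    }

    # 3. Remote sessions trigger 'Console session inactive'.
    if ($env:SESSIONNAME -and $env:SESSIONNAME -ne 'Console') {
        $findings += "Session is '$env:SESSIONNAME', not Console: the agent will not report this user."
    }

    if ($findings.Count -eq 0) { $findings += 'No problems found by these checks.' }
    return $findings
}

Get-WAgentFindings
```

The function only reads state; restarting the service or changing its startup type still needs an elevated session or a GPO change as described above.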