IAS Policy

Hi,

I've created 2 rules in Remote Access Policies, one is Grant Remote Access
Permission and the other is Denied Remote Access Permission.

So far all the users is able to connect the PPTP vpn but recently I tried
to block certain user to connect so I have created a Local Group call Denied
Access and created a policy call Denied Access Policy & add the Denied Access
group to the condition list. This policy is set to Denied Remote Access
Permission(The order is set to 1).

Then I tried to add myself to this Denied Access group but I still able to
get connected. I checked the log file and it show that I'm using the Denied
Access Policy. (FYI, my account under AD is granted Allow Access in Dial In
tab).

May I know why the policy is not restricted me to connect the vpn(RAS)?

Thanks.

I've found out the problem for the policy: the AD dial-in properties of the
user or computer account overrides the remote access policy.

Btw, is there anyway to deny the user remote access other than change the
permission to Denied Access in AD?

Thanks.


"ultraman" wrote:

> Hi,
>
> I've created 2 rules in Remote Access Policies, one is Grant Remote Access
> Permission and the other is Denied Remote Access Permission.
>
> So far all the users is able to connect the PPTP vpn but recently I tried
> to block certain user to connect so I have created a Local Group call Denied
> Access and created a policy call Denied Access Policy & add the Denied Access
> group to the condition list. This policy is set to Denied Remote Access
> Permission(The order is set to 1).
>
> Then I tried to add myself to this Denied Access group but I still able to
> get connected. I checked the log file and it show that I'm using the Denied
> Access Policy. (FYI, my account under AD is granted Allow Access in Dial In
> tab).
>
> May I know why the policy is not restricted me to connect the vpn(RAS)?
>
> Thanks.

The usual method is to make membership of a particular group a condition
for access in the policy. Users who are not in that group will be denied
access.

ultraman wrote:
> I've found out the problem for the policy: the AD dial-in properties
> of the user or computer account overrides the remote access policy.
>
> Btw, is there anyway to deny the user remote access other than change
> the permission to Denied Access in AD?
>
> Thanks.
>
>
> "ultraman" wrote:
>
>> Hi,
>>
>> I've created 2 rules in Remote Access Policies, one is Grant
>> Remote Access Permission and the other is Denied Remote Access
>> Permission.
>>
>> So far all the users is able to connect the PPTP vpn but recently
>> I tried to block certain user to connect so I have created a Local
>> Group call Denied Access and created a policy call Denied Access
>> Policy & add the Denied Access group to the condition list. This
>> policy is set to Denied Remote Access Permission(The order is set to
>> 1).
>>
>> Then I tried to add myself to this Denied Access group but I still
>> able to get connected. I checked the log file and it show that I'm
>> using the Denied Access Policy. (FYI, my account under AD is granted
>> Allow Access in Dial In tab).
>>
>> May I know why the policy is not restricted me to connect the
>> vpn(RAS)?
>>
>> Thanks.