Question on Remote Access policies

 
 
Ewan
Guest
Posts: n/a

 
      06-17-2005, 02:58 PM
hi,

I wonder if someone can show me where I'm going wrong:

In my scenario user management is delegated to a different group to RRAS
server management. Access policies created by RRAS administrators should be
authoritative. It is currently possible for user admins to select "allow
access" on the user accounts. To my understanding this means that the Remote
Access Policy "Properties" are ignored, but that the "Policy Profile" should
be respected.

What I'm trying to achieve is a situation where users have to be a member of
a specific group to get VPN access, regardless of the setting in their user
account.

I wonder what is the best / correct way to do this?

thanks in advance
ewan
 
Todd J Heron
Guest
Posts: n/a

 
      06-18-2005, 02:09 PM
"If you are managing authorization by group, set the remote access
permission on the user account to Control access through Remote Access
Policy and create remote access policies that are based on different types
of connections and group membership."

http://www.microsoft.com/technet/pro...bbad43494.mspx

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

 
Ewan
Guest
Posts: n/a

 
      06-18-2005, 02:23 PM
hi,

the solution below would work, if I was responsible for managing the user
accounts. As I obviously didn't make clear in my original post, this is not
the case; the user account management is delegated to other administrators.
These administrators are not responsible for the RRAS policies. The
administrators who are responsible for these policies need to be able to have
the final say on what conditions allow access.
For this reason I need a way of handling (in my case blocking) users that
attempt to VPN, and have "Allow Access" set in their user account, unless
they are also a member of the remote access global group.
regards
ewan

"Todd J Heron" wrote:

> "If you are managing authorization by group, set the remote access
> permission on the user account to Control access through Remote Access
> Policy and create remote access policies that are based on different types
> of connections and group membership."
>
> http://www.microsoft.com/technet/pro...bbad43494.mspx
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>

 
Todd J Heron
Guest
Posts: n/a

 
      06-18-2005, 02:40 PM
Sounds like you have a "people issue" to work out.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

 
Ewan
Guest
Posts: n/a

 
      06-18-2005, 02:49 PM
;-) no comment, but is this a technically achievable scenario, or is there
nothing that can be done to handle this situation?

"Todd J Heron" wrote:

> Sounds like you have a "people issue" to work out.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>

 
Todd J Heron
Guest
Posts: n/a

 
      06-18-2005, 02:54 PM
I know of no way to achieve what you want via Microsoft tools without
suggesting third-party. I could suggest that if you went to a third-party
dial-in solution where you have complete control over it you could turn off
authentication to AD and use the solution's built-in RADIUS options to
authenticate the users regardless of what the user's AD account said. I
doubt this is what you want to hear though.

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

 
Ewan
Guest
Posts: n/a

 
      06-18-2005, 03:06 PM
your guess is correct, but at least now I know how much weight to apply to
the "people issue" ;-)

thx
ewan

"Todd J Heron" wrote:

> I know of no way to achieve what you want via Microsoft tools without
> suggesting third-party. I could suggest that if you went to a third-party
> dial-in solution where you have complete control over it you could turn off
> authentication to AD and use the solution's built-in RADIUS options to
> authenticate the users regardless of what the user's AD account said. I
> doubt this is what you want to hear though.
>
> --
> Todd J Heron, MCSE
> Windows Server 2003/2000/NT; CCA
> ----------------------------------------------------------------------------
> This posting is provided "as is" with no warranties and confers no rights
>
>
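
Added example, not part of the thread and not posted by either participant: one way for the RRAS administrators to audit the situation described above, by listing accounts whose dial-in permission is "Allow access" but which are not members of the remote access group. The function name Find-DialinDrift, the group name VPN-Remote-Access and the sample accounts are assumptions made for illustration; the commented lines at the end show how the same function would be fed from a live domain with the RSAT ActiveDirectory module.

```powershell
# Added example, not from the thread. The group name and every sample
# account below are constructed placeholders.
function Find-DialinDrift {
    param(
        # User objects exposing DistinguishedName and msNPAllowDialin.
        [Parameter(Mandatory)] [object[]] $Users,
        # DNs of the (recursive) members of the remote access group.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $GroupMemberDns
    )
    # Case-insensitive set, because DN comparison must not depend on case.
    $members = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$GroupMemberDns, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($u in $Users) {
        # msNPAllowDialin: $true  = "Allow access"
        #                  $false = "Deny access"
        #                  unset  = "Control access through Remote Access Policy"
        if ($u.msNPAllowDialin -eq $true -and
            -not $members.Contains([string]$u.DistinguishedName)) {
            $u   # explicit allow on the account, but outside the gating group
        }
    }
}

# Constructed sample data so the function can be tried without a domain.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msNPAllowDialin = $true
        DistinguishedName = 'CN=alice,OU=Staff,DC=example,DC=test' }
    [pscustomobject]@{ SamAccountName = 'bob';   msNPAllowDialin = $true
        DistinguishedName = 'CN=bob,OU=Staff,DC=example,DC=test' }
    [pscustomobject]@{ SamAccountName = 'carol'; msNPAllowDialin = $null
        DistinguishedName = 'CN=carol,OU=Staff,DC=example,DC=test' }
    [pscustomobject]@{ SamAccountName = 'dave';  msNPAllowDialin = $false
        DistinguishedName = 'CN=dave,OU=Staff,DC=example,DC=test' }
)
# Only alice is in the (placeholder) group; note the different letter case.
$sampleMembers = @('cn=ALICE,ou=Staff,dc=example,dc=test')

Find-DialinDrift -Users $sampleUsers -GroupMemberDns $sampleMembers |
    Select-Object SamAccountName, DistinguishedName

# Against a live domain (requires the RSAT ActiveDirectory module):
# $members = Get-ADGroupMember -Identity 'VPN-Remote-Access' -Recursive |
#     Where-Object objectClass -eq 'user' | ForEach-Object distinguishedName
# $users = Get-ADUser -LDAPFilter '(msNPAllowDialin=TRUE)' -Properties msNPAllowDialin
# Find-DialinDrift -Users $users -GroupMemberDns $members
```

Run on a schedule, the output gives the policy owners a list of accounts to raise with the user administrators.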

 