Your network contains an Active Directory domain named contoso.com. The domain contains a server named Server1 that runs Windows Server 2012 R2.
You enable and configure Routing and Remote Access (RRAS) on Server1.
You create a user account named User1.
You need to ensure that User1 can establish VPN connections to Server1.
What should you do?
A. Modify the members of the Remote Management Users group.
B. Add a RADIUS client.
C. Modify the Dial-in setting of User1.
D. Create a connection request policy.
Explanation:
Access permission is also granted or denied based on the dial-in properties of each user account.
http://technet.microsoft.com/en-us/library/cc772123.aspx
C.
https://technet.microsoft.com/en-us/library/cc738142(v=ws.10).aspx
I verified in lab that this (C) works.
But there’s one thing I don’t get, as MS states:
“If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.”
https://technet.microsoft.com/de-de/library/Cc732724%28v=WS.10%29.aspx
When setting up RRAS you get a default NPS network policy that denies access via RRAS servers. I don’t get why this does not override the dial-in properties according to that TechNet article… The strange thing is that the policy is applied in any way according to log file, if access is granted or denied (when switching dial-in properties back to control through NPS policy) the policy just applies.
I did similar NPS testing yesterday and Deny policies were overriding dial-in properties, but apparently this is not the case for that default deny policy, which makes me kinda mad.
Any ideas?
The setting to Allow “Dial-In” is in the ADUC user object properties. It is somewhat comparable to GPOs and how more granular options will overwrite less-granular options. My Sybex book for 70-411 did state this, but I don’t have a link for you to reference. Dig into it a bit, but I’m pretty sure this is the case.