We have a domain that allows remote access and VPN connections from the outside. Workstations on our domain are not allowed to create or use a VPN. Outside computers have no problem creating a VPN. We now have a laptop that has joined the domain and must travel and be able to remote in through a VPN. The laptop will only allow the laptop's local or domain admin account to create or use the VPN. All other user accounts on the laptop are not allowed to use the connection or create one, even if added to the local machine's Administrators group. The domain user of the laptop has already been added to the "Network Configuration Operators" group as well, but it has had no effect. A policy on the domain must be preventing this, but I can't be sure which one, and I need to avoid opening a gaping hole in our security. Can anybody help with this?
Not sure I fully understand the question. When the VPN connection is created on the workstation/laptop, you are given the option to allow anyone or just the creator to use the VPN.
As far as the domain is concerned, access is controlled by user rather than by device. You can control access by using the "Allow access" or "Deny access" option on the Dial-in tab of the user's profile. If you would like more centralized control, you can create a group of allowed users and control it with a policy in the RRAS console.
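The two places the answer above points at, the connection's own scope on the laptop and the user's Dial-in setting in the domain, can be inspected from the laptop itself. The script below is an added example, not code posted in this thread: it lists the entries in the all-users and per-user RAS phonebooks, shows the NTFS ACL on each phonebook file (a non-administrator needs at least Read on the all-users file to launch a shared connection), reads the user's Dial-in value and group memberships straight from Active Directory via ADSI, and finishes with gpresult so you can see which GPOs actually applied. It assumes a domain-joined machine with Windows PowerShell; the connection name and the user name are placeholders.

```powershell
# Added example: inspect VPN connection scope, phonebook ACLs and the user's
# AD dial-in setting from a domain-joined Windows machine.
# Assumptions: Windows PowerShell 3+ on Windows 7/8/10; run as the affected
# user for step 1, as any domain user for step 2. Names below are placeholders.
param(
    [string]$SamAccountName = $env:USERNAME   # user whose dial-in setting to check
)

# 1. Phonebooks. A connection created "for anyone who uses this computer" is
#    stored in the all-users phonebook; "only for me" goes to the per-user one.
$phonebooks = [ordered]@{
    'All users' = Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
    'This user' = Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'
}

function Get-PbkEntries {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    # rasphone.pbk is INI-style; each [Section] header is one connection name.
    Select-String -LiteralPath $Path -Pattern '^\[(.+)\]\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }
}

foreach ($scope in $phonebooks.Keys) {
    $path    = $phonebooks[$scope]
    $entries = @(Get-PbkEntries -Path $path)
    Write-Host "[$scope] $path"
    if ($entries.Count -eq 0) { Write-Host '  (no phonebook or no entries)'; continue }
    $entries | ForEach-Object { Write-Host "  entry: $_" }
    # Who can read the file. If only Administrators/SYSTEM appear here, every
    # non-admin logon gets "access denied" when launching the connection.
    (Get-Acl -LiteralPath $path).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType |
        Format-Table -AutoSize | Out-String | Write-Host
}

# Newer systems also expose the all-users connections through the VpnClient
# module; skip silently where the cmdlet does not exist.
if (Get-Command Get-VpnConnection -ErrorAction SilentlyContinue) {
    Write-Host 'All-user connections reported by Get-VpnConnection:'
    Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
        Select-Object Name, ServerAddress, TunnelType | Format-Table -AutoSize | Out-String | Write-Host
}

# 2. Dial-in tab value for the user, read from AD with ADSI (no RSAT needed).
#    Attribute msNPAllowDialin: True = Allow access, False = Deny access,
#    attribute absent = "Control access through remote access policy".
$searcher = [ADSISearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$searcher.PropertiesToLoad.AddRange([string[]]@('msNPAllowDialin', 'memberOf'))
$result = $searcher.FindOne()
if ($null -eq $result) { Write-Host "User $SamAccountName not found in AD"; return }

$dialin = $result.Properties['msnpallowdialin']
$state  = if ($dialin.Count -eq 0)   { 'Control access through remote access policy' }
          elseif ([bool]$dialin[0])  { 'Allow access' }
          else                       { 'Deny access' }
Write-Host "Dial-in setting for ${SamAccountName}: $state"
Write-Host 'Group memberships (RRAS/NPS policies match on these):'
$result.Properties['memberof'] | ForEach-Object { Write-Host "  $_" }

# 3. Which GPOs actually applied to this machine and to the logged-on user.
gpresult /r /scope:computer
gpresult /r /scope:user
```

Run it once as the administrator account that can launch the connection and once as the blocked domain user; if the phonebook entry is only visible, or only readable, in the first run, the problem is the connection's scope or the ACL on the all-users phonebook rather than the domain's dial-in setting, which the second section shows independently of the local machine.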
The only accounts allowed to create the VPN connection on the laptop (or any other workstation on the domain) are the domain admin accounts or the local machine administrator account. The connection is given the setting "allow anybody who uses this computer to connect". When any account logs in (local or domain) that is not an administrator, launching the connection is blocked and an "access denied" message appears with a note that it generally means you are logged in as a guest (which is not the case).
Currently, remote access into our network is controlled by the setting "Control access through remote access policy" on the user's Dial-in tab. We have policies in place for group membership, etc., in RRAS. I toggled a user setting on the Dial-in tab to "Allow" instead of "through remote access policy" and the same blocking occurs. The error message states you don't have "permission" to use this connection, but I still believe it's actually a domain policy pertaining to "rights". As I stated earlier, a machine at home (not joined to the domain) can create and use a VPN connection to our network if the proper login is used. This is why I think it is actually a default domain policy passed down to the machine when it joins the domain. Adding the user to the Administrators group of the local machine fails to allow the use of the connection, but a login with the Administrator account of the local machine allows it. That eliminates "permissions" and points to "rights" in my mind.
>>"The only accounts allowed to create the VPN connection on the laptop" One of the disadvantages of the Windows VPN is that anybody on an unknown computer can create the VPN connection. The only thing blocking them from access is an acceptable user name and password. If they know that, they can get in, unless you can assign restrictions such as the IP address from which they connect.
For additional security you are better off using an IPSec VPN solution that requires passphrases or, better still, certificates in order to connect. Also, with most of them you can control installation of the VPN client.