Solved

how to enable dial in access for multiple users in active directory

Posted on 2006-11-19
9
2,874 Views
Last Modified: 2008-01-09
Ok I have a server running Server 2003, I have just finished configuring it for users to dial in and authenticate.  My problem is that I have a lot of users already added to active directory, and instead of having to go one by one into their properties and click the dial in tab and tell it allow access, I would like to know if it is possible to allow access to all the users at once, maybe via a command line or something.

Can anyone out there help me?  Thanks
0
Comment
Question by:stangrrrr2
  • 5
  • 4
9 Comments
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
You should be able to allow all users access by changing the RRAS policy. To do so  open the RRAS (Routing and Remote Management Service) management console, expand your server name, click on Remote Access Policies, in the right hand window right click on "connections to Microsoft Routing and Remote Access Server" and choose properties, at the bottom of the 'page' select "Grant Remote Access Permission". Leaving at the default "deny..." requires individually changing each account"
However, the default on a user profile is "control access through Remote Access Policy". If this has been changed to "deny access", I think it will override the policy change.
0
 

Author Comment

by:stangrrrr2
Comment Utility
Is that still applicable if we're using IAS?  The control access through Remote Access Policy selection is greyed out because I have not configured Routing and Remote Access under that snap-in for fear of it making changes to what I have done so far.  I'm still wet behind the ears with Server 03 and I'm real happy to have it working correctly so far.

I have been trying to make the changes by using admodify.net but after I make the change to allow on the dial in tab and click go, the changes dont stick.  There are no errors in the .xml log file it creates and it seems like it thinks it has worked correctly, but to get back on track can I use the method listed above without messing up the configuration in IAS?
0
 

Author Comment

by:stangrrrr2
Comment Utility
The policy you mentioned reminded me that I had saw it under the IAS snap-in and I can edit the same policy there (same by name at least, i dont know if it changes the same option or options), but it does not change the settings on the accounts already in active directory.  I prefer to enable and disable access through the dial in tab as I think that will make it the easiest on me when I have to disable access for the accounts that get delinquent on a month by month basis.

I am really wanting to be able to make it as quick and easy as possible as I have one more server that I will be setting up for dial up access with about 2000 users on it and once each month I have to disable accounts that do not pay and if there is any way i could make it quick and/or automated, thats what i'm after.  This server only has about 700 users and I am using this one as "practice" so I can set up the other server as quickly as possible.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Hi stangrrrr2. You are right you should get the same results using the same policy in IAS. Basically setting up IAS allows RRAS to "pass the buck" to it.
I'm sure some scripting fellow could create a way for you to efficiently make the "allow access" change, but I haven't seen any utilities to do so. Also there is no group policy allowing you to control that. You can create a user template which you could use for future users you add, but it doesn't help you now. The only suggestion I could make is if most of your users are allowed access, enable the policy, and then manually select those you want to deny access.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
Comment Utility
Seems it can be scripted but I can't seem to find a clean simple version suitable for your purpose. If you would like to have a look 3/5th of the way down the page on this link has information pertaining to doing so with a couple of scripts. The first one is actually from a Microsoft site and is quoted on a dozen different sites:
http://eggheadcafe.com/ng/microsoft.public.windows.server.general/post353724.asp

This may be of some help too. From MS site ( http://www.microsoft.com/technet/itsolutions/network/ias/iasfaq.mspx#EOBAC )
"IAS in Windows Server 2003 allows you to ignore the dial-in properties of user and computer accounts during connection attempt processing. To enable this feature, set the Ignore-User-Dialin-Properties RADIUS attribute to True. For more information, see"; http://technet2.microsoft.com/WindowsServer/en/library/2a041150-42f9-4a60-ab18-6de8ab231ee71033.mspx?mfr=true
0
 

Author Comment

by:stangrrrr2
Comment Utility
bleh, i give up.  evidently there's some sort of bug with allowing access on the dial in tab through all these scripting methods.  i guess i'll have to do it manually.  i never really understood why some people were so anti-windows but after migrating 3 servers from nt to 03 i can now understand where they're coming from

thanks for your help
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Very welcome stangrrrr2, sorry we couldn't come up with a better solution.

>>"migrating 3 servers from nt to 03 "
Big jump, which usually requires a fair amount of manual "tweaking". Been there, done that, and it's not fun....unless time is not a factor.

>>"i never really understood why some people were so anti-windows "
I agree there are lots problems or issues, but have you found something better that is as versatile, the customer is happy with, and support is available.  :-)  I'm still searching.

Thanks stangrrrr2, good luck with it.
--Rob
0
 

Author Comment

by:stangrrrr2
Comment Utility
"I agree there are lots problems or issues, but have you found something better that is as versatile, the customer is happy with, and support is available.  :-)  I'm still searching."

Oh I'm not knocking it by any means, it beats trying to figure out the 101 flavors of linux by a long shot.

It's not all bad I guess, I did learn some stuff I didn't know by reading what you shared with me so thanks for that, and have a good turkey day and all that stuff   :)
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I'm in Canada, we already had our Turkey day, but thanks and enjoy yours !
--Rob
0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

The HP utility "HP Lights-Out Online Configuration Utility for Windows Server 2003/2008" could be of great use when it comes to remotely configure a HP servers ILO WITHOUT rebooting the server. We would only need to create and run scripts using thiā€¦
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This video discusses moving either the default database or any database to a new volume.
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now