Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3369
  • Last Modified:

how to enable dial in access for multiple users in active directory

Ok I have a server running Server 2003, I have just finished configuring it for users to dial in and authenticate.  My problem is that I have a lot of users already added to active directory, and instead of having to go one by one into their properties and click the dial in tab and tell it allow access, I would like to know if it is possible to allow access to all the users at once, maybe via a command line or something.

Can anyone out there help me?  Thanks
0
stangrrrr2
Asked:
stangrrrr2
  • 5
  • 4
1 Solution
 
Rob WilliamsCommented:
You should be able to allow all users access by changing the RRAS policy. To do so  open the RRAS (Routing and Remote Management Service) management console, expand your server name, click on Remote Access Policies, in the right hand window right click on "connections to Microsoft Routing and Remote Access Server" and choose properties, at the bottom of the 'page' select "Grant Remote Access Permission". Leaving at the default "deny..." requires individually changing each account"
However, the default on a user profile is "control access through Remote Access Policy". If this has been changed to "deny access", I think it will override the policy change.
0
 
stangrrrr2Author Commented:
Is that still applicable if we're using IAS?  The control access through Remote Access Policy selection is greyed out because I have not configured Routing and Remote Access under that snap-in for fear of it making changes to what I have done so far.  I'm still wet behind the ears with Server 03 and I'm real happy to have it working correctly so far.

I have been trying to make the changes by using admodify.net but after I make the change to allow on the dial in tab and click go, the changes dont stick.  There are no errors in the .xml log file it creates and it seems like it thinks it has worked correctly, but to get back on track can I use the method listed above without messing up the configuration in IAS?
0
 
stangrrrr2Author Commented:
The policy you mentioned reminded me that I had saw it under the IAS snap-in and I can edit the same policy there (same by name at least, i dont know if it changes the same option or options), but it does not change the settings on the accounts already in active directory.  I prefer to enable and disable access through the dial in tab as I think that will make it the easiest on me when I have to disable access for the accounts that get delinquent on a month by month basis.

I am really wanting to be able to make it as quick and easy as possible as I have one more server that I will be setting up for dial up access with about 2000 users on it and once each month I have to disable accounts that do not pay and if there is any way i could make it quick and/or automated, thats what i'm after.  This server only has about 700 users and I am using this one as "practice" so I can set up the other server as quickly as possible.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Rob WilliamsCommented:
Hi stangrrrr2. You are right you should get the same results using the same policy in IAS. Basically setting up IAS allows RRAS to "pass the buck" to it.
I'm sure some scripting fellow could create a way for you to efficiently make the "allow access" change, but I haven't seen any utilities to do so. Also there is no group policy allowing you to control that. You can create a user template which you could use for future users you add, but it doesn't help you now. The only suggestion I could make is if most of your users are allowed access, enable the policy, and then manually select those you want to deny access.
0
 
Rob WilliamsCommented:
Seems it can be scripted but I can't seem to find a clean simple version suitable for your purpose. If you would like to have a look 3/5th of the way down the page on this link has information pertaining to doing so with a couple of scripts. The first one is actually from a Microsoft site and is quoted on a dozen different sites:
http://eggheadcafe.com/ng/microsoft.public.windows.server.general/post353724.asp

This may be of some help too. From MS site ( http://www.microsoft.com/technet/itsolutions/network/ias/iasfaq.mspx#EOBAC )
"IAS in Windows Server 2003 allows you to ignore the dial-in properties of user and computer accounts during connection attempt processing. To enable this feature, set the Ignore-User-Dialin-Properties RADIUS attribute to True. For more information, see"; http://technet2.microsoft.com/WindowsServer/en/library/2a041150-42f9-4a60-ab18-6de8ab231ee71033.mspx?mfr=true
0
 
stangrrrr2Author Commented:
bleh, i give up.  evidently there's some sort of bug with allowing access on the dial in tab through all these scripting methods.  i guess i'll have to do it manually.  i never really understood why some people were so anti-windows but after migrating 3 servers from nt to 03 i can now understand where they're coming from

thanks for your help
0
 
Rob WilliamsCommented:
Very welcome stangrrrr2, sorry we couldn't come up with a better solution.

>>"migrating 3 servers from nt to 03 "
Big jump, which usually requires a fair amount of manual "tweaking". Been there, done that, and it's not fun....unless time is not a factor.

>>"i never really understood why some people were so anti-windows "
I agree there are lots problems or issues, but have you found something better that is as versatile, the customer is happy with, and support is available.  :-)  I'm still searching.

Thanks stangrrrr2, good luck with it.
--Rob
0
 
stangrrrr2Author Commented:
"I agree there are lots problems or issues, but have you found something better that is as versatile, the customer is happy with, and support is available.  :-)  I'm still searching."

Oh I'm not knocking it by any means, it beats trying to figure out the 101 flavors of linux by a long shot.

It's not all bad I guess, I did learn some stuff I didn't know by reading what you shared with me so thanks for that, and have a good turkey day and all that stuff   :)
0
 
Rob WilliamsCommented:
I'm in Canada, we already had our Turkey day, but thanks and enjoy yours !
--Rob
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now