Solved

How to enable dial-in access for multiple users in Active Directory

Posted on 2006-11-19
Last Modified: 2008-01-09
OK, I have a server running Server 2003, and I have just finished configuring it for users to dial in and authenticate.  My problem is that I have a lot of users already added to Active Directory, and instead of having to go one by one into their properties, click the Dial-in tab and tell it to allow access, I would like to know if it is possible to allow access to all the users at once, maybe via a command line or something.

Can anyone out there help me?  Thanks
Question by:stangrrrr2
9 Comments
 
Expert Comment

by:Rob Williams
ID: 17976253
You should be able to allow all users access by changing the RRAS policy. To do so, open the RRAS (Routing and Remote Management Service) management console, expand your server name, click on Remote Access Policies, in the right-hand window right-click on "connections to Microsoft Routing and Remote Access Server" and choose Properties, and at the bottom of the 'page' select "Grant Remote Access Permission". Leaving it at the default "deny..." requires individually changing each account.
However, the default on a user profile is "control access through Remote Access Policy". If this has been changed to "deny access", I think it will override the policy change.
 

Author Comment

by:stangrrrr2
ID: 17976571
Is that still applicable if we're using IAS?  The control access through Remote Access Policy selection is greyed out because I have not configured Routing and Remote Access under that snap-in for fear of it making changes to what I have done so far.  I'm still wet behind the ears with Server 03 and I'm real happy to have it working correctly so far.

I have been trying to make the changes by using admodify.net, but after I make the change to allow on the Dial-in tab and click Go, the changes don't stick.  There are no errors in the .xml log file it creates and it seems like it thinks it has worked correctly, but to get back on track, can I use the method listed above without messing up the configuration in IAS?
 

Author Comment

by:stangrrrr2
ID: 17976624
The policy you mentioned reminded me that I had seen it under the IAS snap-in and I can edit the same policy there (same by name at least, I don't know if it changes the same option or options), but it does not change the settings on the accounts already in Active Directory.  I prefer to enable and disable access through the Dial-in tab as I think that will make it the easiest on me when I have to disable access for the accounts that get delinquent on a month-by-month basis.

I am really wanting to be able to make it as quick and easy as possible, as I have one more server that I will be setting up for dial-up access with about 2000 users on it, and once each month I have to disable accounts that do not pay, and if there is any way I could make it quick and/or automated, that's what I'm after.  This server only has about 700 users and I am using this one as "practice" so I can set up the other server as quickly as possible.
Expert Comment

by:Rob Williams
ID: 17976666
Hi stangrrrr2. You are right, you should get the same results using the same policy in IAS. Basically, setting up IAS allows RRAS to "pass the buck" to it.
I'm sure some scripting fellow could create a way for you to efficiently make the "allow access" change, but I haven't seen any utilities to do so. Also there is no group policy allowing you to control that. You can create a user template which you could use for future users you add, but it doesn't help you now. The only suggestion I could make is if most of your users are allowed access, enable the policy, and then manually select those you want to deny access.
 
Accepted Solution

by:
Rob Williams earned 500 total points
ID: 17976711
Seems it can be scripted, but I can't seem to find a clean, simple version suitable for your purpose. If you would like to have a look, about 3/5 of the way down the page at this link there is information pertaining to doing so, with a couple of scripts. The first one is actually from a Microsoft site and is quoted on a dozen different sites:
http://eggheadcafe.com/ng/microsoft.public.windows.server.general/post353724.asp

This may be of some help too. From MS site ( http://www.microsoft.com/technet/itsolutions/network/ias/iasfaq.mspx#EOBAC )
"IAS in Windows Server 2003 allows you to ignore the dial-in properties of user and computer accounts during connection attempt processing. To enable this feature, set the Ignore-User-Dialin-Properties RADIUS attribute to True. For more information, see" http://technet2.microsoft.com/WindowsServer/en/library/2a041150-42f9-4a60-ab18-6de8ab231ee71033.mspx?mfr=true
0
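The per-account change discussed in this thread, as an added PowerShell example that is not from the thread or from the scripts it links to: it sets the Dial-in tab's permission from a list of accounts, with a dry run and a change log. It assumes a native-mode domain where that setting is held in the `msNPAllowDialin` user attribute; the function name `Set-DialinAccess`, the log path and the sample account names are hypothetical.

```powershell
# Added example: bulk-set the Dial-in tab's remote access permission from a billing list.
# Assumptions (not from the thread): native-mode domain, setting stored in msNPAllowDialin,
# PowerShell 3.0+ on a domain-joined machine, run by an account allowed to edit these users.
function Set-DialinAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [object[]] $Accounts,   # rows: SamAccountName, Access
        [string] $LogPath = '.\dialin-changes.csv'              # hypothetical audit log
    )
    $root = [ADSI]''   # binds to the root of the current domain
    foreach ($row in $Accounts) {
        # Allow-list the name so nothing in the input can alter the LDAP filter below.
        if ($row.SamAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
            Write-Warning "Skipping unexpected account name: $($row.SamAccountName)"; continue
        }
        if (@('Allow', 'Deny', 'Policy') -notcontains $row.Access) {
            Write-Warning "Skipping $($row.SamAccountName): unknown access '$($row.Access)'"; continue
        }
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($row.SamAccountName)))"
        $hit = $searcher.FindOne()
        if (-not $hit) { Write-Warning "Not found: $($row.SamAccountName)"; continue }
        $user = $hit.GetDirectoryEntry()
        $old = $user.Properties['msNPAllowDialin'].Value   # $null = control through policy
        if ($PSCmdlet.ShouldProcess($row.SamAccountName, "Set dial-in access to $($row.Access)")) {
            switch ($row.Access) {
                'Allow'  { $user.Properties['msNPAllowDialin'].Value = $true }
                'Deny'   { $user.Properties['msNPAllowDialin'].Value = $false }
                'Policy' { $user.Properties['msNPAllowDialin'].Clear() }
            }
            $user.CommitChanges()
            # Record who was changed, from what, to what, so monthly runs can be reviewed.
            [pscustomobject]@{
                When    = (Get-Date).ToString('s')
                Account = $row.SamAccountName
                Old     = $(if ($null -eq $old) { 'Policy' } elseif ($old) { 'Allow' } else { 'Deny' })
                New     = $row.Access
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# Constructed sample input; in practice this would be the monthly billing export.
$billing = @"
SamAccountName,Access
jdoe,Allow
asmith,Deny
"@ | ConvertFrom-Csv
Set-DialinAccess -Accounts $billing -WhatIf   # dry run; remove -WhatIf to apply
```

If the IAS policy sets Ignore-User-Dialin-Properties to True, as described in the answer above, IAS ignores this per-account setting and the policy alone decides access.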
 

Author Comment

by:stangrrrr2
ID: 17979951
bleh, i give up.  evidently there's some sort of bug with allowing access on the dial in tab through all these scripting methods.  i guess i'll have to do it manually.  i never really understood why some people were so anti-windows but after migrating 3 servers from nt to 03 i can now understand where they're coming from

thanks for your help
 
Expert Comment

by:Rob Williams
ID: 17982346
Very welcome stangrrrr2, sorry we couldn't come up with a better solution.

>>"migrating 3 servers from nt to 03 "
Big jump, which usually requires a fair amount of manual "tweaking". Been there, done that, and it's not fun....unless time is not a factor.

>>"i never really understood why some people were so anti-windows "
I agree there are lots of problems or issues, but have you found something better that is as versatile, the customer is happy with, and support is available?  :-)  I'm still searching.

Thanks stangrrrr2, good luck with it.
--Rob
 

Author Comment

by:stangrrrr2
ID: 17982409
"I agree there are lots of problems or issues, but have you found something better that is as versatile, the customer is happy with, and support is available?  :-)  I'm still searching."

Oh I'm not knocking it by any means, it beats trying to figure out the 101 flavors of Linux by a long shot.

It's not all bad I guess, I did learn some stuff I didn't know by reading what you shared with me so thanks for that, and have a good turkey day and all that stuff   :)
 
Expert Comment

by:Rob Williams
ID: 17982500
I'm in Canada, we already had our Turkey day, but thanks and enjoy yours!
--Rob


Question has a verified solution.
