Windows PPTP VPN restrictive access per user

Situation: Client needing a PPTP VPN solution that will allow for different groups of users to access different subnets. Ex: Group1 can only access, group2 can only access, etc. Using a VPN Client (cisco vpn client) on end users computers is not an option because they may have other VPN clients on their computers as they work for multiple organizations. SSL VPN would be great, but too pricey since there are hundreds of remote users.
     I've looked at a Windows VPN server since we're wanting the end users to use built-in VPN capabilities within the OS. Is there a way to assign different users access to different subnets? Or even assign different users different DHCP scopes? If I can get group1 to use DHCP scope1 and group2 to use DHCP scope2, then I can control subnet access on the backend via access-lists.

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I have never tried it, but there is an option in Active Directory to assign a Static IP under the Remote Access Permissions. This article has details under "Assign a Static IP Address " I'm not sure using a Windows server is going to give you the control you are looking for easily.

The other option is to user a Firewall that allows you to control access by user group. For example I have locations with a WatchGuard XTM firewall. The firewall has user groups that all allow for PPTP VPN to the firewall. The firewall also has LAN access rules based on those user groups. So all groups are allowed to authenticate to the firewall, but then the network access is granted by group to the various subnets. The licensing for PPTP users is much less than SSL. Check out WatchGuard XTM units or a similar firewall that can control network access by group.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rob WilliamsCommented:
RRAS can filter based on the IP from which a user is connecting but it is "not pretty" and time consuming, assuming you knew all the connecting IP's.  These restrictions are usually controlled using NTFS permissions, or limiting to which servers a user can connect under the "log on to" tab in the user's profile.  This specifies to which computers and/or servers a user can access.  Similar restrictions can be applied using group policy.  Alternatively as suggested you can use a VPN appliance with more control.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Legacy OS

From novice to tech pro — start learning today.