How to set a remote access policy / gpo to deny RAS VPN access to a particular OU

Tags: group-policy, permissions, remote-access, rras, vpn

On my Windows 2000 Native domain, I want to prevent service accounts from being able to connect via our MS VPN. (Via a Win2000 RAS server.)

Say my AD structure is like this:

  • MyDomain
    • MyUsers
    • MyServiceAccts

I want to have AD users in the MyServiceAccts OU, but don't want them to be able to connect to the VPN.

My Remote Access Policy is set to "Allow Access If Dial-In Permission Is Allowed", and all my user accounts have "Control access through remote access policy" set.

I can see how to restrict it by user group, but not by OU.

Any ideas?

Cheers,

Ben

Best Answer

In the VPN settings in RRAS, you can change the policy to check that users are a member of a domain security group. Then you can simply add users and groups to give access. Everyone else is denied.

OUs are organisational units. Security groups allow access to resources. They serve different purposes. Sometimes it would be nice to treat OUs and groups the same, but they aren't, and wanting to usually means that you are using them in a way that isn't as MS intended (which usually causes other problems later).

I'm not in front of an RRAS server so I can't detail the exact options, but I'll update this answer later if nobody else comes up with the steps.

Addendum: Create a security group. Make sure users have the 'Control access through Remote Access Policy' option selected on their Dial-in tab in Users and Computers. In Routing and Remote Access add a new remote access policy, and add to it the conditions NAS-Port-Type matches 'Virtual (VPN)' to apply this to VPN connections and Windows-Groups matches 'DOMAIN\Group', substituting your domain and the new group.
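The group-based approach from the answer, as an added PowerShell example that is not part of the original question or answer. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT or later), which the Windows 2000 domain in the question would not have, so it is the modern equivalent of the clicks described above. The OU names MyUsers and MyServiceAccts are the poster's; the group name VPN-Users is an assumption and must match the Windows-Groups condition you set in the RRAS policy. Note that the RRAS policy itself (NAS-Port-Type matches 'Virtual (VPN)', Windows-Groups matches 'DOMAIN\VPN-Users') still has to be created in the Routing and Remote Access console; the script only builds the group and checks that no service account can satisfy that condition.

```powershell
# Added example, not code from the original post.
# Assumes: ActiveDirectory module available; OU names MyUsers and MyServiceAccts
# as in the question; "VPN-Users" is an assumed group name that must match the
# Windows-Groups condition in the RRAS remote access policy (DOMAIN\VPN-Users).
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$usersOU  = "OU=MyUsers,$domainDN"
$svcOU    = "OU=MyServiceAccts,$domainDN"
$vpnGroup = "VPN-Users"

# 1. Create the security group the RRAS policy will match on (idempotent).
if (-not (Get-ADGroup -Filter "Name -eq '$vpnGroup'")) {
    New-ADGroup -Name $vpnGroup -GroupScope Global -GroupCategory Security `
        -Path $usersOU -Description "Members may connect to the RRAS VPN"
}

# 2. Grant access by membership: add the interactive accounts from MyUsers.
#    Service accounts live in a different OU and are simply never added, so
#    a policy that requires this group denies them. Skip existing members,
#    because Add-ADGroupMember errors on accounts that are already present.
$existing = Get-ADGroupMember -Identity $vpnGroup |
    Select-Object -ExpandProperty distinguishedName
$toAdd = Get-ADUser -Filter * -SearchBase $usersOU -SearchScope OneLevel |
    Where-Object { $existing -notcontains $_.DistinguishedName }
if ($toAdd) {
    Add-ADGroupMember -Identity $vpnGroup -Members $toAdd
}

# 3. Check the Dial-in tab setting the answer relies on. "Control access
#    through Remote Access Policy" corresponds to msNPAllowDialin being unset;
#    an explicit TRUE (Allow) or FALSE (Deny) bypasses the policy evaluation,
#    so any account with a value set is reported for review.
$overrides = Get-ADUser -Filter * -SearchBase $domainDN -Properties msNPAllowDialin |
    Where-Object { $null -ne $_.msNPAllowDialin }
foreach ($u in $overrides) {
    Write-Warning ("{0} has an explicit dial-in setting ({1}); it will not be " +
        "evaluated by the remote access policy") -f $u.SamAccountName, $u.msNPAllowDialin
}

# 4. Verify that nothing under MyServiceAccts can satisfy the Windows-Groups
#    condition, including through nested group membership.
$members = Get-ADGroupMember -Identity $vpnGroup -Recursive |
    Select-Object -ExpandProperty distinguishedName
$leaks = Get-ADUser -Filter * -SearchBase $svcOU -SearchScope Subtree |
    Where-Object { $members -contains $_.DistinguishedName }
if ($leaks) {
    Write-Error ("Service accounts would be granted VPN access: " +
        ($leaks.SamAccountName -join ', '))
} else {
    Write-Output "OK: no accounts under $svcOU are members of $vpnGroup"
}
```

Run it as a domain admin after the RRAS policy exists; step 4 is the part worth re-running periodically, since an account moved into a nested group can regain access without anyone touching the MyServiceAccts OU.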