RRAS Policy getting ignored

[William]

Hello all.

I have setup a policy in the RRAS console to allow members
of our "Remote Clients" Windows group to VPN into our RRAS
server. I have double-checked all of the settings in the
policy config dialog to make sure all said 'grant access',
etc. But, when I add a user to the "Remote Clients" group,
they still cannot dialin. They get a "649: User does not
have permission to dial-in" error. I realize that I could
go into the user's property box and select "Allow dial-in",
but I REALLY don't want to have to do that. I am about to
add fifty new users to the domain, and I seriously don't
want to have to go into each individual user's settings and
apply this. Also, I have a script that other admins can,
from anywhere on the domain, add users, and I'd like to
have them all ready to VPN in. I have tried restarting the
RRAS service, nothing. I've followed the instructions to
the T, and I just don't see why this isn't working.

 

[Steven Umbach]

Verify that your group is a global security group for the domain and that the
account in the group you are using to try access does indeed have it's account
configured to use remote access policy and does not have not allowed selected
for dial in permissions.

The user/computer also has to comply with the profile settings of the Remote
Access Policy once a policy is matched. Keep in mind that the first policy that
matches a user will be applied and if the default policy is ahead of your policy
the user will be denied access since the default policy has deny configured for
the policy. Therefore if you have more than one policy, their listed order is
important and you want to order them from specific to general. It might be worth
a try to use just the default policy with allow selected to see if that works
and if it does then work on fine tuning your custom policy. --- Steve