In Windows 2000, you can choose from among three models for administering remote access permissions and connection settings:
An essential part of planning for remote access is determining which models you can use and deciding on an appropriate one. There is enough variation among the models that attempting to mix them is a recipe for confusion. No matter which model you choose, plan on thoroughly testing your chosen access policies to make sure that you're getting the results you intend.
In the access-by-user administrative model, remote access permissions are determined by the remote access permissions on the Dial-In tab of the Properties window for the user account. To enable or disable remote access permission for individual users, set Remote Access Permission to either Allow Access or Deny Access, as in Windows NT Server. This administrative model is by far the simplest, and it works very well when the number of remote users is small and the access uncomplicated.
If remote access permission for the user account is set to either Allow Access or Deny Access, the remote access permission setting on the remote access policy is effectively overridden. Access by user can be administered with multiple policies, but doing so can be complicated because a connection attempt might be rejected even when the remote access permission on the user account is set to Allow Access. If a connection attempt matches the conditions of a policy but does not match the profile settings or does not match any of the remote access policies, the connection attempt is rejected, as shown in Figure 31-6. In the access-by-user administrative model, you can control access in three ways:
The access-by-user administrative model can be used on a stand-alone remote access server, a remote access server on a Windows 2000 native-mode domain, a remote access server on a Windows 2000 mixed-mode domain, or a remote access server on a Windows NT 4 domain.
The access-by-user model resembles the administrative model of Windows NT 4. Individual user accounts are set to Allow Access or Deny Access. The default policy in Routing and Remote Access, Allow Access If Dial-In Permission Is Enabled, is in place with the following settings:
But wait! If Deny Remote Access Permission is selected, isn't remote access permission denied? No; it means basically nothing in this scenario. Access is determined solely by the settings in the Properties window for the individual user account. Figure 31-6 shows the progression of a connection under the access-by-user administrative model.
Figure 31-6. Progression of a connection attempt when administering access by user.
In the access-by-policy administrative model for a Windows 2000 mixed-mode domain, the remote access permission on every user account is set to Allow Access, the default remote access policy is deleted or demoted, and separate remote access policies are created to define the types of connections that are allowed. On a remote access server running Windows 2000 that is a member of a Windows 2000 mixed-mode domain, the Control Access Through Remote Access Policy option is not available for remote access permission on the user account. If a connection attempt corresponds to the conditions of a policy (subject to the profile and user account dial-in settings), the connection is accepted.
TIP
The access-by-policy administrative model also applies to a remote access server running Windows 2000 that is a member of a Windows NT 4 domain.
In the access-by-policy administrative model for a Windows 2000 mixed-mode domain, you can control access in three ways:
If you do not delete the default remote access policy, Allow Access If Dial-In Permission Is Enabled, all users can obtain a remote access connection.
TIP
The access-by-policy administrative model for mixed-mode domains can be used with Windows NT servers running Routing and Remote Access if the Windows NT servers are configured as RADIUS clients to a Windows 2000 Internet Authentication Service (IAS) server. A Windows NT server running RAS cannot use access by policy. You must upgrade the server to Windows NT RRAS (or to Windows 2000) to employ the remote access policy authorization.
To allow connections for users by group membership, all user accounts must have Remote Access Permission on the Dial-In tab set to Allow Access. To set up the access by groups, the administrator makes the following settings:
In this case, the Grant Remote Access Permission option means what it says. Figure 31-7 shows the progression of a connection attempt when a remote user dials in and access is controlled by group membership.
Figure 31-7. Progression of a connection attempt when administering access by group membership.
Perhaps it would be easier in your situation to specify who isn't allowed access than to specify who is. For example, employees in production might have user accounts on the network but have no need for dial-in access. In this case, you will need to make the following settings:
Figure 31-8. Configuring the dial-in constraints to deny access to a group.
Figure 31-9 shows the logic of the connection attempt when access is denied by group membership.
Figure 31-9. Progression of a connection attempt when the policy is to deny access by group membership.
In a Windows 2000 native-mode domain, you can use the access-by-policy administrative model, which has the following settings:
These settings mean that the Remote Access Permission setting on the remote access policy determines whether remote access permission is allowed or denied. Figure 31-10 shows the progression of a connection attempt in a native-mode domain.
Figure 31-10. Progression of a connection attempt when administering access by policy in a native-mode domain.
In the access-by-policy administrative model for a Windows 2000 native-mode domain, you can control access in three ways:
NOTE
If you use the access-by-policy administrative model for a native-mode domain, don't add remote access policies, and don't change the default remote access policy (Allow Access If Dial-In Permission Is Enabled), then no users are allowed remote access. By default, the remote access permission on the default remote access policy is set to Deny Remote Access Permission. If you change the setting to Grant Remote Access Permission, all users are allowed remote access.
The access-by-policy administrative model for a Windows 2000 native-mode domain also applies to stand-alone remote access servers that are not members of a domain. You can't use the access-by-policy administrative model for a Windows 2000 native-mode domain if you have Windows NT 4 RAS or RRAS or IAS servers because a native-mode domain by definition has no Windows NT servers.
TIP
If you use the access-by-policy administrative model for a Windows 2000 native-mode domain and you do not use groups to specify which users get access, verify that the Guest account is disabled and that its remote access permission is set to Deny Access.
In a native-mode domain, setting access by policy requires that all user accounts have the Control Access Through Remote Access Policy option selected on the Dial-In tab of the user account's Properties window. To allow access by specified groups, the administrator must do the following:
Figure 31-11 shows the progression of a connection attempt with this policy setting.
Figure 31-11. Progression of a connection attempt when the policy is to allow access by group membership in a native-mode domain.
In a native-mode domain, you can easily reverse the criteria just described and deny access based on group membership. This policy also requires that all user accounts have the Control Access Through Remote Access Policy option selected on the Dial-In tab of the user account's Properties window. As in the mixed-mode domain, two policies are needed, one to reject members of a specified group and another to allow a connection made by anyone else. Follow this procedure to deny access based on group membership:
Figure 31-12 shows the logical progression when a connection attempt is made with these settings in effect.
Figure 31-12. Progression of a connection attempt when access is controlled by groups in a native-mode domain.
REAL WORLD Windows NT 4 Remote Access in a Windows 2000 Domain
In a Windows 2000 domain, a server running Windows NT 4 and either RAS or RRAS can't authenticate the credentials of domain accounts unless it (the Windows NT server) is also a domain controller. A Windows NT server that is not a domain controller does not have permission to read Active Directory and therefore can validate only local accounts. This same restriction applies when you have a remote access server (running Windows NT or Windows 2000) in a Windows NT domain that needs to validate user accounts in a trusted Windows 2000 domain.
The recommended solution in the first case is to upgrade the Windows NT server to a domain controller or to Windows 2000. In the second situation, the best answer is to upgrade the Windows NT domain to Windows 2000.
However, you can loosen the normal Active Directory security so that the remote access server can read the user account properties. Open a command prompt window on a domain controller and type net localgroup "pre–Windows 2000 Compatible Access" everyone /add. This will add the special identity Everyone to the pre–Windows 2000 Compatible Access group so that the remote access server can use NTLM (NT LAN Manager) security to read the domain user accounts.