Remote Access Policies

With earlier versions of Windows NT remote access, authorization was based on a check-box ("Grant dial-in permission to user") option in the User Manager, or in the remote access administration utility. You could specify callback options on a per-user basis as well. In Windows 2000, authorization is granted based on the dial-in properties of a user account and the remote access policies, which are both stored in Active Directory and replicated throughout the network.

Remote access policies are a set of conditions and connection settings that give administrators more flexibility in authorizing connection attempts. Windows 2000 RRAS and IAS both use remote access policies to determine whether to accept or deny connection attempts. With remote access policies, you can grant or deny authorization by the time of day and day of the week, by the Windows 2000 group to which the remote access user belongs, by the type of connection being requested, and by dial-up networking or a VPN connection requests. You can configure settings that limit the maximum session time, specify the authentication and encryption methods, set Bandwidth Allocation Protocol (BAP) policies, and detect a "slow network," thereby assigning policies for software installation, logon script processing, and group policy inheritance if a slow network is detected.

It is important to recognize that Windows 2000 Active Directory group policies and remote access policies offer much more flexibility to the administrator and the users than prior versions of Windows NT. However, implementing them requires a bit of time and effort to understand their implications and their affect on remote access users and groups.

For information, refer to Chapter 9, "Group Policies."