Configure Router Groups

Updated: April 30, 2010

Applies To: Windows Server 2008, Windows Server 2008 R2

Adding demand-dial router user accounts to an Active Directory group reserved for demand-dial routers simplifies administration by letting you centrally manage the list of demand-dial routers on your network. If you decide to manage authorization by group rather than by each router’s individual user account, you must set the network access permission on each calling router’s user account to Control access through NPS Network Policy, and then use Network Policy Server (NPS) to create a network policy based on connection type and group membership.

For example, if multiple calling routers will use a VPN connection, you can create an Active Directory global group called VPN-Routers, and then add the user account of each calling router to that group.

Then, create a network policy with two conditions:

  • Set NAS-Port-Type to Virtual (VPN). A network access server (NAS) is a server that accepts point-to-point connections from a calling router, or other remote client, and then functions as a gateway to the network for the calling router.

  • Set Windows-Group to VPN-Routers.

Finally, configure the constraints for the network policy, selecting an authentication method and encryption strength.
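The procedure above (group creation, per-router network access permission, and the two-condition network policy) can be scripted. The following PowerShell is an added example, not part of the original page or a Microsoft sample. It assumes the Active Directory module from Windows Server 2008 R2 or RSAT on a domain-joined administrative host and a local NPS installation; the router account names are constructed, and the netsh condition IDs (0x3d for NAS-Port-Type, 0x1fb5 for Windows-Groups) are the values that appear in `netsh nps show config` exports and should be confirmed against your own server's output before use. The authentication method and encryption constraints from the final step are left to the NPS console.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module on a domain-joined admin host and NPS installed locally. Router
# account names are constructed; netsh condition IDs are assumed values taken
# from typical 'netsh nps show config' exports, so verify them on your server.
Import-Module ActiveDirectory

$GroupName = 'VPN-Routers'
# Constructed sample names for the calling routers' user accounts
$RouterAccounts = @('rtr-branch1', 'rtr-branch2')

# 1. Create the global group reserved for demand-dial routers (skip if present).
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
        -Description 'Demand-dial router accounts authorized by NPS network policy'
}

# 2. Add each calling router's user account to the group and set its network
#    access permission to "Control access through NPS Network Policy", which
#    corresponds to clearing the msNPAllowDialin attribute on the account.
foreach ($acct in $RouterAccounts) {
    Add-ADGroupMember -Identity $GroupName -Members $acct
    Set-ADUser -Identity $acct -Clear msNPAllowDialin
}

# 3. Create the network policy with the two conditions from the text:
#    NAS-Port-Type = Virtual (VPN) and Windows-Groups = VPN-Routers (by SID).
$groupSid = (Get-ADGroup -Identity $GroupName).SID.Value
$policy   = 'Demand-dial routers (VPN)'
netsh nps add np name="$policy" state="ENABLE" processingorder="1" policysource="0"
# 0x3d = NAS-Port-Type (RADIUS attribute 61); value 5 = Virtual (VPN)
netsh nps set np name="$policy" conditionid="0x3d" conditiondata='^5$'
# 0x1fb5 = Windows-Groups; NPS matches the group by its SID
netsh nps set np name="$policy" conditionid="0x1fb5" conditiondata="$groupSid"

# 4. Check: every member of the group should show an empty msNPAllowDialin,
#    meaning authorization is decided by the network policy rather than by a
#    per-account Allow/Deny override that would silently bypass the group.
Get-ADGroupMember -Identity $GroupName |
    Get-ADUser -Properties msNPAllowDialin |
    Select-Object SamAccountName, msNPAllowDialin

# Review the resulting policy and its conditions before enabling it in production.
netsh nps show np name="$policy"
```

Keep the group limited to router accounts only: because the policy grants access to any member, an ordinary user account added to VPN-Routers would be authorized for router-style VPN connections, so audit group membership changes along with the policy itself.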