Understanding Remote Access Properties of a User Account
Updated: April 30, 2010
Applies To: Windows Server 2008, Windows Server 2008 R2
In Windows Server 2008 R2 and Windows Server 2008, the user account for a stand-alone server or a server running Active Directory contains a set of remote access properties that are used when allowing or denying a connection attempt made by a user. On a stand-alone server, you can set the remote access properties by using the Dial-in tab on the user account in Local Users and Groups. On a server running Active Directory, you can set the remote access properties by using the Dial-in tab on the user account in Active Directory Users and Computers.
The remote access properties for a user account are:
Network Access Permission
Use this property to set network access permission to be explicitly allowed, denied, or determined by using Network Policy Server (NPS) network policies. If access is explicitly allowed, other user account properties can still deny the connection attempt.
Verify Caller ID
Use this property to cause the RRAS server to verify the caller's phone number. If the caller's phone number does not match the configured phone number, the connection attempt is denied.
Caller ID must be supported by the caller, the phone system between the caller and the remote access server, and the remote access server. On an RRAS server, caller ID support consists of call answering equipment that provides caller ID information and the appropriate Windows device driver to pass the information to the Routing and Remote Access service.
If you configure a caller ID phone number for a user and you do not have support for the passing of caller ID information from the caller to the Routing and Remote Access service, the connection attempt is rejected.
If this property is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set by either the caller or the network administrator.
Assign a Static IP Address
You can use this property to assign a specific IP address to a user when a connection is made. This address is used instead of DHCP or static range addresses configured on the server.
Apply Static Routes
You can use this property to define a series of static IP routes that are added to the routing table of the server running the Routing and Remote Access service when a connection is made. This setting is designed for use in user accounts that an RRAS router uses for demand-dial routing. For more information, see Demand-dial Routing Example in the RRAS Design Guide.
Support for ignoring the remote access properties of user accounts
To support multiple types of connections for which NPS provides authentication and authorization, it might be necessary to disable the processing of user account dial-in properties. In Windows Server 2008 R2 and Windows Server 2008, you can configure a Remote Authentication Dial-In User Service (RADIUS) attribute to ignore the dial-in properties of user and computer accounts in settings of a remote access network policy. This can be done to support scenarios in which specific dial-in properties are not required.
For example, the caller-ID, callback, static IP address, and static routes properties are designed for a client that is dialing into a remote access server. These settings are not designed for wireless access points. A wireless access point that receives these settings in the RADIUS message from the NPS server might not be able to process them, which can cause the wireless client to become disconnected. When NPS provides authentication and authorization for users who are both dialing in and accessing the organization network by using wireless technology, the dial-in properties must be configured to support either dial-in connections (by setting dial-in properties) or wireless connections (by not setting dial-in properties).
You can use NPS to enable the processing of dial-in properties for user and computer accounts in some scenarios (such as dial-in), and to disable the processing of dial-in properties for user and computer accounts in other scenarios (such as wireless and authenticating switch). To do this, configure the Ignore user account dial-in properties setting on the Overview tab of the policy settings for a remote access network policy. For more information, see “Access Permission” in NPS Help.