Access Permission

Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016

Access permission is configured on the Overview tab of each network policy in Network Policy Server (NPS).

This setting allows you to configure the policy to either grant or deny access to users if the conditions and constraints of the network policy are matched by the connection request.

Access permission settings have the following effect:

  • Grant access. Access is granted if the connection request matches the conditions and constraints that are configured in the policy.
  • Deny access. Access is denied if the connection request matches the conditions and constraints that are configured in the policy.

Access permission is also granted or denied based on your configuration of the dial-in properties of each user account.

Note

User accounts and their properties, such as dial-in properties, are configured in either the Active Directory Users and Computers or the Local Users and Groups Microsoft Management Console (MMC) snap-in, depending on whether you have Active Directory® Domain Services (AD DS) installed.

The user account setting Network Access Permission, which is configured on the dial-in properties of user accounts, overrides the network policy access permission setting. When network access permission on a user account is set to the Control access through NPS Network Policy option, the network policy access permission setting determines whether the user is granted or denied access.

Note

In Windows Server 2016, the default value of Network Access Permission in AD DS user account dial-in properties is Control access through NPS Network Policy.

When NPS evaluates connection requests against configured network policies, it performs the following actions:

  • If the conditions of the first policy are not matched, NPS evaluates the next policy, and continues this process until either a match is found or all policies have been evaluated for a match.
  • If the conditions and constraints of a policy are matched, NPS either grants or denies access, depending on the value of the Access Permission setting in the policy.
  • If the conditions of a policy match but the constraints in the policy do not match, NPS rejects the connection request.
  • If the conditions of all policies do not match, NPS rejects the connection request.

Ignore user account dial-in properties

You can configure NPS network policy to ignore the dial-in properties of user accounts by selecting or clearing the Ignore user account dial-in properties check box on the Overview tab of a network policy.

Normally when NPS performs authorization of a connection request, it checks the dial-in properties of the user account, where the network access permission setting value can affect whether the user is authorized to connect to the network. When you configure NPS to ignore the dial-in properties of user accounts during authorization, network policy settings determine whether the user is granted access to the network.

The dial-in properties of user accounts contain the following:

  • Network access permission
  • Caller-ID
  • Callback options
  • Static IP address
  • Static routes

To support multiple types of connections for which NPS provides authentication and authorization, it might be necessary to disable the processing of user account dial-in properties. This can be done to support scenarios in which specific dial-in properties are not required.

For example, the caller-ID, callback, static IP address, and static routes properties are designed for a client that is dialing into a network access server (NAS), not for clients that are connecting to wireless access points. A wireless access point that receives these settings in a RADIUS message from NPS might not be able to process them, which can cause the wireless client to be disconnected.

When NPS provides authentication and authorization for users who are both dialing in and accessing your organization network through wireless access points, you must configure the dial-in properties to support either dial-in connections (by setting dial-in properties) or wireless connections (by not setting dial-in properties).

You can use NPS to enable dial-in properties processing for the user account in some scenarios (such as dial-in) and to disable dial-in properties processing in other scenarios (such as 802.1X wireless and authenticating switch).

You can also use Ignore user account dial-in properties to manage network access control through groups and the access permission setting on the network policy. When you select the Ignore user account dial-in properties check box, network access permission on the user account is ignored.

The only disadvantage to this configuration is that you cannot use the additional user account dial-in properties of caller-ID, callback, static IP address, and static routes.
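
The evaluation steps and the effect of the Ignore user account dial-in properties check box can be traced with a small model. This is an added example, not NPS code or anything from the original page. The policy names, request fields, constant names and the point at which the user account override is applied are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Callable

# Simplified model of the decision order described above (assumption: the
# user account override is applied after the constraints check).

@dataclass
class NetworkPolicy:
    name: str
    conditions: Callable[[dict], bool]
    constraints: Callable[[dict], bool]
    grant: bool                    # Access Permission: True = Grant, False = Deny
    ignore_dialin: bool = False    # "Ignore user account dial-in properties"

# User account Network Access Permission values (hypothetical constant names)
ALLOW, DENY, VIA_POLICY = "allow", "deny", "control-through-nps-policy"

def evaluate(policies, request, user_permission=VIA_POLICY):
    """Return (decision, policy_name, reason) for one connection request."""
    for p in policies:                      # policies are tried in order
        if not p.conditions(request):
            continue                        # no match: evaluate the next policy
        if not p.constraints(request):
            # Conditions matched but constraints did not: reject, no fall-through.
            return ("reject", p.name, "constraints not matched")
        if not p.ignore_dialin and user_permission != VIA_POLICY:
            # The user account setting overrides the policy setting.
            granted = user_permission == ALLOW
            return ("grant" if granted else "deny", p.name, "user dial-in property")
        return ("grant" if p.grant else "deny", p.name, "policy access permission")
    return ("reject", None, "no policy matched")

# Constructed sample policies
POLICIES = [
    NetworkPolicy("Wireless-Staff",
                  conditions=lambda r: r["nas_port_type"] == "wireless"
                  and "Staff" in r["groups"],
                  constraints=lambda r: r["auth"] == "PEAP",
                  grant=True, ignore_dialin=True),
    NetworkPolicy("Contractors-Deny",
                  conditions=lambda r: "Contractors" in r["groups"],
                  constraints=lambda r: True,
                  grant=False),
]
```

In this model a per-user Deny no longer blocks a request that matches `Wireless-Staff`, because that policy ignores dial-in properties, while a per-user Allow overrides the Deny setting of `Contractors-Deny`. Both outcomes are worth checking for when reviewing policies and account settings together.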

For more information about NPS, see Network Policy Server (NPS).