Remote Access policy question.

I'm reviewing for the 291 exam and came across a question I didn't really get. It involves a question about dail-up remote acess polices and the way multiple policies are applied. Basically, it seems that policies must be applied in a certain order to obtain the desired result if certain restrictions apply to some groups but not to all. I don't recall reading anything about the order in which these policies must be applied. I then assumed policies would be applied from least to most restrictive, but that didn't seem to fit the answer the book gave for the order. I went back to the chapter and couldn't really find any good info on that either. So, does anyone have a quick guide to the reasoning behind the order of application for remote acess policies?

Find more posts tagged with

Comments

dynamik

http://technet2.microsoft.com/windowsserver/en/library/fc353fbb-4df4-4b36-b14a-20cbbad434941033.mspx?mfr=true

Are you using the MS Press book? If so, which question? I'll take a look at it.

royal

I remember this question. It's something about if they're domain admin and some are enterprise admin, etc... I don't remember the exact question though.

Remote Access Policies apply from top down. Once there is a match, that's it. So if you have the following Remote Access Policies:
Policy 1
Policy 2
Policy 3

User A matches policy 1. User A applies only Policy 1.
User B does not match Policy 1 but does match Policy 2. That user will apply Policy 2 and Policy 3 won't get checked.

sprkymrk

royal wrote:

I remember this question. It's something about if they're domain admin and some are enterprise admin, etc... I don't remember the exact question though.

Remote Access Policies apply from top down. Once there is a match, that's it. So if you have the following Remote Access Policies:
Policy 1
Policy 2
Policy 3

User A matches policy 1. User A applies only Policy 1.
User B does not match Policy 1 but does match Policy 2. That user will apply Policy 2 and Policy 3 won't get checked.

Correct.

That should not to be confused with policy conditions. You can use "AND" inside your policies to make sure multiple conditions match. Such as:

Windows-Group matches "domain\RAS Users" AND
Client-IP-Address matches "192.168.10.*"

JayrodEF

Ah hah. That makes sense. And now that you mention it I do recall reading about that but I wasn't able to find it again obviously. Thanks for the link and all the help!