Configuring a Network Policy to Grant Access
Applies To: Windows Server 2008
When you add a new network policy to the Network Policy Server (NPS) configuration, the default value of Access Permission is Deny access, and the default value of Ignore user account dial-in properties is false, or not selected. These settings have the following effect on the way in which NPS evaluates the policy and authorizes the connection request:
Access Permission. When the value of Access Permission is Deny access, all connection requests that match the network policy are denied.
Ignore user account dial in properties. When this setting is not selected, NPS checks the dial-in properties of the user account in Active Directory while performing authorization. These properties affect how NPS authorizes the connection request. For example, if the Network Access Permission setting in user account dial-in properties is set to Deny access, NPS denies the connection request.
In some circumstances, this configuration of network policy is appropriate, but in other circumstances, you might want the network policy to allow rather than deny access, or you might want to configure the policy so that NPS ignores the dial-in properties of user accounts.
Commands for Access Permission configuration
To manually configure the Access Permission settings in the NPS console, obtain the properties of the network policy and then click the Overview tab. You can also configure these settings by using the following commands at the netsh nps prompt and in scripts and batch files.
add np. This command allows you to add a new network policy to the NPS server configuration.
set np. This command allows you to modify an existing network policy.
With these commands, you can configure Access Permission settings by using the parameters profileid and profiledata.
The following table provides the details for each attribute.
| NPS console setting | Attribute name | profileid | profiledata |
|---|---|---|---|
Access Permission |
NP-Allow-Dial-in |
0x100f |
True | False |
Ignore user account dial-in properties |
Ignore-User-Dial-in-Properties |
0x1005 |
True | False |
Example
The following example adds a network policy named "Example network policy" to the NPS configuration. The parameters profileid = "0x1005"profiledata = "True" add the attribute Ignore-User-Dial-in-Properties to the network policy and configure NPS not to check user account dial-in properties in Active Directory if the connection request matches this network policy. In addition, the parameters profileid = "0x100f"profiledata = "True" add the attribute NP-Allow-Dial-In to the network policy with a value of Grant Access, so that all connection requests that match the network policy are granted if the user or computer is authenticated.
add np name = "Example network policy" state = "enable" processingorder = "2" policysource = "0" conditionid = "0x1006" conditiondata = "0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00" profileid = "0x1005" profiledata = "True" profileid = "0x100f" profiledata = "True" profileid = "0x1009" profiledata = "0x3" profiledata = "0x4" profiledata = "0x9" profiledata = "0xa" profileid = "0x1fc8" profiledata = "TRUE" profileid = "0x7" profiledata = "0x1" profileid = "0x6" profiledata = "0x2"