Apply Policies to Users and Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

If you are controlling remote client access by means of groups, you must determine which groups the policies that you create will apply to. If you are using nested groups, make sure that policies configured for the parent group do not conflict with policies configured for the nested group.

If you are controlling remote client access by means of the access-by-user administrative model, you must establish the criteria that you use to determine whether the policy is applied; for example, you can use the client name, client IP address, access server IP address, or any other condition attribute.

Two of the attributes, NAS-Port-Type and Tunnel-Type, deserve special mention because they are used to support VPN, wireless, and authenticating switch access clients:

  • The NAS-Port-Type attribute. This attribute allows you to specify the type of physical port that is used by the access server originating the request.

  • The Tunnel-Type attribute. This attribute allows you to specify the type of tunnel that the access server can create. You can specify either Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP).

For a detailed list of condition attributes, see "Connection request policies" in Help and Support Center for Windows Server 2003 and the Networking Collection of the Windows Server 2003 Technical Reference (or see the Networking Collection on the Web at https://www.microsoft.com/reskit).
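The following Python sketch is an added example, not Microsoft code or an IAS API. It models the nested-group caution above together with the NAS-Port-Type and Tunnel-Type conditions, and flags a parent-group policy and a nested-group policy that match the same request but disagree. The group names, the policy list, and the rule that policies are evaluated in list order with the first match deciding are assumptions of this model; the numeric attribute values are the RADIUS values from RFC 2865 and RFC 2868.

```python
# RADIUS attribute values from RFC 2865 (NAS-Port-Type) and RFC 2868 (Tunnel-Type).
NAS_PORT_TYPE = {"Virtual": 5, "Ethernet": 15, "Wireless-IEEE-802.11": 19}
TUNNEL_TYPE = {"PPTP": 1, "L2TP": 3}

# Constructed group nesting (hypothetical names): nested group -> parent group.
PARENT = {"VPN-Contractors": "VPN-Users"}

# Constructed policy list, in the order the model evaluates it.
POLICIES = [
    {"name": "Allow VPN users", "group": "VPN-Users",
     "NAS-Port-Type": {5}, "Tunnel-Type": {1, 3}, "grant": True},
    {"name": "Deny contractor PPTP", "group": "VPN-Contractors",
     "NAS-Port-Type": {5}, "Tunnel-Type": {1}, "grant": False},
]

def effective_groups(direct):
    """Expand direct memberships to include every parent group."""
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            if group in PARENT:
                stack.append(PARENT[group])
    return seen

def matches(policy, request):
    """A policy matches only if every one of its conditions matches."""
    return (policy["group"] in effective_groups(request["groups"])
            and request["NAS-Port-Type"] in policy["NAS-Port-Type"]
            and request["Tunnel-Type"] in policy["Tunnel-Type"])

def evaluate(policies, request):
    """Assumed model: the first matching policy decides; no match rejects."""
    for policy in policies:
        if matches(policy, request):
            return policy["name"], policy["grant"]
    return None, False

def find_conflicts(policies, request):
    """Return the matching policy names when they disagree on grant/deny."""
    hits = [p for p in policies if matches(p, request)]
    return [p["name"] for p in hits] if len({p["grant"] for p in hits}) > 1 else []

# Constructed request: a contractor connecting over a PPTP tunnel on a virtual port.
REQUEST = {"groups": ["VPN-Contractors"], "NAS-Port-Type": 5, "Tunnel-Type": 1}
```

With this constructed input, the parent-group policy is evaluated first and grants the contractor's PPTP connection, so the nested-group deny is never reached; `find_conflicts` reports both policies so that the ordering or the conditions can be corrected.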