Plan the User Accounts

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, the user account for a stand-alone server or server running Active Directory contains a set of dial-in properties that are used when performing authorization (allowing or denying a connection attempt made by a user). On a stand-alone server, you can set the dial-in properties on the Dial-in tab in the user account in the Local Users and Groups dialog box. On a server running Active Directory, you can set the dial-in properties on the Dial-in tab in the user account in the Active Directory Users and Computers snap-in. On these servers, you cannot use the Windows NT 4.0 User Manager for Domains administrative tool.

In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition, you can configure a RADIUS attribute to ignore the dial-in properties of user and computer accounts in the profile properties of a remote access policy. To support multiple types of connections for which IAS provides authentication and authorization, it might be necessary to disable the processing of user account dial-in properties. This can be done to support scenarios in which specific dial-in properties are not required and is accomplished by configuring the Ignore-User-Dialin-Properties attribute on the Advanced tab of the profile settings for a remote access policy.

Computer accounts also have dial-in properties that are similar to user accounts. Therefore computers can be authenticated as if they were users when an IEEE 802.1X Ethernet client uses EAP-TLS and an installed computer certificate to authenticate itself to an Ethernet switch. Note that the Ignore-User-Dialin-Properties attribute disables the use of all dial-in properties for the user account. Specific dial-in properties cannot be individually disabled.

For more information about planning user accounts, see "Dial-in properties of a user account" in Help and Support Center for Windows Server 2003.