Configure Active Directory User Accounts and Groups

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Note

  • If you plan to use local accounts, do not perform these steps. Instead, use the Demand-Dial Interface Wizard to create a user account for the calling router locally on the answering router.

Each calling router must have a user account, which the answering router uses to authenticate the calling router. If you have more than one calling router and if you joined your routers to the Active Directory domain, you can add each router user account to an Active Directory group to simplify administration.

Use the following procedures to accomplish these tasks:

  • Create Active Directory user accounts for routers.

  • Add router user accounts to an Active Directory group.

Create Active Directory User Accounts for Routers

If you plan to use Active Directory user accounts for demand-dial routers, you manually create an Active Directory user account for each calling router (you can use the Demand-Dial Interface Wizard to create the user account only if you use a local user account).

To create an Active Directory user account for a router

  1. Open the Active Directory Users and Computers snap-in, and create a user account for the calling router (for a two-way connection, create a user account for the calling router in both sites). The name of the account must match the name of the corresponding demand-dial interface on the remote (answering) router: when the answering router authenticates a caller whose user name matches one of its own demand-dial interfaces, it treats the connection as a router-to-router connection instead of a remote access client connection.

  2. To ensure that the connection succeeds, clear the User must change password at next logon check box and select the Password never expires check box on the Account tab of the property sheet for the user account object. A router cannot respond to a change-password prompt, so a pending change or an expired password causes authentication to fail. Because the password never expires, give the account a long, random password, record it only where the demand-dial interface credentials are configured, and rotate it manually in both places.

  3. On the user account Dial-in tab, select one of the following options:

    • Allow access. This option overrides the grant or deny remote access permission setting specified on the Properties page of any associated remote access policy. The conditions and profile settings of the matching remote access policy still apply to the connection.

    • Control access through Remote Access Policy. This option ensures that the grant or deny remote access permission setting specified on the Properties page of any associated remote access policy is used. If you manage the router accounts as an Active Directory group, this option lets a single policy whose condition matches the group membership grant or deny access for all of them.

Add Router User Accounts to an Active Directory Group

If you use Active Directory user accounts for demand-dial routers, you can add the router user accounts to a group to simplify administering them and to simplify configuring remote access policies.

To add router user accounts to a group

  1. Open the Active Directory Users and Computers snap-in, and create an Active Directory group to contain the user accounts of the calling routers. Use an appropriate name, such as BranchOfficeRouters.

  2. Add the user accounts of the calling routers to the group.
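The two procedures above, as an added PowerShell example that is not part of the original article and is not Microsoft's code. It assumes the ActiveDirectory PowerShell module (available with RSAT on Windows Server 2008 R2 and later, not on Windows Server 2003 itself), an OU path of OU=Routers,DC=corp,DC=example, and the account and demand-dial interface names DD_Branch1 and DD_Hub; all of these are placeholders chosen for the example. It goes beyond the click-through steps by setting the Dial-in permission through the underlying msNPAllowDialin attribute, generating the never-expiring password from a CSPRNG, and reading the settings back so the result can be verified.

```powershell
# Added example; not part of the original article. Assumes the ActiveDirectory
# PowerShell module (RSAT on Windows Server 2008 R2 or later) and an account with
# rights to create users and groups in the target OU. The OU path, account names
# and demand-dial interface names are placeholders chosen for this example.
Import-Module ActiveDirectory

$RouterOU  = 'OU=Routers,DC=corp,DC=example'   # assumed OU; adjust to your forest
$GroupName = 'BranchOfficeRouters'             # group name suggested by the article

# Two-way connection: each router calls the other, so each site needs an account
# whose name equals the demand-dial interface name on the answering (remote) router.
$RouterAccounts = @(
    @{ Name = 'DD_Branch1'; Description = 'Branch1 router calling the hub (hub interface DD_Branch1)' },
    @{ Name = 'DD_Hub';     Description = 'Hub router calling Branch1 (branch interface DD_Hub)' }
)

function New-RouterPassword {
    # 32 CSPRNG bytes, Base64-encoded. The password never expires and is only ever
    # configured on a router, never typed by a person, so make it long and random.
    $bytes = New-Object byte[] 32
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return [Convert]::ToBase64String($bytes)
}

function New-DemandDialRouterAccount {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path,
        [string] $Description = '',
        # $true  = Dial-in tab "Allow access" (msNPAllowDialin = TRUE)
        # $false = "Control access through Remote Access Policy" (attribute cleared)
        [bool] $AllowAccess = $false
    )
    $plain  = New-RouterPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # Step 2 of the article: no forced change at next logon, password never expires.
    New-ADUser -Name $Name -SamAccountName $Name -Path $Path -Description $Description `
        -AccountPassword $secure -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true

    # Step 3: the Dial-in tab setting is stored in the msNPAllowDialin attribute.
    if ($AllowAccess) {
        Set-ADUser -Identity $Name -Replace @{ msNPAllowDialin = $true }
    } else {
        Set-ADUser -Identity $Name -Clear msNPAllowDialin
    }
    # Returned once so it can be entered as the calling router's demand-dial
    # interface credentials; it is not written anywhere else.
    return $plain
}

function Get-RouterAccountState {
    # Verification: reads back the settings the two procedures ask for.
    param([Parameter(Mandatory)] [string] $Name, [Parameter(Mandatory)] [string] $Group)
    $u = Get-ADUser -Identity $Name -Properties PasswordNeverExpires, msNPAllowDialin, MemberOf
    if ($null -eq $u.msNPAllowDialin) { $dialIn = 'Control access through Remote Access Policy' }
    elseif ($u.msNPAllowDialin)        { $dialIn = 'Allow access' }
    else                               { $dialIn = 'Deny access' }
    [PSCustomObject]@{
        Name                 = $u.SamAccountName
        PasswordNeverExpires = $u.PasswordNeverExpires
        DialIn               = $dialIn
        InGroup              = ($u.MemberOf -contains (Get-ADGroup -Identity $Group).DistinguishedName)
    }
}

# Second procedure: a security group that holds the calling routers' accounts.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $RouterOU `
        -Description 'User accounts of calling demand-dial routers'
}

foreach ($acct in $RouterAccounts) {
    $secret = New-DemandDialRouterAccount -Name $acct.Name -Path $RouterOU -Description $acct.Description
    Add-ADGroupMember -Identity $GroupName -Members $acct.Name
    Write-Host "Created $($acct.Name). Set this password on the matching demand-dial interface: $secret"
    Get-RouterAccountState -Name $acct.Name -Group $GroupName
}
```

Clearing msNPAllowDialin (rather than setting it to FALSE) is what corresponds to Control access through Remote Access Policy; FALSE is Deny access. On Windows Server 2003 itself, the account and group can be created with the dsadd user and dsadd group command-line tools (dsadd user accepts -mustchpwd no and -pwdneverexpires yes), but the dial-in permission still has to be set in the snap-in or through the attribute.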