Authorization by User and Group

Applies To: Windows Server 2008, Windows Server 2008 R2

When designing your authorization scheme, you must determine whether you want to manage authorization by user or by group.

Authorization by user

If you are managing authorization by user, set the network access permission on the user or computer account to either Grant access or Deny access and, optionally, create different network policies based on different types of connections.

For example, you might want to create one network policy that is used for virtual private network (VPN) connections and a different network policy that is used for wireless connections.

Important

Managing authorization by user is recommended only when you have a small number of user or computer accounts to manage.

If you are managing authorization by user, the basic process used by Network Policy Server (NPS) to authorize a connection request occurs as follows:

  1. If NPS finds that the connection request matches all of the conditions of the network policy, it checks the network access permission setting of the user account:

    • If the network access permission setting of the user account is set to grant access, NPS applies the network policy and user account connection settings to the connection and grants it.

    • If the network access permission setting of the user account is set to deny access, NPS rejects the connection request.

  2. If the connection request does not match all conditions of the first network policy, NPS processes the next network policy.

  3. If the connection request does not match all conditions of any network policy, NPS rejects the connection request.

Authorization by group

If you are managing authorization by group, set the network access permission on the user account to Control access through NPS Network Policy and create network policies that are based on different types of connections and on Windows group membership.

For example, you might want to create one network policy for dial-up connections for employees (members of the Employees group that you have created in Active Directory Domain Services (AD DS)) and a different network policy for dial-up connections for contractors (members of the Contractors group that you have created in AD DS).

If you are managing authorization by group, the basic process used by NPS to authorize a connection request occurs as follows:

  1. If NPS finds that the connection request matches all of the conditions of the network policy, it checks the Access Permission setting of the network policy.

    • If the Access Permission setting is configured to grant access, NPS applies the network policy and user account connection settings to the connection and grants it.

    • If the Access Permission setting is configured to deny access, NPS rejects the connection request.

  2. If the connection request does not match all conditions of the first network policy, NPS processes the next network policy.

  3. If the connection request does not match all conditions of any network policy, NPS rejects the connection request.
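The following is an added example, not Microsoft's code, that models the first-match evaluation described in both procedures above (authorization by user and by group) in one function: the account's network access permission is honoured when it is Grant or Deny, and the policy's Access Permission is used when the account is set to Control access through NPS Network Policy. The policies, groups, and account names are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

GRANT, DENY, CONTROL_THROUGH_POLICY = "grant", "deny", "control_through_policy"


@dataclass
class Account:
    name: str
    groups: Set[str]
    network_access_permission: str  # GRANT, DENY or CONTROL_THROUGH_POLICY


@dataclass
class NetworkPolicy:
    name: str
    connection_type: str                  # condition: "VPN", "Wireless", "Dial-up"
    access_permission: str                # GRANT or DENY; used only when the account defers
    required_group: Optional[str] = None  # optional condition: Windows group membership


def matches(policy: NetworkPolicy, account: Account, connection_type: str) -> bool:
    """All conditions of the policy must match; no group condition means any group."""
    if policy.connection_type != connection_type:
        return False
    return policy.required_group is None or policy.required_group in account.groups


def authorize(policies, account: Account, connection_type: str) -> Tuple[str, Optional[str]]:
    """Walk the policies in order and return (decision, matching policy name or None)."""
    for policy in policies:
        if not matches(policy, account, connection_type):
            continue  # step 2: this policy does not match, process the next one
        perm = account.network_access_permission
        if perm == CONTROL_THROUGH_POLICY:
            perm = policy.access_permission  # authorization by group
        return ("granted" if perm == GRANT else "rejected", policy.name)
    return ("rejected", None)  # step 3: no policy matched all of its conditions


# Constructed sample configuration (hypothetical names, not from the page).
POLICIES = [
    NetworkPolicy("Dial-up Employees", "Dial-up", GRANT, required_group="Employees"),
    NetworkPolicy("Dial-up Contractors", "Dial-up", DENY, required_group="Contractors"),
    NetworkPolicy("VPN", "VPN", GRANT),
]
ALICE = Account("alice", {"Employees"}, CONTROL_THROUGH_POLICY)
BOB = Account("bob", {"Contractors"}, CONTROL_THROUGH_POLICY)
CAROL = Account("carol", {"Contractors"}, GRANT)  # per-user Grant overrides the policy's Deny
DAVE = Account("dave", {"Employees"}, DENY)       # per-user Deny overrides the policy's Grant

if __name__ == "__main__":
    for acct, ctype in [(ALICE, "Dial-up"), (BOB, "Dial-up"), (CAROL, "Dial-up"),
                        (DAVE, "VPN"), (ALICE, "Wireless")]:
        print(acct.name, ctype, authorize(POLICIES, acct, ctype))
```

Because evaluation stops at the first matching policy, the order of policies in the list determines which one applies, so a broad policy placed first shadows more specific ones below it.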