Tuesday, October 12, 2004

msNPAllowDialin, script and mixed-mode domains

As you may know (KB252398 and KB257341), you cannot grant dial-in access to a user simply by setting the msNPAllowDialin property on the user object in Active Directory. For some reason this attribute must be synchronized with information in the userParameters blob – sic!

Instead of chasing a way to make this happen, simply ask your Windows Server 2003 IAS server to ignore the dial-in attribute and rely on group membership or whatever other condition you prefer. This is done by setting Ignore-User-Dialin-Properties on the remote access policy. For more information, read the section called "Ignoring the dial-in properties of user accounts".
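Once a policy ignores the user dial-in properties, an account whose msNPAllowDialin is FALSE is no longer refused on that basis, so it is worth checking who is in the group before switching. The following is an added example, not part of the original post: it audits a constructed LDIF export (of the kind `ldifde` produces); the group DN, the sample accounts and the function names are assumptions.

```python
import base64
import re
# Assumed DN of the group the remote access policy matches on (hypothetical).
VPN_GROUP_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=test"
# Constructed sample in the LDIF form that ldifde exports.
SAMPLE_LDIF = """\
dn: CN=alice,DC=example,DC=test
sAMAccountName: alice
msNPAllowDialin: TRUE
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=test

dn: CN=bob,DC=example,DC=test
sAMAccountName: bob
msNPAllowDialin: FALSE
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=test

dn: CN=carol,DC=example,DC=test
sAMAccountName: carol
memberOf: CN=VPN-Users,OU=Groups,DC=example,DC=test
"""

def parse_ldif(text):
    """Return a list of entries as {lower-cased attribute: [values]}."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.split("\n"):
            m = re.match(r"([A-Za-z0-9;-]+)(::?) ?(.*)", line)
            if m:
                name, sep, value = m.groups()
                if sep == "::":  # base64-encoded value
                    value = base64.b64decode(value).decode("utf-8")
                entry.setdefault(name.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries, group_dn=VPN_GROUP_DN):
    """Sort direct members of group_dn by msNPAllowDialin (nested groups not resolved)."""
    report = {"deny_overridden": [], "allow": [], "unset": []}
    for e in entries:
        if group_dn.lower() not in (g.lower() for g in e.get("memberof", [])):
            continue
        flag = e.get("msnpallowdialin", [None])[0]
        key = "unset" if flag is None else "allow" if flag.upper() == "TRUE" else "deny_overridden"
        report[key].append(e["samaccountname"][0])
    return report

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```

Accounts listed under `deny_overridden` were explicitly denied on the user object but would be admitted by a group-based policy that ignores dial-in properties; remove them from the group if the deny was intentional.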

1 comment:

Homerotrix said...

Max Concurrent connection per user
Is there a way using IAS to limit the number of logins a single user can make at the same time?

I can easily do this with Steel Belted Radius but it is too expensive for me.
Posted: 03/24/2008 @ 09:22 PM (PDT)

same sh...