Modifying User Dial-In Properties to Work with Remote Access Policies
You can edit a user's dial-in properties by opening the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in and double-clicking the user whose properties you want to edit. At the Properties page, which Web Figure A shows, click the Dial-in tab. When a user tries to connect to your network through the VPN, Internet Authentication Service (IAS) first checks the Remote Access Permission (Dial-in or VPN) setting. If the account is set to Allow access or Deny access, IAS responds accordingly and doesn't process the account's remote access policies. To ensure that IAS uses the remote access policies you've set up, select Control access through Remote Access Policy. If that setting is disabled for user accounts in your domain, it means that your domain is still running in mixed mode to support Windows NT Server domain controllers (DCs). After you switch the domain to native mode, Windows lets you select Control access through Remote Access Policy.

To eliminate any chance of individual user accounts being configured to allow or deny remote access improperly, you can define an IAS attribute called Ignore-User-Dialin-Properties, which causes IAS to ignore the user-level dial-in remote access permission and use your remote access policies exclusively to control remote access permission. Ignore-User-Dialin-Properties is available only on IAS servers running Windows Server 2003. You must define Ignore-User-Dialin-Properties for each remote access policy on which you want to ignore the user-level remote access permission. To do so, in the Internet Authentication Service snap-in double-click the desired policy. Click Profile, then select the Advanced tab. Click Add, then select the Ignore-User-Dialin-Properties attribute. In the Boolean Attribute Information dialog box that Web Figure B shows, change the attribute value to True and click OK. The remote access policy will no longer look at the user-level remote access permissions or any of the other dial-in properties when it processes connection attempts. Repeat the process for the other policies.