Dial-in properties of a user account

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Dial-in properties of a user account

In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition; the user account for a stand-alone server or server running Active Directory contains a set of dial-in properties that are used when allowing or denying a connection attempt made by a user. On a stand-alone server, you can set the dial-in properties on the Dial-in tab in the user account in Local Users and Groups. On a server running Active Directory, you can set the dial-in properties on the Dial-in tab in the user account in Active Directory Users and Computers. On these servers, you cannot use the Windows NT 4.0 User Manager for Domains administrative tool.

The dial-in properties for a user account are:

  • Remote Access Permission (Dial-in or VPN)

    You can use this property to set remote access permission to be explicitly allowed, denied, or determined through remote access policies. In all cases, remote access policies are used to authorize the connection attempt. If access is explicitly allowed, remote access policy conditions, user account properties, or profile properties can still deny the connection attempt. The Control access through Remote Access Policy option is only available on user accounts in a Windows 2000 native domain, a Windows server 2003 domain, or for local accounts on stand-alone servers running Windows 2000, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

    By default, the Administrator and Guest accounts on a stand-alone server or in a Windows 2000 native domain are set to Control access through Remote Access Policy. In a Windows 2000 mixed domain, they are set to Deny access. New accounts that are created on a stand-alone server or in a Windows 2000 native domain are set to Control access through Remote Access Policy. New accounts that are created in a Windows 2000 mixed domain are set to Deny access.

    For more information, see Domain and forest functionality.

  • Verify Caller ID

    If this property is enabled, the server verifies the caller's phone number. If the caller's phone number does not match the configured phone number, the connection attempt is denied.

    Caller ID must be supported by the caller, the phone system between the caller and the remote access server, and the remote access server. On a computer running the Routing and Remote Access service, caller ID support consists of call answering equipment that provides caller ID information and the appropriate Windows Server 2003, Standard Edition ; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition driver to pass the information to the Routing and Remote Access service.

    If you configure a caller ID phone number for a user, and you do not have support for the passing of caller ID information from the caller to the Routing and Remote Access service, the connection attempt is denied.

  • Callback Options

    If this property is enabled, the server calls the caller back during the connection process. The phone number that is used by the server is set by either the caller or the network administrator.

  • Assign a Static IP Address

    You can use this property to assign a specific IP address to a user when a connection is made.

  • Apply Static Routes

    You can use this property to define a series of static IP routes that are added to the routing table of the server running the Routing and Remote Access service when a connection is made. This setting is designed for user accounts that a router running Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition uses for demand-dial routing. For more information, see One-way initiated demand-dial connections.

For information about configuring dial-in properties for a user account, see Configure dial-in user properties.

Support for ignoring the dial-in properties of user accounts

In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition; you can configure a RADIUS attribute to ignore the dial-in properties of user and computer accounts in the profile properties of a remote access policy. To support multiple types of connections for which IAS provides authentication and authorization, it might be necessary to disable the processing of user account dial-in properties. This can be done to support scenarios in which specific dial-in properties are not required.

For example, the caller-ID, callback, static IP address, and static routes properties are designed for a client that is dialing into a network access server (NAS). These settings are not designed for wireless access points. A wireless access point that receives these settings in the RADIUS message from the IAS server might be unable to process them, which could cause the wireless client to become disconnected. When IAS provides authentication and authorization for users who are both dialing in and accessing the organization network through wireless technology, the dial-in properties must be configured to support either dial-in connections (by setting dial-in properties) or wireless connections (by not setting dial-in properties).

You can use IAS to enable the processing of dial-in properties for user and computer accounts in some scenarios (such as dial-in), and to disable the processing of dial-in properties for user and computer accounts in other scenarios (such as wireless and authenticating switch). This is done by configuring the Ignore-User-Dialin-Properties attribute on the Advanced tab of the profile settings for a remote access policy. For more information, see Add RADIUS attributes to a remote access policy.

The Ignore-User-Dialin-Properties attribute is set to the following:

  • To enable the processing of dial-in properties for a user account, delete the Ignore-User-Dialin-Properties attribute or set it to False. For example, for a remote access policy that is designed for dial-in connections, no additional configuration is required.

  • To disable the processing of dial-in properties for a user account, set the Ignore-User-Dialin-Properties attribute to the value of True. For example, this is set for the remote access policy that is used for wireless or authenticating switch connections. When the dial-in properties of the user account are ignored, remote access permission is determined by the setting in the remote access policy.

Notes

  • For a user account in a Windows NT 4.0 domain or a Windows 2000 mixed domain:

    • Only the dial-in properties named Remote Access Permission (Dial-in or VPN) (Allow access and Deny access options) and Callback Options are available.

    • You can use the Windows NT 4.0 User Manager for Domains administrative tool to grant or deny dial-in access and set callback options.

  • If a user account is in a Windows 2000 native domain, the callback number can be up to 128 characters in length. If a user account is on a stand-alone remote access server, in a Windows NT 4.0 domain, or in a Windows 2000 mixed domain, the callback number can contain 24 through 48 characters. This is due to the compressed format for storing callback numbers.

  • When a remote access server running Windows NT 4.0 uses a Windows 2000 native domain to obtain the dial-in properties of a user account, the Control access through Remote Access Policy remote access permission setting is retrieved as Deny access. Callback settings are retrieved correctly.

    For more information, see Domain and forest functionality.

  • A remote access server running Windows NT 4.0 cannot use remote access policies. If you upgrade this remote access server with the Routing and Remote Access Service (RRAS) and configure it for RADIUS authentication, you can use the remote access policies of an IAS server. Alternately, you can upgrade this remote access server with a member of the Windows 2000 server family; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition.

  • User accounts upgraded to Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; or Windows Server 2003, Datacenter Edition that were configured with dial-in permission enabled are set to Allow access. Those that were configured with dial-in permission disabled are set to Deny access.

  • It is possible to ignore all of the user or computer account properties. For more information, see the section "Ignoring the dial-in properties of user accounts" in New features for IAS.

  • In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition; computer accounts also have dial-in properties and are similar to user accounts. This new feature allows computers to be authenticated as if they were users, and is used when an IEEE 802.1x Ethernet client uses EAP-TLS and an installed computer certificate to authenticate itself to an Ethernet switch.

  • The Ignore-User-Dialin-Properties attribute disables the use of all dial-in properties for the user account. Specific dial-in properties cannot be selectively disabled.