Share via

Adding multiple groups under conditions in NPS Network Policies.

Anonymous
2024-07-02T05:46:01+00:00

NPS authentication is not happening If I add multiple groups under conditions in NPS Network policies. However, it is working fine if I add only one group. Any chance to add multiple groups?

Windows for business Windows Server Networking Network connectivity and file sharing

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.

0 comments
Accepted answer
  1. Anonymous
    2025-01-10T23:14:02+00:00

    One way I did this was by adding the groups simultaneously to the condition instead of separately.

    When adding the user groups, add them both at this step instead of one at a time. Below you can see that the policy automatically put in an "OR" operator between the two groups.

    Hope this helps!

    1 person found this answer helpful.
    0 comments

3 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Anonymous
    2024-07-02T15:19:22+00:00

    Hello,

    In Network Policy Server (NPS), when you configure conditions in a network policy, you can specify multiple groups to allow or deny network access to users or computers. However, sometimes you may run into problems when configuring multiple groups, especially when you connect the conditions using "AND" logic. This is because NPS follows strict logic rules when evaluating policies.

    If you add multiple groups to a network policy in NPS, and authentication fails, it may be because NPS is interpreting the conditions you set literally. For example, if you have the following conditions:

    • The user belongs to group A.
    • The user belongs to group B.

    If the NPS policy is configured this way, only users who belong to both group A and group B will be authenticated. If the user belongs to only one of the groups, they will not meet the conditions, so NPS will deny authentication.

    In order to add multiple groups and make authentication work, you need to make sure that the NPS policy correctly reflects your intent. Here are some possible solutions:

    1. If your goal is to allow users to authenticate as long as they belong to any of the groups, you need to make sure that the conditions in the policy are connected using "OR" logic. This may require creating multiple conditions or using different policies to cover all cases.
    2. Another approach is to create separate network policies for each group. Each policy has a condition that the user must belong to a specific group. You can then use priorities to determine which policy is adopted in case of conflict.
    3. Review the NPS log files and events in Windows Event Viewer for details on what NPS does when it processes authentication requests. This may provide clues as to why some users are denied access.

    Best regards

    Zunhui

    1 person found this answer helpful.
    0 comments
  2. Anonymous
    2024-07-03T08:20:39+00:00

    Thanks for your prompt response. I am adding a group like first-year students and second-year students. These members belong to a group "student" which I have not added. Now, I have created policies for first-year and second-year students separately. I want to create a single policy to allow those two groups.

    0 comments
  3. Anonymous
    2025-01-28T01:14:18+00:00

    Thank you so much, it worked for me.

    0 comments