Managing Network Policies
Applies To: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
This section provides information about how to manage NPS network policies.
After NPS authenticates users or computers connecting to your network, it performs authorization to determine whether to grant the user or computer permission to connect.
Authorization is performed when NPS checks the dial-in properties of user accounts in Active Directory and when NPS evaluates the connection request against the network policies configured in the NPS console.
In the Active Directory Users and Computers snap-in, on the Dial-in tab of user account properties, the Network Access Permission setting is used by NPS to make authorization decisions, as follows:
If the value of Network Access Permission is Deny access, the user is always denied access to the network by NPS, regardless of any settings in network policy.
If the value of Network Access Permission is Allow access, the user is allowed network access unless there is a network policy that explicitly denies access to the user.
If the value of Network Access Permission is Control access through NPS Network Policy, NPS makes authorization decisions based solely on network policy settings.
For ease of administration of network access, it is recommended that the Network Access Permission setting is always set to Control access through NPS Network Policy.By default, if your forest functional level is Windows Server 2008, when you create a user account, the value of Network Access Permission is set to Control access through NPS Network Policy.
You can also specify connection settings in an NPS network policy that are applied after the connection is authenticated and authorized. For example, you can define IP filters for the connection that specify the network resources to which the user has permission to connect.
An ordered list of rules
When you configure multiple network policies in NPS, the policies are an ordered list of rules. NPS evaluates the policies in listed order from first to last. If there is a network policy that matches the connection request, NPS uses the policy to determine whether to grant or deny access to the user or computer connection.
When you order the network policies in the NPS console, ensure that rules created in one policy do not unintentionally counteract the rules in a different policy.
For example, a member of the Domain Users group might also be a member of the Wireless Users group that is created (by you or by another administrator) in Active Directory. Perhaps your organization has limited wireless resources, so members of the Domain Users group are denied access when connecting through wireless access points; however, members of the Wireless Users group are granted access when connecting by wireless. If the network policy that denies wireless access to Domain Users is evaluated before the Wireless Users policy is evaluated, NPS denies access to members of the Wireless Users group when they attempt to connect by wireless — even though your intention is to grant them access.
The solution to this problem is to move the Wireless Users network policy higher in the list of policies in the NPS console so that it is evaluated before the Domain Users policy is evaluated. In this circumstance, when a member of the Wireless Users group attempts to connect, NPS evaluates the Wireless Users policy first and then authorizes the connection. When NPS receives a wireless connection attempt from a member of the Domain Users group that is not also a member of the Wireless Users group, the connection attempt does not match the Wireless Users policy, so that policy is not evaluated by NPS. Instead, NPS moves down to the Domain Users wireless policy, and then denies the connection to the member of the Domain Users group.
The following objectives are part of managing NPS network policies: