Home > Archive > 70-216 > September 2003 > RAS Policy ordering





You are viewing an archived Text-only version of the thread. To view this thread in it's original format and/or if you want to reply to this thread please [click here]

Author RAS Policy ordering
nero64

2003-09-13, 6:16 am

The MS book doesn't explain this too well.

If you are dialing in do all the RAS policies apply in the list. Just say the first policy contains your windows group and you are allowed access. However just say the first policy says you can't dial in between certain times, but a second policy changes the times you can dial in. Does this then apply.

I am very confused on this subject.
jeff_j_black

2003-09-13, 10:20 am

I'm glad you asked that. It made me sit down and look again.
Chapter 7 - Remote Access Server
From the Windows 2000 Server Internetworking Guide.

If I understand it correctly:
The first policy that matches is applied.

If there is no policy or no policy matches, then no access.

Say for example, you have the following in this order:
1) 'admins' '24x7' 'access granted'.
2) 'time of day' '6am-8am' 'no access'.
3) 'dial-up-group' '24x7' 'access granted'.
Results:
Administrator would be able to dial in at any time.
All other users are denied access from 6am-8am.
The 'dial-up-group' has access 24x7 with the exception of the hours of 6am-8am, because that policy would apply first.

Lets shuffle them a bit.
If you put #2 ahead of #1, then admins would not have access 6am-8am.
If you put #2 behind #3, then both admins and dial-up would have 24x7 access.

One of the caveats I believe is that built in groups can not be used.
jeff_j_black

2003-09-13, 10:39 am

It seems to me the best analogy would be asking ladies to dance with you.

If one says no you ask the next one. (condition)
The first one to say yes,(condition) and she asks her friends if they think you know how to dance (permissions) and she likes the way you dance (profile), you get to dance.
If they all say no, you don't dance. (condition)
If they all know you can't dance, they all say no. (permissions)
If they don't dance the same way you do they say no. (profile)
Policies are evaluated in this manner.
If you meet the conditions and have the permissions and your attempt meets the profile then you connect.

Make sure to spend some time examining the dialogue boxes in RRAS snap-in.
nero64

2003-09-13, 11:52 pm

Ok thanks for taking the time to explain that Jeff. It makes it a bit clearer. I even got a tough RAS policy ordering question in the 215 exam and i think i got it wrong. In a way it works like OU filtering.
Tech Ranger

2003-09-21, 10:24 pm

It's weird that Microsoft made something so basic like RRAS to be one of the most difficult to grasp of its technologies.
Sponsored Links





Free Braindumps | MCSE braindumps software forum

Copyright 2003 - 2008 examnotes.net