The last thing I would suggest doing, however, is to double‑click on this policy that we just created, and you'll notice here that there is an option to ignore user account dial‑in properties. I suggest you check this box. It is possible to defer to the Active Directory user account to deny or allow access to the VPN. There is an option on the Dial‑in properties tab of a user account in Active Directory that allows you to control it there. The problem with that is that it obviously doesn't scale very well. If you want to selectively add and remove users, you have to go find the user and check the box. It's best to just create a group and put the users in the group. If they're not in the group, they don't get access, and you don't have to worry about it. Selecting this option will save you some pain in the future if somehow another administrator inadvertently checked that box, and now all of a sudden one of your users can't connect, and it's because we didn't check this box. So go ahead and check this box and then click OK.

And finally, we'll enable auditing on the NPS server so that we can record all of the authentication events, both success and failure. So to do that, we're going to run an auditpol command, the command that you see there on your screen. I've copied and pasted it here. So the command is an auditpol command. We're going to set the subcategory of Network Policy Server to enable auditing for both success and failure events. Once that's done, it will help tremendously with our troubleshooting in the future. If a user is denied access, we can go into the security event log and find detailed information about why the authentication request was rejected.

So one last critical bit of information for you. If you've installed NPS on a Windows Server 2019 server, there is a bug that exists only in Windows Server 2019 that prevents NPS from working correctly out of the box. This is not an issue on Server 2016 and earlier. It is not an issue in Windows Server 2022. It only affects Windows Server 2019. That bug has not been fixed to this day, and so if you're running NPS on Windows Server 2019, you will have to run the following command: sc.exe sidtype IAS unrestricted. And once that's done, you'll need to reboot the server and everything will work according to plan.
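The three settings the narration covers (NPS audit policy, the Server 2019 service SID workaround, and the per-user dial‑in property) can all be verified from the NPS server. The following PowerShell script is an added example, not part of the video or its course material; it checks each one and lists recent NPS grant/deny events for troubleshooting. It assumes the NPS service is named IAS (the standard name), that Security log event IDs 6272 (access granted) and 6273 (access denied) are the standard NPS audit events (they are not mentioned in the video), and that the ActiveDirectory RSAT module is present for the dial‑in check. The `auditpol` and `sc.exe` commands used are the ones the narration runs.

```powershell
# Added verification script (not from the video). Run in an elevated PowerShell
# session on the NPS server. Assumptions, as stated in the lead-in: service name
# IAS, Security events 6272/6273 for NPS grant/deny, AD module for step 4.

# 1. Confirm the auditpol change actually took effect.
#    The subcategory line should read "Success and Failure".
$audit     = auditpol /get /subcategory:"Network Policy Server"
$auditLine = $audit | Where-Object { $_ -match 'Network Policy Server' }
if ($auditLine -match 'Success and Failure') {
    Write-Host "[OK]   NPS auditing: $($auditLine.Trim())"
} else {
    Write-Warning 'NPS auditing is not set to Success and Failure. Fix with:'
    Write-Warning '  auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable'
}

# 2. Server 2019 workaround: the IAS service SID type must be UNRESTRICTED.
$os      = (Get-CimInstance Win32_OperatingSystem).Caption
$sidType = sc.exe qsidtype IAS
if ($sidType -match 'UNRESTRICTED') {
    Write-Host "[OK]   IAS service SID type is UNRESTRICTED ($os)"
} elseif ($os -match '2019') {
    Write-Warning 'Windows Server 2019 detected and IAS SID type is not UNRESTRICTED.'
    Write-Warning "Run 'sc.exe sidtype IAS unrestricted' and reboot, as the video describes."
} else {
    Write-Host "[INFO] IAS SID type line: $(($sidType | Select-String 'SERVICE_SID_TYPE').Line.Trim()) ($os)"
}

# 3. Troubleshooting view: most recent NPS deny (6273) and grant (6272) events.
#    Only populated once step 1 is in place; an empty result before that is expected.
$npsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
                          -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $npsEvents) {
    $verdict = if ($e.Id -eq 6273) { 'DENIED ' } else { 'GRANTED' }
    # The first "Account Name:" line is in the User section of the message body;
    # a "Reason:" line is present on deny events and explains the rejection.
    $acct = if ($e.Message -match '(?m)^\s*Account Name:\s+(\S+)') { $Matches[1] } else { '?' }
    $why  = if ($e.Message -match '(?m)^\s*Reason:\s+(.+)$')       { $Matches[1].Trim() } else { '' }
    Write-Host ("{0:u} {1} {2} {3}" -f $e.TimeCreated, $verdict, $acct, $why)
}

# 4. The failure mode the narration warns about: an AD account whose dial-in
#    property is explicitly set to Deny (msNPAllowDialin = FALSE). Harmless once
#    the network policy ignores dial-in properties, but worth knowing about.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -LDAPFilter '(msNPAllowDialin=FALSE)' -Properties msNPAllowDialin |
        ForEach-Object { Write-Host "[INFO] Dial-in explicitly denied on account: $($_.SamAccountName)" }
}
```

Step 3 is the payoff of enabling auditing: a 6273 event's Reason line tells you whether a denial came from the network policy, the connection request policy, or the account itself, which is exactly the information you lack when auditing is off.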