Managing VPN access with an Active Directory security group
Recently, a member of my team complained about not being able to VPN into our network. My first thought was "user error" even though VPNing is one of the easiest things in the world to do (I can even do it on my iPhone). Then I suggested sending a note to the help desk before I realized that we are in the business of managing things like this, I should be able to figure it out.
Knowing that AD security groups manage most everything (you can quote me on that), I immediately went to our AD self service portal to see what security group memberships I had that he didn't. And there was the answer: a security group called "Access from home." Turns out two members of my team weren't members. Since this was a semi-private group owned by our CEO of all people, each of them requested to join the group, our CEO approved the subsequent workflow and that night they were able to access the network via VPN. Success.
OK, so how do you do manage VPN access with an AD security group? I assumed it was a group policy object (GPO). But assuming would be wrong. I found the answer on our friend Technet, in the middle of a long article titled Setting Up VPN-based Remote Access in a Test Lab. Not all of it applies to my discussion here, just the part on configuring IAS1 as a RADIUS server.
Skipping lots of steps that you will have to follow to actually do this (and are contained in that link), I got right to the heart of the matter, policy configuration
Selecting the group you want this VPN policy to apply to:
And the end result of the policy, an Active Directory security group controlling what users can VPN into the network.
My team members can now VPN from home and I now know one more use for the incredible Active Directory security group.