mardi 24 avril 2012 10:30
I am having problems getting VPN connections to work for power users, details below:
- Client machines are domain computers (2003 domain funct lvl), running Win7 pro
- Users are domain users, with power user, and network configuration, local machine membership.
- UAC has been turned off (as vpn connection dont even show with it on, for admins or PU's)
- This is using the windows builtin vpn software.
- The vpn server is linux running pptp (but that part works fine)
I can configure the vpn, either as admin or as power user. Making sure to select the allow all users option. And when logged in as admin I can make a successful connection.
I have eventually got the vpn connection showing to power users (initially it would not show on the "network" task bar icon). But when clicked it gives no response.
If I go to Network and sharing centre\Change adapter settings, I can see the vpn connection (even when it was not visible on the network icon (as above)), selecting and clicking connect from there, results in the following errors:
First: Network Connections: Your user account does not have permission to use this connection. Usaully, this is because you are logged in as a guest.
error 5: Access is denied
After "ok" that message, I get:
Error Connecting: You do not have sufficient privileges for configuring connection properties. Contact your administrator.
Obviously the machine is off the domain network when I try to make the connection, but the account is a domain account. I have looked through both local and domain policies but dont see anything obvious to either allow or block this.
Any help would be appreciated, as the last thing I want to do is have to give all our vpn users admin rights.
Toutes les réponses
jeudi 26 avril 2012 02:01Modérateur
By default, members of Power User have no more user rights or permissions than a standard user account. The Power Users group in previous versions of Windows was designed to give users specific administrator rights and permissions to perform common system tasks. In this version of Windows, standard user accounts inherently have the ability to perform most common configuration tasks, such as changing time zones. For legacy applications that require the same Power User rights and permissions that were present in previous versions of Windows, administrators can apply a security template that enables the Power Users group to assume the same rights and permissions that were present in previous versions of Windows.
I suggest testing issue by using Standard User directly.
Meanwhile, if the machines are in domain environment, VPN connection may be affected by domain controller.
TechNet Community Support
mercredi 2 mai 2012 14:14
incase anyone else is looking for an answer to this. Either a GPO or as Kim indicates a security template can be used to enable this. Either one require the same setting change:
computer configuration/windows settings/security settings/system services/Remote access connection manager: set to manual and domain users added to the acl for this service with "start/stop/pause" rights.
- Marqué comme réponse Darren-L mercredi 2 mai 2012 14:14