Network Policy Server (NPS) uses network policies, formerly named remote access policies, and the dial-in properties of user accounts to determine whether a connection request should be authorized to connect to the network.

You can use this procedure to configure a new network policy in either the NPS snap-in or the Routing and Remote Access Service snap-in.

Performing authorization

When NPS performs the authorization of a connection request, it compares the request with each network policy in the ordered list of policies, starting with the first policy, and then moving down the list of configured policies. If NPS finds a policy whose conditions match the connection request, NPS uses the matching policy and the dial-in properties of the user account to perform authorization. If the dial-in properties of the user account are configured to grant access or control access through network policy and the connection request is authorized, NPS applies the settings that are configured in the network policy to the connection.

If NPS does not find a network policy that matches the connection request, the connection request is rejected unless the dial-in properties on the user account are set to grant access.

If the dial-in properties of the user account are set to deny access, the connection request is rejected by NPS.

Key settings

When you use the New Network Policy wizard to create a network policy:

  • The value that you specify in Network connection method is used to automatically configure the Policy Type condition:

    • If you keep the default value of Unspecified, the network policy that you create is evaluated by NPS for all network connection types that are using any kind of network access server (NAS).

    • If you specify a network connection method, NPS evaluates the network policy only if the connection request originates from the type of network access server that you specify.

      For example, if you specify Remote Desktop Gateway, NPS evaluates the network policy only for connection requests that originate from Remote Desktop Gateway (RD Gateway).

  • On the Access Permission page, you must select Access granted if you want the policy to allow users to connect to your network. If you want the policy to prevent users from connecting to your network, select Access denied. If you want access permission to be determined by user account dial-in properties in Active Directory® Domain Services (AD DS), you can select the Access is determined by User Dial-in properties check box.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.

To add a network policy
  1. Open the NPS console, and then double-click Policies.

  2. In the console tree, right-click Network Policies, and click New. The New Network Policy wizard opens.

  3. Use the New Network Policy wizard to create a policy.


Table Of Contents