Here’s a quick tip which may save you some time configuring Network Policies on Windows Server 2008 NPS.
It turns out you can’t have a Condition which matches both a User Group and Machine Group in Active Directory.
The fix? Add “Windows Groups” as the condition – and add both groups to that!
Simple when you know how – just wish I’d known that two days ago!
The groups have ‘or’ in the middle, so you won’t quantify both, just one…
Use a Windows group for the user authentication and a machine group for your machine account, seems to work. Adding them both to a Windows group just does one or the other.
I came across this blog post and I’m bumping into similar issues. I cannot figure out how to allow users in a VPN Users group to connect, but to deny access if they aren’t in the Domain Computers group.
I’d also like to be able to disable VPN access if the machine is a member of a group. I tried setting that up with a Windows group and a DENY policy, but the allow policy seems to let them connect anyway.
Machine group in NPS is ignored and to my knowledge does work at all.