
How Are Remote Access Policies Evaluated?

Do you want to achieve exam success? Well, if you are planning on taking exam 70-291 or 70-293, don’t be surprised when you are faced with questions about remote access policies. If you want to thoroughly prepare yourself to answer these questions, you need to spend some time understanding how remote access policies are evaluated.

The first thing you need to remember is that the elements of a remote access policy are evaluated in a specific order. The three policy elements are evaluated in the following order:

  • Conditions
  • Permissions
  • Profile

With this in mind, when a user attempts to establish a remote access connection, the Remote Access Server (RAS) first evaluates the connection attempt against the conditions of the remote access policy. If the connection attempt does not meet the conditions of the remote access policy, the connection attempt is denied. For example, if the conditions of the policy specify that the remote access user must be a member of the Sales group, this condition must be met or the connection attempt is denied. If multiple policies exist, they are evaluated in the order that they appear within the Remote Access Policies container until the conditions of a policy are met.

If the connection attempt meets the conditions, the policy evaluation process continues. The permissions of the policy and the permissions configured for the user account are evaluated. If the Dial-in permission for the user account is set to Deny access, the connection attempt is rejected (regardless of whether the policy permissions grant access). If the policy permission is set to Deny access, the connection attempt will be rejected. If the policy is used to control access, the connection attempt is granted or denied based on the permissions configured in the policy.

If the user has been granted remote access permission, the policy evaluation process continues. Next, the profile of the remote access policy is evaluated. If the settings match the connection attempt, remote access is permitted.

To try and make sense of all this, the following steps outline the entire policy evaluation process:

  1. A user attempts to establish a connection. The connection attempt is evaluated against the conditions of the remote access policy. If multiple policies exist, the first policy in the list is evaluated.
  2. If the connection attempt does not meet the conditions of the first policy, the conditions of each policy are evaluated in turn until a match is found.
  3. If the connection attempt does not match the conditions of any policy, it is rejected. If the connection attempt does match the conditions of a policy, the evaluation process continues and the permissions of this policy are evaluated.
  4. If the user’s account properties grant access, the profile settings are evaluated. If the user’s account properties deny access, the connection attempt is rejected.
  5. If access is controlled through the policy permission, access is either granted or denied based on the permission settings.
  6. If the user’s account properties grant access or if the policy permissions grant access, the profile settings of the policy and the properties of the user account are evaluated.
  7. If the connection attempt matches both the account settings and the policy profile settings, the connection attempt is granted.
  8. If the connection attempt does not match the account settings and the policy profile settings, the connection attempt is rejected.
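
The eight steps above can be modelled in a few lines. The following Python sketch is an added example, not code from the original article or from Windows; the class names, attribute keys and sample policies are assumptions made for illustration. It shows that only the first policy whose conditions match is used, so the order of the policies changes the outcome.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    name: str
    conditions: dict   # "group" checks membership; other keys compare to the attempt
    grant: bool        # policy permission: True = grant, False = deny
    profile: dict      # attribute -> set of values the profile accepts

@dataclass
class Account:
    groups: set
    dial_in: str                                   # "allow", "deny" or "policy"
    settings: dict = field(default_factory=dict)   # account-level requirements

def conditions_met(policy, account, attempt):
    return all(v in account.groups if k == "group" else attempt.get(k) == v
               for k, v in policy.conditions.items())

def evaluate(policies, account, attempt):
    # Steps 1-3: walk the ordered list; the first policy whose conditions match
    # is the only one used from here on.
    policy = next((p for p in policies if conditions_met(p, account, attempt)), None)
    if policy is None:
        return ("reject", None, "no policy conditions matched")
    # Steps 4-5: account permission first, policy permission only when delegated.
    if account.dial_in == "deny":
        return ("reject", policy.name, "account denies access")
    if account.dial_in == "policy" and not policy.grant:
        return ("reject", policy.name, "policy permission denies access")
    # Steps 6-8: the attempt must satisfy both account settings and the profile.
    if any(attempt.get(k) != v for k, v in account.settings.items()):
        return ("reject", policy.name, "account settings not met")
    if any(attempt.get(k) not in ok for k, ok in policy.profile.items()):
        return ("reject", policy.name, "profile settings not met")
    return ("grant", policy.name, "conditions, permissions and profile satisfied")

# Constructed sample data: order matters, as in the Remote Access Policies container.
POLICIES = [
    Policy("Block contractors", {"group": "Contractors"}, False, {}),
    Policy("Sales VPN", {"group": "Sales", "port_type": "VPN"}, True,
           {"auth": {"MS-CHAPv2", "EAP"}}),
]
ATTEMPT = {"port_type": "VPN", "auth": "MS-CHAPv2"}

if __name__ == "__main__":
    both = Account({"Sales", "Contractors"}, "policy")
    print(evaluate(POLICIES, both, ATTEMPT))                  # first match denies
    print(evaluate(list(reversed(POLICIES)), both, ATTEMPT))  # reordered list grants
```

When troubleshooting an unexpected rejection, check which policy matched first before looking at permissions or profile settings.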

Knowing how this entire process occurs will not only help in answering remote access-related exam questions, but it will also help you in the real world when you are troubleshooting policy-related problems. Now that you hopefully have a grasp on policy evaluation, you should be ready to create your own remote access policy, and I’ll discuss this in a later article.
