Always On VPN Deployment Guide

  • Published 29 Dec 2024

COMMENTS • 145

  • @divv8079
    @divv8079 3 years ago +18

    At 1:43:19 I say we're done. But I actually forgot to do the security filtering for the "Set Always On VPN Device Tunnel" GPO. As it is now, this GPO would apply on all domain computers. What you likely want to do is only have that GPO applied to computers that are a member of our "VPN Computers" group. This isn't something that breaks the deployment but is more a matter of housekeeping.
    The way to implement this is identical to the way we did the security filtering for the "Set Always On VPN User Tunnel" GPO, just adding "VPN Computers" instead of "VPN Users", you would also want to add "Authenticated Users" in the Delegation tab (yes, domain computers are a member of "Authenticated Users").

    • @Morfiy1
      @Morfiy1 1 year ago

      In the context of Microsoft Group Policy within the Active Directory, computer security groups are not containers. The containers for Group Policy are organizational units (OUs) and domains. Computer security groups are used to grant access rights to resources for computers, but they do not influence Group Policy deployment. Group Policy settings are configured at the OU or domain level and are applied to users and computers within those OUs or domains.

    • @Schyz
      @Schyz 11 months ago +1

      You probably want to do the same with the "Set Local Users Full Control Ras Man Config", set the scope to the "VPN Computers" groups only and add Authenticated Users to "Delegation" with "read" permissions.
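
      The security filtering described in the two comments above (scope the "Set Always On VPN Device Tunnel" and "Set Local Users Full Control Ras Man Config" GPOs to "VPN Computers", and leave Authenticated Users with Read only), done from PowerShell rather than the GPMC. This is an added example, not a script from the video: it assumes the RSAT GroupPolicy module is installed and that the GPO and group names match the ones used in the guide.

```powershell
# Added example (not from the video): apply GPO security filtering with the
# GroupPolicy module instead of clicking through the GPMC Delegation tab.
Import-Module GroupPolicy

function Set-GpoSecurityFilter {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $ApplyGroup
    )

    # 1. Stop the GPO applying to every domain member: Authenticated Users keeps
    #    Read (needed so computers and users can still read the GPO) but loses
    #    Apply. -Replace overwrites the existing level rather than adding to it.
    Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null

    # 2. Grant Apply to the intended group only ("VPN Computers" for the device
    #    tunnel and RasMan GPOs, "VPN Users" for the user tunnel GPO).
    Set-GPPermission -Name $GpoName -TargetName $ApplyGroup -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 3. Return the resulting delegation so the change can be checked against
    #    what the GPMC shows under Scope / Delegation.
    Get-GPPermission -Name $GpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

# The GPOs the comments above say should be scoped to "VPN Computers".
Set-GpoSecurityFilter -GpoName 'Set Always On VPN Device Tunnel' -ApplyGroup 'VPN Computers'
Set-GpoSecurityFilter -GpoName 'Set Local Users Full Control Ras Man Config' -ApplyGroup 'VPN Computers'
```

      After running it, a `gpresult /r` on a computer that is not in "VPN Computers" should list the GPO under "Filtering: Denied (Security)", which is the check that the filtering actually took effect.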

  • @nilleftw
    @nilleftw 2 years ago +3

    This is the only guide I've found that doesn't assume that you already know all the steps, like how many and what types of certificates you need to use, and so on. THANKS!

    • @nilleftw
      @nilleftw 2 years ago

      Oh my god, after one week of work I managed to get Always On VPN running with Fortigate as the VPN server. This guide was the first one to actually mention that you need a USER certificate too. After that, things slowly started falling into place.

    • @thaioviet8104
      @thaioviet8104 2 years ago

      @@nilleftw Hi, are you using FortiClient or the Windows built-in VPN client for Always On VPN?

    • @antwainpatrick6669
      @antwainpatrick6669 1 month ago

      Yes, and because Richard Hicks' VPN videos always leave out important information.

  • @jmtread
    @jmtread 2 years ago +1

    Thank you for the video, Divv. In your opinion, has much changed in the last 12 months in regard to the setup of this service?

    • @divv8079
      @divv8079 2 years ago

      Good question. I'm not sure since I have not gone through it in the last year. If you decide to follow my guide and you stumble upon some differences in my video compared to the official documentation, please let me know. If there are minor changes I might put a disclaimer here in the comments, if there are major changes I might have to take the guide down.

  • @superXperience
    @superXperience 11 months ago

    I watched your documentation twice.
    I even created my own notes based on your video and followed it by the book, completely double-checked.
    Result: when I manually connect from Windows 11 it returns an ugly error.
    - When I connect from another Win 2022 server it works. I have to study why Win 11 makes problems.
    Superb documentation! Wonderful!

    • @MarcinK-e1j
      @MarcinK-e1j 10 months ago +1

      I have this same problem with Win11. On Win10 it works.

  • @alanrussk
    @alanrussk 3 years ago +3

    Awesome guide, sending you good vibes from Germany 👌🏽

    • @divv8079
      @divv8079 3 years ago

      Thank you, greetings from Sweden

  • @KevinBuchanan66
    @KevinBuchanan66 3 years ago +3

    Very well done video. A bit long, but it was very much worth it because of the details you provided!! I've watched it twice and plan to use many of your tricks!

  • @redadz9105
    @redadz9105 3 years ago +9

    Can you please guide us on how to deploy those profile XMLs through Intune? Thanks a lot

  • @cazibrasga
    @cazibrasga 3 years ago +4

    Excellent and thorough guide. Just a note, for additional security, you don't need to join the RAS server to the domain since only certificates are used for authentication.

    • @divv8079
      @divv8079 3 years ago

      True

    • @thaioviet8104
      @thaioviet8104 3 years ago

      And Web Enrollment with a CSR to request the RAS cert?

    • @MrMaster2k
      @MrMaster2k 2 years ago +1

      @@thaioviet8104 Web Enrollment isn't used as much anymore since Windows Server 2003. You can still install and use it, however it mainly relies on Internet Explorer to function correctly, which will be End of Life on June 15, 2022. *This is just my opinion* There really isn't any use in running Web Enrollment anymore, as you can accomplish the same task by adding the Certificate Service snap-in to MMC.

    • @thaioviet8104
      @thaioviet8104 2 years ago

      @@MrMaster2k Thanks, job done.

  • @tomkruczek7681
    @tomkruczek7681 7 months ago

    Great Guide, many thanks from Denmark

  • @hasan135
    @hasan135 3 years ago

    Thanks for sharing. This is the tutorial I have been searching for for a long time.

  • @MrMaster2k
    @MrMaster2k 2 years ago

    Thanks for creating this video - It definitely will be VERY useful for myself shortly!

  • @bharatarora7769
    @bharatarora7769 1 year ago

    Nicely created content!! Easily understood. Thanks

  • @goldminer5761
    @goldminer5761 3 months ago

    Superb! I wish all Microsoft Learn articles were pieced together like this video! I hate reading all that MS Learn techno-garbage, but this video puts it all together... Brilliant! More please!! 😉😁👍👍👍

  • @bigbassjonz
    @bigbassjonz 3 years ago +1

    Great job with this guide!

  • @JustSomeGuy009
    @JustSomeGuy009 1 year ago +6

    This is just stupidly complex with config settings when Microsoft should easily make this automated.

  • @peterthayne3687
    @peterthayne3687 3 years ago +1

    Hi, I was nearly there, a working user tunnel. Made it to 1:33:25, configure and deploy Device Tunnel. I completed the Device tunnel config, which worked fine. Except now the user tunnel won't connect????? Carefully checked the XML file, any ideas?

    • @Morfiy1
      @Morfiy1 1 year ago

      I have the same problem. The device tunnel connects automatically, but when a user logs in, the user tunnel does not automatically connect.

    • @Morfiy1
      @Morfiy1 1 year ago

      I made a separate rule in the GPO on User Logon (ConnectedAlwaysOnVPN.ps1) and, for exiting from sleep, a separate Task Scheduler job for the exit-from-sleep event (System, Microsoft-Windows-Power-Troubleshooter, event 1).

  • @binodgupta1748
    @binodgupta1748 1 year ago

    Hi Divv, crystal-clear explanation. I loved it. Thanks for sharing.

  • @practi-herramientasdesoftw3208
    @practi-herramientasdesoftw3208 2 years ago

    Master, extraordinary video!

  • @Mark-dk9zd
    @Mark-dk9zd 1 year ago

    Any ideas where I can get the make profile script at 1:10:42 ? Thanks

  • @littlezeta
    @littlezeta 2 years ago

    Hey Divv, thanks for this video, you are awesome.

  • @MotzBaum
    @MotzBaum 8 months ago

    Thanks for this video. That helped a lot!

  • @devraj_thezeus
    @devraj_thezeus 3 years ago +1

    This is really awesome

  • @EdHotin
    @EdHotin 8 months ago

    Hi, is it possible to deploy Always On VPN in Windows Server 2016 Essentials? If so, how would I go about doing that? Thanks in advance.

  • @cmonspike
    @cmonspike 3 years ago

    Great video, thanks for this.

  • @spyroskarakos3407
    @spyroskarakos3407 3 years ago

    Thanks a lot for your helpful video. Excellent job.

  • @flaitube
    @flaitube 2 years ago

    Thanks a lot for this video, it's very useful and detailed.

  • @jetye6560
    @jetye6560 3 years ago +1

    It is better to run "gpupdate /force" after changing GPO, or you will find the rasphone.pbk could not be copied as expected.

  • @yurydavidov1930
    @yurydavidov1930 3 years ago

    Great tutorial! Thank you

  • @iansalgado8710
    @iansalgado8710 3 years ago

    Could you please post a link to the scripts mentioned at 1:24:00? Cheers

    • @divv8079
      @divv8079 3 years ago +2

      Sorry, I don't have it. It's just a small snippet, you would have to rewrite it ;) If you're worried about syntax errors I can recommend VSCode with the PowerShell extension. It will give you syntax highlighting and IntelliSense.

  • @davidsutter3584
    @davidsutter3584 2 years ago

    very helpful video, thank you

  • @thedr00
    @thedr00 3 years ago +1

    This is a very well made video. Thank you for sharing it.
    I can understand doing this for testing purposes, but the amount of kit and licences required seems very backwards. As an idea for 2016, it's fine of course, but modern solutions, especially in advances like zero-trust tools, make this approach seem very antiquated.
    Now that you have set this up, is it a configuration you would recommend to clients? Or would you suggest they look at other approaches and tools?

    • @divv8079
      @divv8079 3 years ago

      Thank you. I'm not sure what you mean by zero-trust, that seems to be more about authorization? Always On VPN is a solution to access the corporate network from any external network with internet connection. But I will read more about this zero-trust thing.
      This is just a basic deployment. In a production setup there would be differences. As an example, you would not want to have a CA on a domain controller. There are probably tons of more, but as I said, this is just a slim basic deployment, so that you can play around with the technology.

    • @thedr00
      @thedr00 3 years ago

      @@divv8079 Thanks for the response. Zero Trust is a framework that swaps the connect first then authenticate model of VPNs, you deny access to everything except the resources specifically approved for that user (usually via an AD group membership).
      So it provides remote access AND authentication AND Network Segmentation AND MFA and least privilege all in 1 approach. Plus, you don't need to buy more licences from Microsoft.
      It's not a new concept I might add, but vendors are now making tools to specifically enable a zero trust approach.
      Needless to say, I'm a big fan.
      But sorry to hijack your thread. I very much liked the video and learned about something I previously knew very little about. Thank you.

    • @heavy1metal
      @heavy1metal 3 years ago +2

      @@divv8079 Long story short, SSL VPNs + authorization, will give you zero trust. Your setup is using certificate based authentication which will happen before the tunnel is established, and you have NPS which can handle authorization - so what's missing is just resource assignment which is done at NPS + AD Security groups + routing (assign users to different VLANs based on certain criteria). You just create more policies yadda yadda. So "thedr00" just didn't quite grasp the tools you're using, can accomplish zero trust quite easily. In a cisco environment, they would just use ISE. Microsoft, you just use NPS / RADIUS.

    • @thaioviet8104
      @thaioviet8104 2 years ago

      @@heavy1metal Hi sir, assign a VLAN for the VPN client?

  • @altben
    @altben 3 years ago +1

    Tried to configure the device tunnel without the need for an XML file, only with PowerShell's "Add-VpnConnection", "Set-VpnConnection" and "Add-VpnConnectionRoute" cmdlets. All with variables; everything worked but failed because you can't easily disable the default class-based routing option via PowerShell. Have to completely redo my script to generate XML just because of that. Thanks for the video!
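
    For the situation described in the comment above (the VPN cmdlets cannot switch off class-based default routes, so the profile has to be delivered as ProfileXML), here is an added example that is not the script from the video: it builds a device-tunnel ProfileXML with DisableClassBasedDefaultRoute set and pushes it through the MDM bridge (namespace root\cimv2\mdm\dmmap, class MDM_VPNv2_01), which is the route Microsoft documents for applying ProfileXML from PowerShell. The server name, DNS suffix and routes are placeholders; element names follow the VPNv2 CSP schema.

```powershell
# Added example (not the guide's make-profile script): device-tunnel ProfileXML
# with class-based default routes disabled, applied via the MDM bridge (WMI).
# Device tunnels are machine-scoped, so run this as SYSTEM (startup script or
# psexec -s) on the client.

$ProfileName  = 'AlwaysOnVPN Device Tunnel'
$VpnServer    = 'vpn.example.com'     # placeholder: public name on the RAS cert
$DnsSuffix    = 'divv.local'          # placeholder: internal DNS suffix
$InternalNets = @('10.10.0.0/16')     # placeholders: only these go into the tunnel

function New-DeviceTunnelProfileXml {
    param([string] $Server, [string] $Suffix, [string[]] $Routes)

    # One <Route> element per internal network; nothing else is tunnelled.
    $routeXml = foreach ($r in $Routes) {
        $addr, $prefix = $r.Split('/')
        "  <Route><Address>$addr</Address><PrefixSize>$prefix</PrefixSize></Route>"
    }
    @"
<VPNProfile>
  <NativeProfile>
    <Servers>$Server</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- The setting the cmdlets cannot express: no automatic class-based route -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
$($routeXml -join "`n")
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <RegisterDNS>true</RegisterDNS>
  <TrustedNetworkDetection>$Suffix</TrustedNetworkDetection>
</VPNProfile>
"@
}

function Install-VpnProfileXml {
    param([string] $Name, [string] $ProfileXml)

    # Validate before touching the system: malformed XML throws here, and the
    # one setting this whole exercise is about is checked explicitly.
    [xml] $parsed = $ProfileXml
    if ($parsed.VPNProfile.NativeProfile.DisableClassBasedDefaultRoute -ne 'true') {
        throw 'Profile does not disable class-based default routes'
    }

    $ns  = 'root\cimv2\mdm\dmmap'
    $cls = 'MDM_VPNv2_01'
    # The CSP expects the profile name URL-encoded and the XML escaped as a string.
    $nameEsc = [uri]::EscapeDataString($Name)
    $xmlEsc  = $ProfileXml.Replace('<', '&lt;').Replace('>', '&gt;').Replace('"', '&quot;')

    # Remove a stale copy of the same profile so the new instance is not rejected.
    Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
        Where-Object InstanceID -eq $nameEsc | Remove-CimInstance

    $inst = New-Object Microsoft.Management.Infrastructure.CimInstance $cls, $ns
    foreach ($p in @(
            @{ n = 'ParentID';   v = './Vendor/MSFT/VPNv2'; f = 'Key' },
            @{ n = 'InstanceID'; v = $nameEsc;              f = 'Key' },
            @{ n = 'ProfileXML'; v = $xmlEsc;               f = 'Property' })) {
        $inst.CimInstanceProperties.Add(
            [Microsoft.Management.Infrastructure.CimProperty]::Create($p.n, $p.v, 'String', $p.f))
    }
    $session = New-CimSession
    $session.CreateInstance($ns, $inst) | Out-Null
}

$xml = New-DeviceTunnelProfileXml -Server $VpnServer -Suffix $DnsSuffix -Routes $InternalNets
Install-VpnProfileXml -Name $ProfileName -ProfileXml $xml
```

    After it runs, `Get-VpnConnection -AllUserConnection` should list the profile, and `route print` on a connected client should show only the explicit routes and no class-based route for the tunnel's assigned address.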

  • @patrick5591
    @patrick5591 3 years ago +1

    Hello Divv, thank you for your detailed documentation. This helped me a lot. Have you already tested your configuration with Windows 11? So far I haven't got it working. Maybe also a bug like with Server 2019 RAS (SC.exe IAS ...)?
    Kind regards, Patrick

  • @fernandocrespo4661
    @fernandocrespo4661 1 year ago

    Well done, I'll give it a try. To best visualize the VMs you could have expanded the VM windows a bit more 😉

  • @urilgal
    @urilgal 2 years ago

    I seem to be having an issue that is not addressed here. My user certificate is not deployed to the computers. I've double-checked the video and I have the same configuration.

  • @lagmoore5550
    @lagmoore5550 3 years ago +1

    Great guide, however I do have one question: the DC, RAS and NPS server cannot resolve DNS queries, because the DNS server on the DC is not set up for that in this guide. Is this on purpose?

    • @thaioviet8104
      @thaioviet8104 2 years ago

      Just have your DNS server connected to the internet; it resolves DNS queries with the root hints DNS servers.

  • @DanVisan-he6hk
    @DanVisan-he6hk 3 months ago

    Minute 44:09: if you choose the Accounting Provider as RADIUS Accounting, I think you have to do the Configure (NPS.divv.local server) as well.

  • @ShangGuanFeiHong
    @ShangGuanFeiHong 9 months ago

    How to deploy Always On VPN for newly installed remote computers?
    Not joined to the domain yet, no certificate yet.
    Set up another VPN server, log in with username and password, join the domain, and then use the startup script to set up User Tunnel and Device Tunnel.

  • @viral_S07
    @viral_S07 2 days ago

    I have followed your video and everything is working fine, but I want your help to configure this VPN client on Mac OS. Is it possible? Can you please guide me on this?

  • @justinmenge4195
    @justinmenge4195 3 years ago

    Great Job, thanks a lot!

  • @massparaacademy
    @massparaacademy 2 years ago

    Thanks for making this video. What do you do when you don't get the certificate?

  • @miketarbox1190
    @miketarbox1190 8 months ago

    Wow! Has anything changed dramatically with Server 2022? One question though: can I install all of the server roles on the same server?

  • @fiddley
    @fiddley 3 years ago +1

    I know this is a lab but in a production environment there’s a security risk installing DHCP on a DC and you are gonna have some pain if you put the CA on the DC. Otherwise, great vid! Helped me a load thanks!

    • @MR-vj8dn
      @MR-vj8dn 2 years ago +1

      Hi. Would you care to elaborate on the security risk of placing DHCP and DNS on the domain controller?

    • @fiddley
      @fiddley 2 years ago

      @@MR-vj8dn It's to do with the account that DHCP uses to do its stuff. It's hugely overprivileged for a domain controller, which is a Tier 0 server. Any vulnerability in the DHCP service means your enterprise gets completely owned. Search "Disable or remove the DHCP Server service installed on any domain controllers" and the top hit should be Microsoft page with a video explainer.

    • @MR-vj8dn
      @MR-vj8dn 2 years ago

      @@fiddley I get it. I’ll read up on it. Thanks for the heads-up.
      Also, my mistake to include DNS in my question above. Surely AD needs DNS to live locally on the DC?

    • @thaioviet8104
      @thaioviet8104 2 years ago

      @@MR-vj8dn Not sure, Domain Services and DNS may be set up on two servers. However, that's really complicated...

  • @weiwang2874
    @weiwang2874 2 years ago

    Hello Divv, great guide first of all. I got pretty much everything working. It's just that with the same VPN profile, PEAP - Authentication - certificate, smart card - Certificate authentication, I'm getting event ID 6273 with reason code 16 in regards to a credential error. Not sure what the issue is here. If I change authentication to certificate only (as I also have a computer authentication cert in my certlm) it's able to connect straight away.

  • @GamersHive1
    @GamersHive1 3 years ago

    Hi Divv, fantastic guide. Would you mind explaining a little more about your DMZ setup? On your ISP router do you put the 10.x address as the IP address for the DMZ, or a static 192.x IP assigned to the internal router on its WAN port? Thanks.

    • @divv8079
      @divv8079 3 years ago +1

      Hi Tim. When I activate DMZ on a physical port (port 4 in my case) on my ISP router, whatever I then connect to that port will receive a new public IP from my ISP. I chose to connect a new router (the internal router) to port 4, which DMZ is activated on. My internal router thus has a public IP on its WAN, and it's on my internal router that I set up the 10.x network. If your ISP is not providing you the option of DMZ, you will have to have your whole setup on the same network I believe, 192.x.

    • @GamersHive1
      @GamersHive1 3 years ago

      @@divv8079 Hi Divv, thanks for your reply. I was able to get it working and set up a device and user tunnel in my homelab. Definitely learned a lot through the process.

  • @lucianoargutti
    @lucianoargutti 3 years ago

    Hi, I generated the SetOnVpnAutoTrigger scripts but Always On is always connected, it does not detect the DNS suffix, do you know why? Thank you!

  • @hectoriturrieta6144
    @hectoriturrieta6144 2 years ago +1

    Excellent video, thank you very much. Any way to get the scripts?

  • @slavapupkin3975
    @slavapupkin3975 3 years ago

    Hi everyone! I'm not really good at Win administration. Can someone explain one thing: I've done all the steps that were shown in the video and my Win10 takes a cert for the user. However, when I move the virtual machine into another network, Windows deletes this cert, and also if I move Win10 back into the home network it doesn't enroll the cert. Why can this happen and what do I need to look at?

  • @anthonyjones5981
    @anthonyjones5981 2 years ago

    I've followed this guide to the letter up to the setting up of the template. Whilst testing this I get a successful connection but no internet access. Both VPN connection and wifi connection show no internet. I can't get past this. Any thoughts? Love the video btw!

  • @matambanadzo123
    @matambanadzo123 2 years ago +3

    Would have been nice if you had posted the scripts in the description. Here is the Full Control one from 1:24:00... otherwise fantastic AOVPN setup video!
    # Give the local Users group Full Control on the RasMan\Config key (creating it if missing)
    $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config"
    if (!(Test-Path -Path $Path))
    {
        New-Item -Path $Path
    }
    $IdRef = [System.Security.Principal.NTAccount](".\Users")
    $RegRights = [System.Security.AccessControl.RegistryRights]::FullControl
    $InhFlags = [System.Security.AccessControl.InheritanceFlags]::None
    $PrFlags = [System.Security.AccessControl.PropagationFlags]::None
    $AcType = [System.Security.AccessControl.AccessControlType]::Allow
    $Rule = New-Object System.Security.AccessControl.RegistryAccessRule ($IdRef, $RegRights, $InhFlags, $PrFlags, $AcType)
    $Acl = Get-Acl $Path
    $Acl.SetAccessRule($Rule)
    $Acl | Set-Acl -Path $Path
    And the AutoTrigger one from 1:24:58......
    # Register the AlwaysOnVPN profile as the auto-trigger profile for the current user
    $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config"
    if (Test-Path -Path $Path)
    {
        $AppendedDnsSuffixSearchList = "domain-name"
        $AutoTriggerProfileEntryName = "AlwaysOnVPN"
        # Path to the user's phonebook file (rasphone.pbk) that holds the profile
        $AutoTriggerProfilePhonebookPath = "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"
        $UserSID = ([System.Security.Principal.WindowsIdentity]::GetCurrent()).User.Value
        New-ItemProperty -Path $Path -Name "AppendedDnsSuffixSearchList" -Value $AppendedDnsSuffixSearchList -Force
        # Created empty: no profile is excluded from auto-triggering
        New-ItemProperty -Path $Path -Name "AutoTriggerDisabledProfilesList" -Force -PropertyType MultiString
        New-ItemProperty -Path $Path -Name "AutoTriggerProfileEntryName" -Value $AutoTriggerProfileEntryName -Force
        New-ItemProperty -Path $Path -Name "AutoTriggerProfilePhonebookPath" -Value $AutoTriggerProfilePhonebookPath -Force
        New-ItemProperty -Path $Path -Name "UserSID" -Value $UserSID -Force
    }

    • @thaioviet8104
      @thaioviet8104 2 years ago

      Thanks, sir.

    • @Schyz
      @Schyz 11 months ago +1

      Thank you, you saved me a lot of typing. The other piece of code missing, to copy the PBK:
      # Only copy when the domain controller answers, i.e. when on the corporate network
      If (Test-Connection -ComputerName DOMAIN-CONTROLLER -Quiet -Count 1) {
          Copy-Item "\\DOMAIN\SysVol\TANUKI.local\Policies\{GUID}\User\Scripts\Logon\rasphone.pbk" -Destination "C:\Users\$env:USERNAME\AppData\Roaming\Microsoft\Network\Connections\Pbk"
      }

    • @claudiomalaquias2289
      @claudiomalaquias2289 3 months ago

      The Full Control script didn't work for me. It doesn't add the permissions for local users. How do I fix this? How can I test or debug the issue?
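
      One way to answer the "how can I test or debug" question above, as an added example that is not code from the video or from the commenters: read the key's ACL back and check for the exact rule the Full Control script is meant to add. It assumes the script targets BUILTIN\Users (which is what ".\Users" resolves to); listing every rule also makes visible anything beyond the intended grant, since this key now accepts writes from every local user.

```powershell
# Added example (not from the thread): verify the RasMan\Config ACL that the
# Full Control script is supposed to set, and print all rules for review.
function Test-RasManConfigAcl {
    param([string] $Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Config')

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "$Path does not exist: the startup script has not created it yet"
        return $false
    }

    $acl = Get-Acl -Path $Path
    # explicit + inherited rules, identities rendered as DOMAIN\name
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($r in $rules) {
        Write-Host ('{0,-30} {1,-5} {2,-40} inherited={3}' -f `
            $r.IdentityReference, $r.AccessControlType, $r.RegistryRights, $r.IsInherited)
    }

    $full = [System.Security.AccessControl.RegistryRights]::FullControl
    # The script adds an explicit (non-inherited) Allow / FullControl rule for BUILTIN\Users.
    $match = $rules | Where-Object {
        $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        (($_.RegistryRights -band $full) -eq $full)
    }
    return [bool] $match
}

if (Test-RasManConfigAcl) {
    'OK: BUILTIN\Users has explicit Full Control on RasMan\Config'
} else {
    # Usual causes: the script ran without elevation (Set-Acl on HKLM needs admin
    # or SYSTEM), or the GPO never applied; gpresult /r and the GroupPolicy
    # operational event log show which.
    'MISSING: rule not present; check gpresult /r and run the script as SYSTEM or elevated'
}
```

      Running this in the user's session after `gpupdate /force` and a fresh logon separates "the GPO did not apply" from "the script ran but could not write the ACL", which are the two failure modes that look identical from the VPN client's side.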

  • @darknight_astro
    @darknight_astro 2 years ago

    One question: can we prevent the users from disconnecting the VPN or deleting the connection? BTW, fantastic video. Looking to propose this to multiple clients now that so much of the world is moving to remote work/workforce...

  • @x3meos
    @x3meos 3 years ago

    Hello :) Thanks for your great video! Maybe you can explain something to me:
    Why are you using a device and a user tunnel? In this test it is the same connection. Just for showing the tunnel in the list in the Windows UI? Is it no problem to use both connections at the same time? Maybe it would be great to have the device tunnel for DC connect only, and the client tunnel for SMB and this whole user stuff. You think this is possible? I think it's only possible with a second RAS server for an additional connection.

  • @miltonobonyo2357
    @miltonobonyo2357 3 years ago

    Is it possible to get a link to the scripts you have used in the automation of the tunnels?

  • @rahultaneja3748
    @rahultaneja3748 2 years ago

    @divu Thank you for the excellent video! I have a similar deployment and the VPN connects fine, but I can't access the internal resources: ping and RDP won't work, but nslookup works fine. Any thoughts?

  • @OldFellaDave
    @OldFellaDave 2 years ago +1

    It's a real pain that they replaced DirectAccess, which does all this already and is far, far, far easier to set up and deploy, with this convoluted mess :(

  • @selection989
    @selection989 10 months ago

    Hi Divv, is it possible to set up VPN for an iOS device using the infrastructure you have deployed, concurrently with the Always On VPN for Windows devices?

  • @makst5287
    @makst5287 2 years ago

    How to connect Mac OS devices to this VPN?

  • @MattPierce
    @MattPierce 3 years ago +1

    Very well done Video. I learn best by watching someone do it, and then mimic it several times to imprint it in my memory. So thanks.
    The one issue I have right now is the part where I need to verify the user certificate on the Windows 10 Computer. I don't have a physical computer like your Lenovo to use, so I just created another Hyper-V VM with Windows 10 Enterprise. GPRESULT -r shows that it's getting the policies. But when I go into certmgr, and look under Personal, I do not see the Certificates folder, hence I do not see the user certificate. I went back through the whole video, and I cannot see where I went wrong. Everything I did matches exactly what you did except for this being a VM instead of a physical PC. It joined to the domain fine, no issues there and like I said, it's getting the group policies. Any help you can provide would be much appreciated. Howdy from Texas, USA!

    • @LescherYT
      @LescherYT 3 years ago +1

      Could it be that you don't have the "Software Key Provider" selected in your cert template? In this case issuing a certificate to a VM would fail because you don't have a TPM 2.0 module. To check for this, try to manually request the certificate by right-clicking on your "Personal" folder in certmgr.

    • @MattPierce
      @MattPierce 3 years ago

      @@LescherYT I actually missed one of the steps for adding user/computer to the group that was created. Once I did that, I saw the certificate. Now my only issue is connecting to the VPN. Not working right now. Need to T/S further, and then maybe post here if I can't figure it out. Thanks for the reply.

  • @spawn00spawn
    @spawn00spawn 2 years ago

    Hi! Thanks a lot for this guide! Can you share ps scripts, please?

  • @sinancoskuns
    @sinancoskuns 6 months ago

    Good job

  • @TammamWardi
    @TammamWardi 2 years ago

    Great explanation, can you please create an SSTP VPN video?

  • @yumstreetfood7674
    @yumstreetfood7674 1 year ago

    Can you create a video for Intune always on VPN

  • @tarekhalloun9969
    @tarekhalloun9969 2 years ago

    What if I don't have an external domain name?

  • @paulorijo5990
    @paulorijo5990 3 years ago

    Hello,
    Thanks for your video. It's perfect. Can you send the script you made, so the log doesn't show the errors?
    Thanks

  • @miltonobonyo2357
    @miltonobonyo2357 3 years ago +1

    Is it possible to use one server to host all these functionalities, i.e. DC, RAS and RPS?

    • @thaioviet8104
      @thaioviet8104 2 years ago

      Why not? In that lab...

    • @astro8062
      @astro8062 8 months ago

      Did you try this at all? I am currently trying to figure how to do this on an existing vpn.

  • @boukeeisma9995
    @boukeeisma9995 2 years ago

    I am trying this in a test infrastructure but I am stuck at connecting with the VPN Template.
    I am getting the error: "The network connection between your computer and the VPN server could not be established because the remote server is not responding". It has the error code 809.
    I have checked the UDP ports 500 and 4500 on the firewall, I have checked the certificates. I have pinged every device in the network and I am quite desperate now.
    I have almost done everything you can find on the internet but nothing has helped so far.
    Do you know a solution maybe?

    • @boukeeisma9995
      @boukeeisma9995 2 years ago

      UPDATE:
      I found out that I used a domain name which was already used at my company.
      So I started over again with a different domain name and got into another problem.
      This time I get the error Divv is getting as well. But after trying several solutions found on the internet, I still can't connect with the template.
      I have checked all authentication methods and everything is the same on the client as on the servers.
      I don't know what to do anymore. PLS help.

  • @azarchehr
    @azarchehr 9 months ago

    Hi and thanks a lot for the detailed guide. Is there any way to remove the user from the local Administrators group after finishing the process?

    • @ShangGuanFeiHong
      @ShangGuanFeiHong 9 months ago

      startup script:
      strComputer = "."
      ' Reset and enable the built-in Administrator account
      Set objUser = GetObject("WinNT://" & strComputer & "/Administrator,user")
      objUser.SetPassword "123456789"
      objUser.SetInfo
      ' Group to strip the other local users from; the original post never defined objGroup,
      ' so the local Administrators group is assumed here
      Set objGroup = GetObject("WinNT://" & strComputer & "/Administrators,group")
      Set objDomain = GetObject("WinNT://" & strComputer)
      objDomain.Filter = Array("User")
      ' Remove on a user that is not a member raises an error; keep the loop going
      On Error Resume Next
      For Each objUser in objDomain
          strUser = objUser.Name
          If strUser = "Administrator" Then
              objUser.AccountDisabled = False
              objUser.SetInfo
          Else
              objGroup.Remove(objUser.AdsPath)
          End If
      Next
      This script is more dangerous and needs to reveal the administrator password. Try to encapsulate the bat into an exe and use the script to execute the exe.

  • @nat4744
    @nat4744 3 years ago

    Can you please explain why choose WS 2012 R2 and Windows 8.1/Windows Server 2012 R2?

    • @divv8079
      @divv8079 3 years ago +1

      I used Windows Server 2019 and Windows 10 Enterprise in this guide.

  • @Stan-rs1ne
    @Stan-rs1ne 2 years ago

    Hi, so I have followed this tutorial 3 times, and I still have the same issue. I have the same network setup as you, but I have a strange issue when connecting to the template from an external, or even internal network. Whenever I attempt to connect it gives an error: “The network connection between your computer and the remote server can not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your service provider to determine which device may be causing the problem.” I have port forwarded and everything, and google didn’t help much. If anyone knows what the issue is please let me know. Thanks!

    • @boukeeisma9995
      @boukeeisma9995 2 years ago

      I've got the same issue and I haven't got a solution yet. Quite desperate to find one though.

    • @Stan-rs1ne
      @Stan-rs1ne 2 years ago +1

      @@boukeeisma9995 I'm going to contact Microsoft business support and see if they can figure it out, I'll let you know if I find anything. Also, maybe it's the internet service provider? Are you using Comcast?

    • @Stan-rs1ne
      @Stan-rs1ne 2 years ago +1

      @@boukeeisma9995 I found a solution and have fully set it up. Port forward ports 500 through 4500, instead of just ports 500 and 4500. Hope this helps!

    • @Stan-rs1ne
      @Stan-rs1ne 2 years ago

      @@TheMihi88 yeah

  • @beszan3271
    @beszan3271 3 years ago

    Very well documented.

  • @TheLashely
    @TheLashely 3 years ago

    How to install Windows Server 2019 Active Directory on a VPS, and how to join a local computer to that Active Directory server?

  • @MarcinK-e1j
    @MarcinK-e1j 10 months ago

    have this same problem with win11. Windows 10 can connect without any problems.

  • @henryenriquez6496
    @henryenriquez6496 1 year ago

    Will this work with Windows 10 Pro, or does this setup require Enterprise?

    • @Morfiy1
      @Morfiy1 1 year ago

      "Device Tunnel" works only on the Enterprise edition.

  • @BusinessHugs
    @BusinessHugs 1 year ago

    I was getting the same error in the video: Connection prevented because of a policy on your RAS/VPN server.
    Checking the Event Viewer on the NPS server helped get more detail.
    In my case the error was: The revocation function was unable to check revocation because the revocation server was offline.
    This was because my offline root CA CRL was out of date. Publishing a new offline CRL did the trick.
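
    The revocation failure described in the comment above can be reproduced from PowerShell before users see the RAS policy error. The following is an added example, not code from the video: it builds the chain for a certificate with online revocation checking for every link, the same kind of check NPS performs on the client certificate, and reports whether the failure is specifically that a CRL could not be fetched or was out of date. The thumbprint is a placeholder; point it at the RAS server certificate or at an issued user or device certificate.

```powershell
# Added example (not from the video): chain + revocation check for one certificate,
# flagging the "revocation server was offline" condition separately.
using namespace System.Security.Cryptography.X509Certificates

function Test-CertRevocationChain {
    param([Parameter(Mandatory)] [X509Certificate2] $Certificate)

    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online      # fetch CRL/OCSP
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::EntireChain # root's CRL too
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $valid = $chain.Build($Certificate)

    # Every problem on the chain, e.g. "RevocationStatusUnknown: The revocation
    # function was unable to check revocation because the revocation server was offline."
    $problems = foreach ($s in $chain.ChainStatus) {
        '{0}: {1}' -f $s.Status, $s.StatusInformation.Trim()
    }
    # These two flags are what an unreachable or expired CRL produces.
    $crlProblem = [bool] ($chain.ChainStatus |
        Where-Object Status -in 'RevocationStatusUnknown', 'OfflineRevocation')

    # Show which issuer each link came from, so the offending CA is obvious.
    $links = foreach ($e in $chain.ChainElements) {
        '{0} (expires {1:yyyy-MM-dd})' -f $e.Certificate.Subject, $e.Certificate.NotAfter
    }
    $chain.Dispose()

    [pscustomobject] @{
        Subject            = $Certificate.Subject
        ChainValid         = $valid
        RevocationProblem  = $crlProblem
        Problems           = $problems
        Chain              = $links
    }
}

# Placeholder thumbprint: replace with the certificate you want NPS/RAS to accept.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object Thumbprint -eq 'PLACEHOLDER_THUMBPRINT'
Test-CertRevocationChain -Certificate $cert | Format-List
```

    When RevocationProblem is true, the next thing to look at is the CRL itself: `certutil -verify -urlfetch <cert.cer>` lists each CDP/AIA URL it fetched and the CRL's NextUpdate, which is where an offline root CA's stale CRL shows up. Publishing a fresh CRL from the offline root (and copying it to the CDP location) is the fix the comment describes.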

  • @ShangGuanFeiHong
    @ShangGuanFeiHong 9 months ago

    1:08:** The problem does not occur in Windows 2022.

  • @prabu101
    @prabu101 2 years ago

    Thank you

  • @felipeoimperador
    @felipeoimperador 7 months ago

    Thank you

  • @ஷாhul
    @ஷாhul 1 year ago

    Getting an error while connecting the VPN. Error: IKE credentials are unacceptable.

  • @hectorlarks6922
    @hectorlarks6922 2 years ago +1

    You basically have to break security to enable this.

  • @MaghrebProductions
    @MaghrebProductions 3 years ago +2

    Too many configurations to do while I could just issue a one liner on Linux to configure an IKEv2 server with certificate-based authentication.

    • @Lewisdjos
      @Lewisdjos 3 years ago

      Please, can you share....

    • @KevinBuchanan66
      @KevinBuchanan66 3 years ago

      Agree with comment - show us how you do this.

    • @thaioviet8104
      @thaioviet8104 2 years ago

      You're right, too many steps, but that's an excellent guide for Windows admins.

  • @dragostiflea
    @dragostiflea 3 years ago

    🤦‍♂️

  • @SEGArianer
    @SEGArianer 3 years ago

    Great Video, Thanks.

  • @tarekhalloun9969
    @tarekhalloun9969 2 years ago

    Can you have NPS and RAS on the same server?