We have all been in the position of starting a new job at an existing organization where security was somewhat lax. Inevitably, during the process of locking the network down, you have to deal with the VPN / dial-up access problem.
The first step is to determine who already has access. This is fairly easy to accomplish using LDAP filters.
- (&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))
This filter will show you all of the user accounts that have Allow Access selected for Remote Access on the Dial-in tab of the Active Directory Users and Computers (ADUC) MMC snap-in.
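One way to turn that filter into a review list, as an added example that is not part of the original post. It goes slightly beyond the filter by flagging disabled or stale accounts and by counting accounts whose `msNPAllowDialin` is unset (those are governed by NPS network policy and are not returned by the filter). It assumes the RSAT ActiveDirectory module and read access to the domain; the function name `Get-DialinReview`, the 90-day threshold and the output file name are illustrative choices.

```powershell
# Added example: audit accounts that hold explicit dial-in / VPN permission.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Filter taken from the post: users with "Allow access" on the Dial-in tab.
$allowFilter = '(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))'
# Attribute not set = "Control access through NPS Network Policy"; the filter above misses these.
$policyFilter = '(&(objectCategory=person)(objectClass=user)(!(msNPAllowDialin=*)))'

function Get-DialinReview {
    # Hypothetical helper: turns user objects into review rows.
    param(
        [Parameter(ValueFromPipeline)] $User,
        [int] $StaleAfterDays = 90   # assumed threshold, adjust to local policy
    )
    begin { $cutoff = (Get-Date).ToUniversalTime().AddDays(-$StaleAfterDays) }
    process {
        # lastLogonTimestamp is a FILETIME integer; it is empty if the account never logged on.
        $lastLogon = if ($User.lastLogonTimestamp) {
            [DateTime]::FromFileTimeUtc($User.lastLogonTimestamp)
        } else { $null }
        [pscustomobject]@{
            SamAccountName    = $User.SamAccountName
            Enabled           = $User.Enabled
            LastLogonUtc      = $lastLogon
            # Review first: disabled, never logged on, or not seen since the cutoff.
            Review            = (-not $User.Enabled) -or (-not $lastLogon) -or ($lastLogon -lt $cutoff)
            DistinguishedName = $User.DistinguishedName
        }
    }
}

$report = Get-ADUser -LDAPFilter $allowFilter -Properties lastLogonTimestamp | Get-DialinReview

# Accounts needing review sort to the top of the CSV.
$report | Sort-Object Review -Descending |
    Export-Csv -Path .\dialin-allowed.csv -NoTypeInformation

# Summary: how many explicit grants need review, and how many accounts defer to NPS policy.
$policyCount = @(Get-ADUser -LDAPFilter $policyFilter).Count
$report | Group-Object Review | Select-Object @{n='NeedsReview';e={$_.Name}}, Count
"Accounts controlled by NPS network policy (not in the list above): $policyCount"
```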