When using Routing and Remote Access remember that in a Domain setting all users have their dial-in properties set to "Control through Remote Access Policy".
Also remember that if No Policies exist (as in someone deleted the two default policies)there is still an implicit Deny. If none of the policies match when a user is trying to dial-in then they are denied. Additionally, if you don't delete the default policies, and create a third (and beyond) custom policy to place it above the default ones, as the policies are applied in order, from top to bottom.When a match is made to a policy the Routing and Remote Access Server stops processing policies.
Before a remote access server checks if a user has been granted dial-in access, the server checks if the user's connection to the server matches at least one of the remote access policies defined on the server. If there is no remote access policy, a remote access connection cannot be established.