In active directory, The new users who can not VPN in, are set up identically to to the old users who can VPN in. They are set for Dial-in access, and have the same group memberships.