tkrajcar

ADSI script -- Setting dial-in privileges

I have an ADSI program written in VisualBasic that I am running once per hour. It queries an Access database to retrieve a list of users that need their accounts created, and then does all the account creation tasks.

Part of this process is enabling their RAS permissions. We used to do this with the DOS command rasgrant, but now that we have an ADSI app to do it, I'd like to do it in the same app. This is setting the 'Remote Access Permission (Dial-in or VPN)' bit to 'Allow access'.

The script runs this portion, but the dial-in permission never actually gets set. The method I am using is one I found on Microsoft's site as well as several other sites.

We need to automate this process.

Here is the code snippet I am using for this process:
Our domain name is "NTDOM". We are running AD in mixed-mode with several DCs.
emailname is the user's logon name, such as 'jdoe'.

        Set objUser2 = GetObject("WinNT://NTDOM/" & emailname & ",user")
        objUser2.DialinPrivilege = True
        objUser2.SetInfo

Thanks for your help.
tkrajcar

ASKER

I increased the point value, as this question is extremely important -- we need to get this fixed in the next week if not sooner.
I see that you are using the WinNT provider already, but here is something I found that may be applicable:

http://support.microsoft.com/?kbid=252398

Do you receive any errors or does it appear to execute without issue?

http://www.ntmag.com/Articles/Index.cfm?ArticleID=258&pg=3

Good luck!
Well, I found Q252398 as well, and that's why I'm doing it the way I am. It still doesn't work.

The code executes without any issue at all.
I am now using this code:

    Set objLDAPUser = GetObject("LDAP://cn=" & fullname & ",OU=Students,DC=NTDOM,DC=CUPDX")
    objLDAPUser.Put "msNPAllowDialin", True
    objLDAPUser.SetInfo

(since I don't need or want to set any of the attributes).

It still does not work...
Since I don't have AD handy, kind of hard to test but this is what I have seen in several places:

    Set objLDAPUser = GetObject("LDAP://cn=" & fullname & ",OU=Students,DC=NTDOM,DC=CUPDX")

    objLDAPUser.msNPAllowDialin = True
    objLDAPUser.SetInfo

If this doesn't do it, I am fresh out.  Good luck!
Nope, this still does not work. :( anybody else have any thoughts?
Just for confirmation, I ran this against my AD domain and it works flawlessly.

    Set objUser = GetObject("LDAP://CN=Joe Blow, OU=Users, OU=Administrative, DC=sub, DC=domain, DC=com")
    objUser.msNPAllowDialin = True
    objUser.SetInfo
    MsgBox objUser.msNPAllowDialin

I then changed it to false and that modified the property as well.  Are you sure that everything else looks appropriate?  You don't have any On Error Resume Next or On Error Goto's that may be disguising your problem do you?
Yeah... I've a thought

Try your ADSI line with the "down client" login name... not the newer-style User Principal Name.

       Set objUser2 = GetObject("WinNT://NTDOM/" & LoginName & ",user")

...where LoginName is GRAYE ... not Emmet.Gray@domain.com
I moved some code around, and am now executing this dial-in right when I create the user.
So, the code looks like so:


    firstname = "Timmah"
    lastname = "Tester"
    emailname = "ttester"
    recip = "CN=" & fullname
    Set objContainer = GetObject("LDAP://OU=Students,DC=ntdom,DC=cupdx")
    Set objUser = objContainer.Create("User", recip)
    objUser.Put "samAccountName", emailname
    objUser.Put "sn", lastname
    objUser.Put "givenName", firstname
    objUser.Put "displayname", fullname
    objUser.Put "userPrincipalName", emailname
    objUser.Put "Fullname", fullname
    objUser.LoginScript = logscript
    objUser.Put "msNPAllowDialin", True
    objUser.msNPAllowDialin = True
    objUser.SetInfo

Everything is getting set here, except the dialin!
Just for fun, try to execute SetInfo prior to modifying msNPAllowDialin (and after).  Something like this:

   firstname = "Timmah"
   lastname = "Tester"
   emailname = "ttester"
   recip = "CN=" & fullname
   Set objContainer = GetObject("LDAP://OU=Students,DC=ntdom,DC=cupdx")
   Set objUser = objContainer.Create("User", recip)
   objUser.Put "samAccountName", emailname
   objUser.Put "sn", lastname
   objUser.Put "givenName", firstname
   objUser.Put "displayname", fullname
   objUser.Put "userPrincipalName", emailname
   objUser.Put "Fullname", fullname
   objUser.LoginScript = logscript
   objUser.SetInfo
   'objUser.Put "msNPAllowDialin", True
   objUser.msNPAllowDialin = True
   objUser.SetInfo

If you bind to an existing user account, does the previously posted script work or do you still encounter the problem with the property not being modified?
Did anyone ever figure this out?  Was there any more dialog on this topic?  I've been trying to accomplish the same thing but have run into a wall.  My script does set the "msNPAllowDialin" attribute to TRUE, but the button never gets updated from DENY to ALLOW in the "dial-in" tab.  I read somewhere that the button is controlled by the "userParameters" attribute and not the "msNPAllowDialin" attribute.  Anybody?
I am currently working on this very same issue.  I can't get it to work either.  If anybody can figure this out, it would be very helpful.  I have to get this resolved in the next day or two.

Thanks.
I realize this question is old, but I'm looking to do something similar and came across this thread.  I did find this article from MS that seems to indicate you need to have native mode enabled for this to work:
http://support.microsoft.com/kb/257341
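
A write-then-verify version of the snippets posted in this thread, as an added example that is not code from any of the posters: it checks the error state after each ADSI call instead of letting On Error Resume Next hide it, then re-binds and reads msNPAllowDialin back from the directory. That separates "the write failed silently" from "the attribute was written but the Dial-in tab does not reflect it". The function name and the distinguished name passed to it are constructed placeholders.

```vbscript
' Added example, not code from the thread.
Option Explicit

' ADSI error returned when the requested attribute has no value on the object.
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D

' Sets msNPAllowDialin on the user at userDN, then re-binds and reads the
' stored value back. Returns a one-line status string.
' SetAndVerifyDialin is a hypothetical helper name.
Function SetAndVerifyDialin(userDN, allow)
    Dim objUser, objCheck, stored

    On Error Resume Next   ' errors are checked explicitly after each call

    Set objUser = GetObject("LDAP://" & userDN)
    If Err.Number <> 0 Then
        SetAndVerifyDialin = "bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    objUser.Put "msNPAllowDialin", allow
    objUser.SetInfo
    If Err.Number <> 0 Then
        SetAndVerifyDialin = "SetInfo failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    ' Fresh bind plus GetInfo so the value is loaded from the directory,
    ' not taken from the property cache of the object that was just written.
    Set objCheck = GetObject("LDAP://" & userDN)
    objCheck.GetInfo
    stored = objCheck.Get("msNPAllowDialin")
    If Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        SetAndVerifyDialin = "attribute not set on stored object"
    ElseIf Err.Number <> 0 Then
        SetAndVerifyDialin = "read-back failed: 0x" & Hex(Err.Number)
    ElseIf CBool(stored) = CBool(allow) Then
        SetAndVerifyDialin = "verified: msNPAllowDialin = " & stored
    Else
        SetAndVerifyDialin = "mismatch: stored value is " & stored
    End If
End Function

' Constructed DN for illustration; substitute a test account in your own OU.
WScript.Echo SetAndVerifyDialin("CN=Test User,OU=Students,DC=example,DC=com", True)
```

Run it with cscript under the same account the hourly job uses, so a permissions failure on SetInfo shows up as an error code rather than as a setting that silently never changes.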