tkrajcar
asked on
ADSI script -- Setting dial-in privileges
I have an ADSI program written in VisualBasic that I am running once per hour. It queries an Access database to retrieve a list of users that need their accounts created, and then does all the account creation tasks.
Part of this process is enabling their RAS permissions. We used to do this with the dos command rasgrant, but now that we have an ADSI app to do it, I'd like to do it in the same app. This is setting the 'Remote Access Permission (Dial-in or VPN)' bit to 'Allow access'.
The script runs this portion, but the dial-in permission never actually gets set. The method I am using is one I found on Microsoft's site as well as several other sites.
We need to automate this process.
Here is the code snippet I am using for this process:
Our domain name is "NTDOM". We are running AD in mixed-mode with several DCs.
emailname is the user's logon name, such as 'jdoe'.
Set objUser2 = GetObject("WinNT://NTDOM/" & emailname & ",user")
objUser2.DialinPrivilege = True
objUser2.SetInfo
Thanks for your help.
I see that you are using the WinNT provider already, but here is something I found that may be applicable:
http://support.microsoft.com/?kbid=252398
Do you receive any errors or does it appear to execute without issue?
http://www.ntmag.com/Articles/Index.cfm?ArticleID=258&pg=3
Good luck!
ASKER
Well, I found Q252398 as well, and that's why I'm doing it the way I am. It still doesn't work.
The code executes without any issue at all.
When all else fails, vote for the MS approved method ;)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/user/ScrUG83.asp
ASKER
I am now using this code:
Set objLDAPUser = GetObject("LDAP://cn=" & fullname & ",OU=Students,DC=NTDOM,DC=CUPDX")
objLDAPUser.Put "msNPAllowDialin", True
objLDAPUser.SetInfo
(since I don't need or want to set any of the attributes).
It still does not work...
Since I don't have AD handy, kind of hard to test but this is what I have seen in several places:
Set objLDAPUser = GetObject("LDAP://cn=" & fullname & ",OU=Students,DC=NTDOM,DC=CUPDX")
objLDAPUser.msNPAllowDialin = True
objLDAPUser.SetInfo
If this doesn't do it, I am fresh out. Good luck!
ASKER
Nope, this still does not work. :( anybody else have any thoughts?
Just for confirmation, I ran this against my AD domain and it works flawlessly.
Set objUser = GetObject("LDAP://CN=Joe Blow, OU=Users, OU=Administrative, DC=sub, DC=domain, DC=com")
objUser.msNPAllowDialin = True
objUser.SetInfo
MsgBox objUser.msNPAllowDialin
I then changed it to false and that modified the property as well. Are you sure that everything else looks appropriate? You don't have any On Error Resume Next or On Error Goto's that may be disguising your problem do you?
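Added example, not part of the original thread: a VBScript sketch (run under cscript) of the check suggested in the reply above. It reports any error from the bind or from SetInfo instead of letting On Error Resume Next hide it, then reloads the property cache with GetInfo and reads msNPAllowDialin back. The function name SetDialinAndVerify and the distinguished name are placeholders assumed for illustration.

```vbscript
Option Explicit

' Placeholder DN (assumption); substitute the account being provisioned.
Const USER_DN = "CN=Test User,OU=Students,DC=example,DC=com"

' Hypothetical helper: writes msNPAllowDialin, then confirms the stored value.
Function SetDialinAndVerify(userDN, allow)
    Dim objUser, actual
    SetDialinAndVerify = False

    ' Errors are trapped here only so that each one can be reported explicitly.
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & userDN)
    If Err.Number <> 0 Then
        WScript.Echo "Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    objUser.Put "msNPAllowDialin", allow
    objUser.SetInfo
    If Err.Number <> 0 Then
        WScript.Echo "SetInfo failed: 0x" & Hex(Err.Number) & " " & Err.Description
        Exit Function
    End If

    ' GetInfo overwrites the local property cache with what the directory
    ' actually holds, so the value read next is not just the cached write.
    objUser.GetInfo
    actual = objUser.Get("msNPAllowDialin")
    If Err.Number <> 0 Then
        WScript.Echo "Read-back failed (attribute not present?): 0x" & Hex(Err.Number)
        Exit Function
    End If
    On Error GoTo 0

    WScript.Echo "msNPAllowDialin stored in directory: " & actual
    SetDialinAndVerify = (CBool(actual) = CBool(allow))
End Function

If SetDialinAndVerify(USER_DN, True) Then
    WScript.Echo "Dial-in permission verified"
Else
    WScript.Echo "Dial-in permission NOT verified"
    WScript.Quit 1
End If
```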
Yeah... I've a thought
Try your ADSI line with the "down client" login name... not the newer-style User Principal Name.
Set objUser2 = GetObject("WinNT://NTDOM/" & LoginName & ",user")
...where LoginName is GRAYE ... not Emmet.Gray@domain.com
ASKER
I moved some code around, and am now executing this dial-in right when I create the user.
So, the code looks like so:
firstname = "Timmah"
lastname = "Tester"
emailname = "ttester"
recip = "CN=" & fullname
Set objContainer = GetObject("LDAP://OU=Students,DC=ntdom,DC=cupdx")
Set objUser = objContainer.Create("User", recip)
objUser.Put "samAccountName", emailname
objUser.Put "sn", lastname
objUser.Put "givenName", firstname
objUser.Put "displayname", fullname
objUser.Put "userPrincipalName", emailname
objUser.Put "Fullname", fullname
objUser.LoginScript = logscript
objUser.Put "msNPAllowDialin", True
objUser.msNPAllowDialin = True
objUser.SetInfo
Everything is getting set here, except the dialin!
Just for fun, try to execute SetInfo prior to modifying msNPAllowDialin (and after). Something like this:
firstname = "Timmah"
lastname = "Tester"
emailname = "ttester"
recip = "CN=" & fullname
Set objContainer = GetObject("LDAP://OU=Students,DC=ntdom,DC=cupdx")
Set objUser = objContainer.Create("User", recip)
objUser.Put "samAccountName", emailname
objUser.Put "sn", lastname
objUser.Put "givenName", firstname
objUser.Put "displayname", fullname
objUser.Put "userPrincipalName", emailname
objUser.Put "Fullname", fullname
objUser.LoginScript = logscript
objUser.SetInfo
'objUser.Put "msNPAllowDialin", True
objUser.msNPAllowDialin = True
objUser.SetInfo
If you bind to an existing user account, does the previously posted script work or do you still encounter the problem with the property not being modified?
Did anyone ever figure this out? Was there any more dialog on this topic? I've been trying to accomplish the same thing but have run into a wall. My script does set the "msNPAllowDialin" attribute to TRUE, but the button never gets updated from DENY to ALLOW in the "dial-in" tab. I read somewhere that the button is controlled by the "userParameters" attribute and not the "msNPAllowDialin" attribute. Anybody?
I am currently working on this very same issue. I can't get it to work either. If anybody can figure this out, it would be very helpful. I have to get this resolved in the next day or two.
Thanks.
I realize this question is old, but I'm looking to do something similar and came across this thread. I did find this article from MS that seems to indicate you need to have native mode enabled for this to work:
http://support.microsoft.com/kb/257341