Solved

VBS Active Directory user attribute update problem

Posted on 2010-11-26
Last Modified: 2012-05-10
I made a script to modify our users' Network access permissions under the Dial In tab in AD.
The script seems to be doing its job and the right radio button is selected when you view it in AD Users and Computers, BUT the users don't have access.
The property is not really updated although it looks that way.
If I reselect the allow access button, although it's already selected, then the apply button becomes active and if I apply, it finally works.
But what is the reason that the VB script can't do it and is there any way around this?
As you can see in the script I tried some different ways to update the attribute, but none of them works.
Option Explicit
'Const ADS_PROPERTY_CLEAR = 1
'Const ADS_PROPERTY_UPDATE = 2
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objUser, objRootDSE
Dim arrMemberOf

strContainer = "cn=tin-elev,OU=Grupper,ou=Tinderhøj-skole,"
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

Set objGroup = GetObject("LDAP://"& strContainer & strDNSDomain)
objGroup.getInfo

arrMemberOf = objGroup.GetEx("member")

For Each strMember in arrMemberOf
Set objUser = GetObject("LDAP://" & strMember) 
'objUser.PutEx ADS_PROPERTY_CLEAR, "msNPAllowDialIn", 0
'objUser.SetInfo 
'objUser.PutEx ADS_PROPERTY_UPDATE, "msNPAllowDialIn", TRUE
'objUser.SetInfo 
objUser.Put "msNPAllowDialIn", True
objUser.SetInfo 
Next

Wscript.Quit

Question by:Ducknaldi
 
LVL 1

Author Comment

by:Ducknaldi
ID: 34217462
By the way, even when I look in ADSI Edit, the value is set as it should be, but it's not working before I do it manually in ADUC anyway.
0
 
LVL 15

Expert Comment

by:markpalinux
ID: 34220772


Take a look at the functions in this script:
http://www.wisesoft.co.uk/scripts/vbscript_write_msnpallowdialin_attribute.aspx

Seems like msNPAllowDialIn is a single value (.Put) rather than a multivalued (.PutEx)

Like you said things should work manually before the script.


Mark
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34221517

Ignore that value and look for others it sets. It wouldn't be the first in the GUI that sets more than one in the background.

Chris
0
 
LVL 71

Accepted Solution

by:
Chris Dent earned 1500 total points
ID: 34221531

Ahh here we go, it even has KB articles, and it does need another attribute (a change to userParameters):

http://support.microsoft.com/?id=252398
http://support.microsoft.com/?id=257341

Is your domain Mixed mode? If so, in theory a change to Native should allow this to work. Of course, that kind of change depends on your Domain Controllers.

Chris
0
 
LVL 1

Author Comment

by:Ducknaldi
ID: 34221616
Markpalinux,
As you see in my script I use Put, but I have also tried PutEx, now commented out. They both give the same result: the radio button is set, but to make it work I have to do it manually in ADUC.

Chris-Dent,
Sounds like a good idea, what do you recommend for checking other changes made by the radio button?
I found the KB articles also, but my domain is running 2008 native mode, so I don't think that's the reason.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 34226807
Hi guys, Chris, hopefully you can find this useful.....This post shows the properties associated with the Dial In, and how to *show* the information, but I have no idea just yet how to set this, or in which order.  I might be able to play around with it at some stage later this week, but for now, I don't have time:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23516965.html

Regards,

Rob.
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 34226823
0
 
LVL 1

Author Comment

by:Ducknaldi
ID: 34228402
I found another link to somebody with the exact same problems.
He seemed to sort it out by making a c script, but I really don't have any knowledge about c scripting and wouldn't know how to convert this to my own situation.
http://www.autoitscript.com/forum/topic/70526-ad-dialinprivilege-msnpallowdialin-attribute-problem-adsi-question/
0
 
LVL 1

Author Comment

by:Ducknaldi
ID: 34228406
Rob, the examples use the same methods as I've been trying. Thx anyway;)
0
 
LVL 1

Author Comment

by:Ducknaldi
ID: 34228914
Ok, solved it now.
The radio button sets a second parameter like Chris suggested.
By adding the second parameter it now works.

 
Option Explicit
Dim strMember, strDNSDomain, strContainer
Dim objGroup, objUser, objRootDSE
Dim arrMemberOf

strContainer = "cn=blabla,OU=Groups,ou=whatever,"
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

Set objGroup = GetObject("LDAP://"& strContainer & strDNSDomain)
objGroup.getInfo

arrMemberOf = objGroup.GetEx("member")

For Each strMember in arrMemberOf
Set objUser = GetObject("LDAP://" & strMember) 
objUser.Put "msNPAllowDialIn", True
objUser.Put "userParameters", "m:                    d	                        "
objUser.SetInfo 
Next

Wscript.Quit


This line is what makes it work

 
objUser.Put "userParameters", "m:                    d	                        "

0
 
LVL 1

Author Closing Comment

by:Ducknaldi
ID: 34228925
The complete solution was not given, only hints in the right direction, but thanks anyway.
0
 
LVL 71

Expert Comment

by:Chris Dent
ID: 34228965

Apologies for the lack of feedback, I ended up being a bit busier than expected over the weekend.

Chris
0
 
LVL 1

Author Comment

by:Ducknaldi
ID: 34229038
It's ok, the important thing is that the problem was solved.
Thanks mate;)
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 34234475
Wow, that's pretty cryptic:
objUser.Put "userParameters", "m:                    d                              "

But it seems userParameters is a binary value.  Perhaps it would be better to set up an account with the settings that you actually want for dial-in, then export that binary value from that test user.  Then, you should use those settings to set the binary value of userParameters with.  My feeling is that you don't really know what
objUser.Put "userParameters", "m:                    d                              "
 
is actually setting, and it may be overwriting (or not setting) some of the settings that you want.

Thanks for sharing!

Rob.
0
 
LVL 1

Author Comment

by:Ducknaldi
ID: 34234913
Hi Rob, thank you for the suggestions.
I only need this one setting, it's not really a dial-in connection so I don't need other settings.
I use it for web authentication on a WLC and Cisco Secure Access Server and it works fine for everyone now, but you're right, that's an insane value.
I found the value by enabling it in the GUI and checking with ADSI Edit, then copied the value from there into the script and it worked.
0
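
Rob's suggestion above (take the userParameters value from a test account configured in the GUI instead of pasting a literal) combined with a guard against overwriting existing data, as an added example that is not part of the original thread. The template account and group DNs are placeholders, and the script assumes the string ADSI returns for userParameters can be written back unchanged.

```vbscript
Option Explicit
Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D

Dim objRootDSE, strDNSDomain, objTemplate, objGroup, objUser
Dim strTemplate, strCurrent, strMember, lngErr

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Placeholder DN: a test account configured once on the ADUC Dial-in tab.
Set objTemplate = GetObject("LDAP://cn=dialin-template,ou=whatever," & strDNSDomain)
strTemplate = objTemplate.Get("userParameters")

' Placeholder DN, same form as the group in the thread's script.
Set objGroup = GetObject("LDAP://cn=blabla,OU=Groups,ou=whatever," & strDNSDomain)

For Each strMember In objGroup.GetEx("member")
    Set objUser = GetObject("LDAP://" & strMember)
    If LCase(objUser.Class) = "user" Then
        ' Get raises an error when the attribute is empty, so trap it.
        strCurrent = ""
        On Error Resume Next
        strCurrent = objUser.Get("userParameters")
        lngErr = Err.Number
        On Error GoTo 0

        If lngErr = E_ADS_PROPERTY_NOT_FOUND Then
            ' Nothing stored yet: safe to write the exported value.
            objUser.Put "msNPAllowDialIn", True
            objUser.Put "userParameters", strTemplate
            objUser.SetInfo
            WScript.Echo "Updated: " & strMember
        ElseIf lngErr <> 0 Then
            WScript.Echo "Read error " & Hex(lngErr) & ": " & strMember
        ElseIf StrComp(strCurrent, strTemplate, vbBinaryCompare) = 0 Then
            ' Same value as the template: only the flag needs setting.
            objUser.Put "msNPAllowDialIn", True
            objUser.SetInfo
            WScript.Echo "Already matching: " & strMember
        Else
            ' Different existing data: report it instead of overwriting.
            WScript.Echo "Skipped, existing userParameters (" & _
                Len(strCurrent) & " chars): " & strMember
        End If
    End If
Next
```

Run it with cscript.exe so the per-user results go to the console; the "Skipped" lines are the accounts to review by hand.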

Question has a verified solution.