Solved

VBS Active Directory user attribute update problem

Posted on 2010-11-26
15
1,255 Views
Last Modified: 2012-05-10
I made a script to modify our users' Network access permissions under the Dial In tab in AD.
The script seems to be doing its job and the right radio button is selected when you view it in AD Users and Computers, BUT the users don't have access.
The property is not really updated although it looks that way.
If I reselect the allow access button, although it's already selected, then the apply button becomes active and if I apply, it finally works.
But what is the reason that the VB script can't do it and is there any way around this?
As you can see in the script I tried some different ways to update the attribute, but none of them work.
Option Explicit

'Const ADS_PROPERTY_CLEAR = 1
'Const ADS_PROPERTY_UPDATE = 2

Dim strMember, strDNSDomain, strContainer
Dim objGroup, objUser, objRootDSE
Dim arrMemberOf

' Group whose members should get dial-in access (the domain DN is appended below)
strContainer = "cn=tin-elev,OU=Grupper,ou=Tinderhøj-skole,"

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

Set objGroup = GetObject("LDAP://" & strContainer & strDNSDomain)
objGroup.GetInfo

' Distinguished names of all members of the group
arrMemberOf = objGroup.GetEx("member")

For Each strMember In arrMemberOf
    Set objUser = GetObject("LDAP://" & strMember)

    ' Earlier attempts with PutEx (clear, then update) gave the same result
    'objUser.PutEx ADS_PROPERTY_CLEAR, "msNPAllowDialIn", 0
    'objUser.SetInfo
    'objUser.PutEx ADS_PROPERTY_UPDATE, "msNPAllowDialIn", TRUE
    'objUser.SetInfo

    ' Single-valued attribute behind the "Allow access" radio button
    objUser.Put "msNPAllowDialIn", True
    objUser.SetInfo
Next

WScript.Quit

Question by:Ducknaldi
15 Comments
 
LVL 1
Author Comment
by:Ducknaldi
ID: 34217462
By the way, even when I look in ADSI Edit, the value is set as it should be, but it's not working before I do it manually in ADUC anyway.
 
LVL 15
Expert Comment
by:markpalinux
ID: 34220772
Take a look at the functions in this script:
http://www.wisesoft.co.uk/scripts/vbscript_write_msnpallowdialin_attribute.aspx

Seems like msNPAllowDialIn is a single value (.Put) rather than a multivalued (.PutEx).

Like you said, things should work manually before the script.

Mark
 
LVL 70
Expert Comment
by:Chris Dent
ID: 34221517
Ignore that value and look for others it sets. It wouldn't be the first in the GUI that sets more than one in the background.

Chris
 
LVL 70
Accepted Solution
by: Chris Dent earned 500 total points
ID: 34221531
Ahh here we go, it even has KB articles, and it does need another attribute (a change to userParameters):

http://support.microsoft.com/?id=252398
http://support.microsoft.com/?id=257341

Is your domain Mixed mode? If so, in theory a change to Native should allow this to work. Of course, that kind of change depends on your Domain Controllers.

Chris
 
LVL 1
Author Comment
by:Ducknaldi
ID: 34221616
Markpalinux,
As you see in my script I use Put, but I have also tried PutEx, now commented out; they both give the same result: the radio button is set, but to make it work I have to do it manually in ADUC.

Chris Dent,
Sounds like a good idea, what do you recommend for checking other changes made by the radio button?
I found the KB articles also, but my domain is running 2008 native mode, so I don't think that's the reason.
 
LVL 65
Expert Comment
by:RobSampson
ID: 34226807
Hi guys, Chris, hopefully you can find this useful. This post shows the properties associated with the Dial In tab, and how to *show* the information, but I have no idea just yet how to set this, or in which order. I might be able to play around with it at some stage later this week, but for now, I don't have time:
http://www.experts-exchange.com/Programming/Languages/Visual_Basic/VB_Script/Q_23516965.html

Regards,

Rob.
 
LVL 65
Expert Comment
by:RobSampson
ID: 34226823
LVL 1
Author Comment
by:Ducknaldi
ID: 34228402
I found another link to somebody with the exact same problem.
He seemed to sort it out by making a c script, but I really don't have any knowledge about c scripting and wouldn't know how to convert this to my own situation.
http://www.autoitscript.com/forum/topic/70526-ad-dialinprivilege-msnpallowdialin-attribute-problem-adsi-question/
 
LVL 1
Author Comment
by:Ducknaldi
ID: 34228406
Rob, the examples use the same methods as I've been trying. Thx anyway;)
 
LVL 1
Author Comment
by:Ducknaldi
ID: 34228914
Ok, solved it now.
The radio button sets a second parameter like Chris suggested.
By adding the second parameter it now works.

Option Explicit

Dim strMember, strDNSDomain, strContainer
Dim objGroup, objUser, objRootDSE
Dim arrMemberOf

' Group whose members should get dial-in access (the domain DN is appended below)
strContainer = "cn=blabla,OU=Groups,ou=whatever,"

Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

Set objGroup = GetObject("LDAP://" & strContainer & strDNSDomain)
objGroup.GetInfo

' Distinguished names of all members of the group
arrMemberOf = objGroup.GetEx("member")

For Each strMember In arrMemberOf
Set objUser = GetObject("LDAP://" & strMember)

' The attribute behind the radio button, plus the companion attribute the GUI
' also writes; the userParameters value was copied from ADSI Edit
objUser.Put "msNPAllowDialIn", True
objUser.Put "userParameters", "m:                    d	                        "
objUser.SetInfo
Next

WScript.Quit

This line is what makes it work:

objUser.Put "userParameters", "m:                    d	                        "
 
LVL 1
Author Closing Comment
by:Ducknaldi
ID: 34228925
The complete solution was not given, only hints in the right direction, but thanks anyway.
 
LVL 70
Expert Comment
by:Chris Dent
ID: 34228965
Apologies for the lack of feedback, I ended up being a bit busier than expected over the weekend.

Chris
 
LVL 1
Author Comment
by:Ducknaldi
ID: 34229038
It's ok, the important thing is that the problem was solved.
Thanks mate;)
 
LVL 65
Expert Comment
by:RobSampson
ID: 34234475
Wow, that's pretty cryptic:
objUser.Put "userParameters", "m:                    d                              "

But it seems userParameters is a binary value. Perhaps it would be better to set up an account with the settings that you actually want for dial-in, then export that binary value from that test user. Then, you should use those settings to set the binary value of userParameters with. My feeling is that you don't really know what
objUser.Put "userParameters", "m:                    d                              "

is actually setting, and it may be overwriting (or not setting) some of the settings that you want.

Thanks for sharing!

Rob.
 
LVL 1
Author Comment
by:Ducknaldi
ID: 34234913
Hi Rob, thank you for the suggestions.
I only need this one setting, it's not really a dial-in connection so I don't need other settings.
I use it for web authentication on a WLC and Cisco Secure Access server and it works fine for everyone now, but you're right, that's an insane value.
I found the value by enabling it in the GUI and checking with ADSI Edit, then copied the value from there into the script and it worked.
