Just a little observation here...
 
msNPAllowDialin is NOT populated if you are using RAS Policies (or RADIUS) to
set the Dialin access. This code will return only users who have their Dialin
properties manually set to either "Allow" or "Deny" on their accounts. In my
environment, we set Dialin/VPN permissions through Policies applied to
specific groups. So, when I want to know who has dialin permissions, I query
the Group membership.

HTH
 
Sincerely,

Deji Akomolafe, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Creamer, Mark
Sent: Thu 12/18/2003 12:27 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] attribute for remote access



Thanks Coleman - I feel good - my solution looks a lot like that!
(logic-wise, anyway)

<mc>

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 3:04 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] attribute for remote access

 I should have just sent the whole script the first time. Anyway, here you
go (watch for line wraps)

=================================================================
Option Explicit

Const adStateOpen = 1

Dim agencyOU
Dim RootDSE
Dim SearchRoot
Dim ldapPath
Dim adoConnection
Dim adoRecordset
Dim thisDate
Dim userADsPath
Dim objUser
Dim dialInEnabled
Dim objRecordSet
Dim fileSys
Dim fileName
Dim fileTxt
Dim j

Const ForReading = 1, ForWriting = 2, ForAppending = 8
Const adVarChar = 200 'specifies a string type data


'Create the disconnected recordset
Set objRecordset = CreateObject("ADODB.Recordset")
objRecordset.Fields.Append "UserName", adVarChar, 50
objRecordset.Fields.Append "ACF2ID", adVarChar, 10
objRecordset.Fields.Append "DialInState", adVarChar, 50
objRecordset.Open

Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADSDSOObject"
adoConnection.Open "", "", ""


agencyOU = InputBox ("Enter the Agency's root OU")

Set RootDSE = GetObject("LDAP://RootDSE")
searchRoot = RootDSE.Get("defaultNamingContext")

ldapPath = "ou=" & agencyOU & "," & searchRoot
'On Error Resume Next
Set adoRecordset = adoConnection.Execute _
        ("<LDAP://" & ldapPath & ">;(objectClass=User);" _
        & "Name,ADsPath,sAMAccountName;SubTree")


'Set up the text file for output
thisDate = FormatDateTime(Now(), 1)
thisDate = split(thisDate, ", ")
fileName = thisDate(0) & thisDate(1) & ".txt"
'Wscript.Echo fileName
set fileSys = CreateObject("Scripting.FileSystemObject")
Set fileTxt = fileSys.OpenTextFile(fileName, ForAppending, True)
fileTxt.WriteLine(vbCrLf & _
"***********************************************************")
fileTxt.WriteLine(formatdatetime(now(),2))
fileTxt.WriteLine(ldapPath)
fileTxt.WriteLine(vbCrLf)

'Loop through all of the user objects, and print out those who are able to
'dial in or VPN
While Not adoRecordset.EOF     
        userADsPath = adoRecordset.Fields.Item("ADsPath").Value
        set objUser = GetObject(userADsPath)
                dialInEnabled = objUser.msNPAllowDialin
                If (dialInEnabled = True) then
                        objRecordset.AddNew
                        objRecordSet("UserName") = _
                                adoRecordset.Fields.Item("Name").Value
                        objRecordSet("ACF2ID") = _
                                adoRecordset.Fields.Item("SAMAccountName").Value
                        objRecordSet("DialInState") = dialInEnabled
                        objRecordSet.Update
                       
                End If
        adoRecordset.MoveNext
Wend

adoConnection.Close
Set adoRecordset = Nothing

'-----------Output Attempt from the disconnected ADORecordset-------------------

'sort it by user name (skipped when nobody matched: MoveFirst fails on an empty recordset)
If objRecordSet.RecordCount > 0 Then
        objRecordSet.Sort = "UserName ASC"
        objRecordSet.MoveFirst
End If
While Not objRecordSet.EOF
        fileTxt.WriteLine(objRecordSet.Fields.Item("UserName") & VBTab & "(" _
                & objRecordSet.Fields.Item("ACF2ID") & ")" & VBTab _
                & "Remote Access Permission = " & objRecordSet.Fields.Item("DialInState"))
        objRecordSet.MoveNext
Wend
fileTxt.WriteLine(vbCrLf)
j = objRecordSet.RecordCount
fileTxt.WriteLine("Total number of dial-in enabled users is " & j)
objRecordSet.Close
set objRecordSet = Nothing

Wscript.Echo "Script finished"

=================================================================

-----Original Message-----
From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 12:24 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] attribute for remote access

Thanks guys - that made things a heck of a lot easier!

<mc>
-----Original Message-----
From: Fuller, Stuart [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 2:00 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] attribute for remote access

Looking at this attrib via ADSI Edit shows that msNPAllowDialin set to
"True" is equiv. to "allow". "False" is equiv to "deny" and "<not set>" is
"Control access through Remote Access Policy".

-Stuart

-----Original Message-----
From: Coleman, Hunter [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:52 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] attribute for remote access

Mark-

Here's a snippet of a script we use to check that:

userADsPath = adoRecordset.Fields.Item("ADsPath").Value
 set objUser = GetObject(userADsPath)
  dialInEnabled = objUser.msNPAllowDialin

Hunter

________________________________

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Thursday, December 18, 2003 11:09 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] attribute for remote access



Anyone know what schema attribute controls the remote access policy (has 3
choices, Allow, Deny or Control by Policy)? I'd like to query for the users
with Allow enabled.



Thanks!



Mark Creamer

Systems Engineer

Cintas Corporation

Honesty and Integrity in Everything We Do

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
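
Added example (not part of the original thread or any poster's script): a PowerShell sketch that reports the three msNPAllowDialin states described above next to membership in the groups a remote access policy targets, so policy-controlled users are not missed. The group DN, the sample users and the function name Get-DialInState are constructed assumptions.

```powershell
# Added example. Sample users and the policy group DN below are constructed.
function Get-DialInState {
    param(
        [Parameter(Mandatory)] $User,       # object with msNPAllowDialin and MemberOf
        [string[]] $PolicyGroupDNs = @()    # groups your RAS/RADIUS policy grants access to (assumption)
    )
    # Per the thread: TRUE = Allow, FALSE = Deny, not set = controlled by policy
    $raw = $User.msNPAllowDialin
    if ($null -eq $raw) { $setting = 'NotSet (policy)' }
    elseif ($raw)       { $setting = 'Allow' }
    else                { $setting = 'Deny' }

    # MemberOf lists direct memberships only; nested groups and the
    # primary group are not included and need a separate expansion.
    $hits = @($User.MemberOf | Where-Object { $PolicyGroupDNs -contains $_ })

    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        AccountSetting = $setting
        InPolicyGroup  = ($hits.Count -gt 0)
    }
}

$policyGroups = @('CN=VPN-Users,OU=Groups,DC=example,DC=com')   # constructed DN

# Constructed sample input covering every combination worth reviewing
$users = @(
    [pscustomobject]@{ SamAccountName = 'alice'; msNPAllowDialin = $true;  MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'bob';   msNPAllowDialin = $false; MemberOf = $policyGroups }
    [pscustomobject]@{ SamAccountName = 'carol'; msNPAllowDialin = $null;  MemberOf = $policyGroups }
    [pscustomobject]@{ SamAccountName = 'dave';  msNPAllowDialin = $null;  MemberOf = @() }
)

# Against a live directory (ActiveDirectory module), replace the sample with:
# $users = Get-ADUser -Filter * -SearchBase 'OU=<agency>,DC=example,DC=com' `
#              -Properties msNPAllowDialin, MemberOf

$users |
    ForEach-Object { Get-DialInState -User $_ -PolicyGroupDNs $policyGroups } |
    Sort-Object AccountSetting, SamAccountName |
    Format-Table -AutoSize
```

A query that only tests msNPAllowDialin for TRUE would list alice alone; carol reaches remote access through the policy group and appears only when group membership is checked as well.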