--------------------------------------------------------------------
SearchWin2000.com's Active Directory Tip
--------------------------------------------------------------------

TODAY'S AD TIP: Creating new AD users with dial-in permission 

====================================================================
"Creating new AD users with dial-in permission"
By Kevin R. Sharp

Two parameters must be properly configured for a new user to be
granted dial-in privileges, but Active Directory services can
directly modify only one of them. If the two parameters are out of
synchronization, no remote access will be allowed. The
msNPAllowDialin setting can be updated by Lightweight Directory
Access Protocol (LDAP) programs like the ADSI LDAP provider. The
UserParameters setting cannot be modified by such programs. The
recommended work-around depends on whether the Windows 2000 domain is
running in Mixed mode or in Native mode with the remote access
servers hosted on Windows NT machines.

Procedure:

Microsoft's position is that this behavior is "by design," meaning
you have to work around it because Microsoft is not going to fix it.
If your architecture currently calls for a Windows 2000 domain in
Native mode working with remote access servers hosted on NT machines,
I'm afraid you're out of luck. The official Microsoft workaround for
this problem is to move the RAS server off the NT machine onto a
Windows 2000 machine. If you're in a Mixed mode environment, however,
you have a much cleaner option: set the DialinPrivilege property that
the Windows NT (WinNT) provider exposes on the user object.

1. Download the Active Directory Services Interface from
http://www.microsoft.com/NTWorkstation/downloads/Other/ADSI25.asp 

2. Look for Adsras.dll in the included SDK and register it on the
computer on which you will run the script using the following
command:

regsvr32 adsras.dll

3. Now get a handle to the user object using:

' ADSI provider names are case-sensitive: use "WinNT", not "winnt"
Set usr = GetObject("WinNT://domainname/username,user")

4. Now you can grant dial-in access with:

usr.dialinprivilege = true

For the Microsoft knowledge base article dealing with this
workaround, see "Q252398 - Cannot Grant Dial-in Access to a User from
an ADSI Script" at
http://support.microsoft.com/support/kb/articles/Q252/3/98.ASP.

Note that in mixed mode, some dial-in options are unavailable,
including verify Caller ID and assign a static IP address. For more
information, see "Q193897 - Dial-In Options Unavailable with Active
Directory in Mixed Mode" at
http://support.microsoft.com/support/kb/articles/Q193/8/97.ASP.
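
To review which accounts hold dial-in permission after changes like
the one above, the msNPAllowDialin attribute can be read from an LDIF
export of the user objects. The Python script below is an added
example, not part of the original tip or of Microsoft's KB article;
the sample export, DNs and account names are constructed, and the
function names are hypothetical.

```python
import base64

# Constructed sample export; DNs and account names are made up.
SAMPLE_LDIF = """\
dn: CN=Alice Adams,CN=Users,DC=example,DC=com
sAMAccountName: aadams
msNPAllowDialin: TRUE

dn: CN=Bob Brown,CN=Users,DC=example,DC=com
sAMAccountName: bbrown
msNPAllowDialin: FALSE

dn: CN=Carol Clark,OU=Remote Staff,
 DC=example,DC=com
sAMAccountName: cclark
msNPAllowDialin:: VFJVRQ==

dn: CN=Dan Drake,CN=Users,DC=example,DC=com
sAMAccountName: ddrake
"""

def parse_ldif(text):
    """Yield one dict per entry (names lower-cased, last value wins)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        if line.startswith("#"):            # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry[name.strip().lower()] = value.strip()

def dialin_report(ldif_text):
    """Group accounts by msNPAllowDialin: allowed, denied, or unset."""
    report = {"allowed": [], "denied": [], "unset": []}
    for e in parse_ldif(ldif_text):
        if "dn" not in e:                   # skip headers such as "version: 1"
            continue
        flag = e.get("msnpallowdialin")
        key = "unset" if flag is None else (
            "allowed" if flag.upper() == "TRUE" else "denied")
        report[key].append(e.get("samaccountname", e["dn"]))
    return report

if __name__ == "__main__":
    for state, accounts in dialin_report(SAMPLE_LDIF).items():
        print(f"{state:8} {', '.join(accounts)}")
```

Accounts listed as "unset" have no msNPAllowDialin value in the
export at all, which is worth checking separately from an explicit
FALSE.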
--------------------------------------------------------------------
Kevin Sharp is a registered professional engineer and writer living
in Tucson, Arizona who gains his expertise from a variety of
professional activities. His engineering outlets include Web
consulting for ID Systems Magazine, focusing on the fulfillment side
of electronic commerce.
