
Dial-in attribute changed to Deny Access for Disable Accounts.


mik...@gmail.com

Apr 9, 2008, 4:24:51 PM
I need a script that will do two things.
1. Scan Active Directory for disabled user accounts
2. Then change the msNPAllowDialin attribute on those accounts to Deny
Access

Any help would be great. Thanks...

Richard Mueller [MVP]

Apr 9, 2008, 9:19:13 PM

<mik...@gmail.com> wrote in message
news:5b548951-085c-44d4...@m36g2000hse.googlegroups.com...

ADO can be used in a VBScript program to retrieve information on all
disabled users. I would further restrict the filter to disabled users that
are allowed to dial in. You would retrieve the user Distinguished Names so
you could bind to each and change the setting to False. For example:
======
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on disabled users that can dial in.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=2)" _
    & "(msNPAllowDialin=TRUE))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve values and display.
    strDN = adoRecordset.Fields("distinguishedName").Value

    ' Bind to the user object.
    Set objUser = GetObject("LDAP://" & strDN)

    ' Deny dialin.
    objUser.msNPAllowDialin = False

    ' Save changes.
    objUser.SetInfo

    Wscript.Echo "User " & strDN & " denied permission to dial in"

    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close


--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
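
An added example, not part of the reply above or of Richard Mueller's own scripts: a PowerShell version of the same clean-up that defaults to a dry run and writes a CSV report. It goes slightly beyond the VBScript by listing every disabled user with its dial-in state (TRUE, FALSE or not set) and changing only the TRUE ones. It assumes the ActiveDirectory module (RSAT) is installed; the `-Apply` switch and `-ReportPath` parameter are names chosen for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Dry run by default; pass -Apply to write changes.
[CmdletBinding()]
param(
    [switch]$Apply,                                  # hypothetical opt-in switch for writes
    [string]$ReportPath = '.\disabled-dialin.csv'    # hypothetical report location
)

# Same bitwise-AND matching rule as the VBScript filter: ACCOUNTDISABLE (2) is set.
# The msNPAllowDialin clause is dropped so that every disabled user is reported.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=2))'

$report = @(foreach ($user in Get-ADUser -LDAPFilter $filter -Properties msNPAllowDialin) {
    $before = $user.msNPAllowDialin    # $true, $false, or $null when the attribute is not set
    $action = 'none'

    if ($before -eq $true) {
        if ($Apply) {
            try {
                # Equivalent of objUser.msNPAllowDialin = False followed by SetInfo.
                Set-ADUser -Identity $user.DistinguishedName `
                           -Replace @{ msNPAllowDialin = $false } -ErrorAction Stop
                $action = 'set to FALSE'
            } catch {
                $action = "failed: $($_.Exception.Message)"
            }
        } else {
            $action = 'would set to FALSE'
        }
    }

    [pscustomobject]@{
        DistinguishedName = $user.DistinguishedName
        DialinBefore      = if ($null -eq $before) { 'not set' } else { "$before" }
        Action            = $action
    }
})

# One row per disabled account, then a summary of what was (or would be) done.
$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count
```

Run it once without `-Apply` and review the CSV before running it again with `-Apply`.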


mik...@gmail.com

Apr 16, 2008, 10:49:46 AM
On Apr 9, 9:19 pm, "Richard Mueller [MVP]" <rlmueller-nos...@ameritech.nospam.net> wrote:
> <mike...@gmail.com> wrote in message

Thanks Richard,

The script worked perfectly! I was able to provide a detailed report to
my supervisor regarding these accounts. By the way, I have checked
your website in the past for scripts and your website has been very
helpful.

Thanks for your help!

Mike Tir
