Jump to content
Sign in to follow this  
wes517

AD dialinprivilege/ msNPAllowDialin attribute problem (ADSI question)

Recommended Posts

wes517

I'm trying to figure this one out and having some issues.

After messing around with a script for weeks, I've found out that using LDAP is a problem and using a script to set remote dialin access, it updates the GUI, but doesn't actually give permissions everywhere.

Found out that there's 2 parts to it, msNPAllowDialin and dialinprivilege. The first can be updated with the UDF for AD functions here, but dialinprivilege is only through ADSI.

so my question is how can i set the dialinprivilege for a computer using ADSI?

This is what I tried and doesn't work ( I know some of the includes aren't used in the code below, they were in some different attempts)

#cs 
It pops up a box asking for the computer name to give dial in rights for, gives the rights to the computer in Active Directory, then procedes to install the application.

#ce
#NoTrayIcon
autoitsetoption("RunErrorsFatal",0)
autoitsetoption("WinTitleMatchMode",2)
#include <adfunctions.au3>; not a standard file. It is available in the source folder and on autoit's website
#include <file.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <wfsi.au3>
#include <array.au3>
#AutoIt3Wrapper_icon=Odyssey.ico 
Fileinstall("D:\Autoit Scripts\Odyssey\Adsras.dll","C:\temp\Adsras.dll")

If Not IsDeclared("sInputBoxAnswer") Then Local $sInputBoxAnswer
$computername = InputBox("Dial In Access","Please enter the computer name that you want to grant Dial In access to.",@ComputerName," M","-1","-1","-1","-1")
Select
    Case @Error = 0;OK - The string returned is valid
        $computername = $computername & '$';$ is needed for AD query on computers
            $result = _ADObjectExists($computername)
            if ($result <> 1) Then
                msgbox(64,"Error", "The computer you specified (" & $computername & ") can't be found in AD.")
                Exit
            EndIf   
        $result = _ADModifyAttribute2($computername,'msNPAllowDialin','TRUE')
        
        
    ;Check it to make sure it changed - -1 means yes
        $result2 = _ADGetObjectAttribute($computername,'msNPAllowDialin')
        $result3 = _ADGetObjectAttribute($computername,'DialinPrivilege')
    
        If ($result2 == -1) Then
            MsgBox(64,'Info','Dialin Access has been granted. Click OK to start installation',8)
        ;_write_to_log('Odyssey_NON_IS',$computername & ' has dialin rights')
        Else    
            MsgBox(64,'Error','Dialin Access NOT granted.')
        ;_write_to_log('Odyssey_NON_IS',$computername & ' does NOT have dialin rights')
        EndIf
    Case @Error = 1;The Cancel button was pushed
    
    Case @Error = 3;The InputBox failed to open
        Msgbox(64,'Error','Error, the messagebox failed to open.')
        Exit
EndSelect

Func _ADModifyAttribute2($object, $attribute, $value)
    
    RunWait("regsvr32 adsras.dll /s")
$strDomain = "wfsi.priv"

$obj = ObjGet("WinNT://" & $strDomain & '/' & $object)

$obj.getinfo()




$obj.put('dialinprivilege','true')
;$obj.put('msNPAllowDialin','true')
$obj.SetInfo()

return

EndFunc  ;==>_ADModifyAttribute

can anyone help out?

Share this post


Link to post
Share on other sites
wes517

Ok, found a vb script that made it work when i converted it over...

I've seen many people have questions on this while searching, so here's what is working for me.

;_allow_dialin
;$computername = computer's name with no trailing $

Func _allow_dialin($computername)
Const $ADS_SCOPE_SUBTREE = 2

$objConnection = ObjCreate("ADODB.Connection")
$objCommand = ObjCreate("ADODB.Command")
$objConnection.Provider = "ADsDSOObject"

$objConnection.Open("Active Directory Provider")
$objCommand.ActiveConnection = $objConnection

$objCommand.Properties("Page Size") = 1000
$objCommand.Properties("Searchscope") = $ADS_SCOPE_SUBTREE 
$objCommand.Properties("Sort On") = "Name"

$objWMIService = ObjGet("Winmgmts:root\cimv2") 

;Call always gets only one Win32_ComputerSystem object. 
For $objComputer in $objWMIService.InstancesOf("Win32_ComputerSystem") 
$defcompname = $objComputer.caption('Name')
next

If $computername = "" then
   return
EndIf

$objCommand.CommandText = "SELECT Name, ADsPath FROM 'LDAP://dc=DOMAIN,dc=DOMAIN' WHERE objectCategory='computer' AND Name='" & $computername  & "'"
$objRecordSet = $objCommand.Execute
;MsgBox(64,'info', $objRecordset.RecordCount)
$objRecordSet.MoveFirst

$compname = $objRecordSet.Fields("Name").Value
$comppath = $objRecordSet.Fields("ADsPath").Value

If $compname <> "" Then
   $objComputer = ObjGet($comppath)
   $objDIProperty = $objComputer.Get("msNPAllowDialin")
   $objUserParams = $objComputer.Get("userParameters")

msgbox(64,'info',$objUserParams)

   $objUserParamsa = "m:                    d                           "

    If $objDIProperty = "True" and $objUserParams = $objUserParamsa then
    ;If this fires then it was already set and this will do nothing.
        return('Already set')
    Else
    ;It was not set correctly, so now set it the way it should be.
        $objComputer.Put ("msNpAllowDialin", TRUE)
        $objComputer.Put ("userParameters", $objUserParamsa)
        $objComputer.setinfo

        return('Now set')
       
    EndIf
EndIf

EndFunc

$objComputer.Put ("userParameters", $objUserParamsa) seems to have something to do with why it is working... my problem doesn't go away without it...

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×