
AD dialinprivilege/ msNPAllowDialin attribute problem (ADSI question)


I'm trying to figure this one out and having some issues.

After messing around with a script for weeks, I've found out that using LDAP is a problem: using a script to set remote dial-in access updates the GUI, but doesn't actually give permissions everywhere.

Found out that there are 2 parts to it, msNPAllowDialin and dialinprivilege. The first can be updated with the UDF for AD functions here, but dialinprivilege is only through ADSI.

So my question is: how can I set the dialinprivilege for a computer using ADSI?

This is what I tried and doesn't work (I know some of the includes aren't used in the code below, they were in some different attempts).

It pops up a box asking for the computer name to give dial-in rights for, gives the rights to the computer in Active Directory, then proceeds to install the application.

#include <adfunctions.au3> ; not a standard file. It is available in the source folder and on autoit's website
#include <file.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <wfsi.au3>
#include <array.au3>
FileInstall("D:\Autoit Scripts\Odyssey\Adsras.dll", "C:\temp\Adsras.dll")

If Not IsDeclared("sInputBoxAnswer") Then Local $sInputBoxAnswer
$computername = InputBox("Dial In Access", "Please enter the computer name that you want to grant Dial In access to.", @ComputerName, " M", "-1", "-1", "-1", "-1")
Select
    Case @error = 0 ; OK - The string returned is valid
        $computername = $computername & '$' ; $ is needed for AD query on computers
        $result = _ADObjectExists($computername)
        If ($result <> 1) Then
            MsgBox(64, "Error", "The computer you specified (" & $computername & ") can't be found in AD.")
            Exit ; nothing to modify if the object does not exist
        EndIf
        $result = _ADModifyAttribute2($computername, 'msNPAllowDialin', 'TRUE')
        ; Check it to make sure it changed - -1 means yes
        $result2 = _ADGetObjectAttribute($computername, 'msNPAllowDialin')
        $result3 = _ADGetObjectAttribute($computername, 'DialinPrivilege')
        If ($result2 == -1) Then
            MsgBox(64, 'Info', 'Dialin Access has been granted. Click OK to start installation', 8)
            ;_write_to_log('Odyssey_NON_IS',$computername & ' has dialin rights')
        Else
            MsgBox(64, 'Error', 'Dialin Access NOT granted.')
            ;_write_to_log('Odyssey_NON_IS',$computername & ' does NOT have dialin rights')
        EndIf
    Case @error = 1 ; The Cancel button was pushed
    Case @error = 3 ; The InputBox failed to open
        MsgBox(64, 'Error', 'Error, the messagebox failed to open.')
EndSelect

Func _ADModifyAttribute2($object, $attribute, $value)
    ; Register the ADSI RAS extension so the WinNT provider exposes the dial-in properties
    RunWait("regsvr32 adsras.dll /s")
    $strDomain = "wfsi.priv"

    ; Bind to the object through the WinNT provider
    $obj = ObjGet("WinNT://" & $strDomain & '/' & $object)

EndFunc  ;==>_ADModifyAttribute2

Can anyone help out?


OK, found a VBScript that made it work when I converted it over...

I've seen many people have questions on this while searching, so here's what is working for me.

;$computername = computer's name with no trailing $

Func _allow_dialin($computername)

    $objConnection = ObjCreate("ADODB.Connection")
    $objCommand = ObjCreate("ADODB.Command")
    $objConnection.Provider = "ADsDSOObject"

    $objConnection.Open("Active Directory Provider")
    $objCommand.ActiveConnection = $objConnection

    $objCommand.Properties("Page Size") = 1000
    $objCommand.Properties("Searchscope") = 2 ; value of ADS_SCOPE_SUBTREE: search the base and everything below it
    $objCommand.Properties("Sort On") = "Name"

    $objWMIService = ObjGet("Winmgmts:root\cimv2")

    ;Call always gets only one Win32_ComputerSystem object.
    For $objComputer In $objWMIService.InstancesOf("Win32_ComputerSystem")
        $defcompname = $objComputer.Name
    Next

    ;Fall back to the local computer's name when none was passed in
    If $computername = "" Then $computername = $defcompname

    ;$computername is concatenated into the query text, so pass only a validated name
    $objCommand.CommandText = "SELECT Name, ADsPath FROM 'LDAP://dc=DOMAIN,dc=DOMAIN' WHERE objectCategory='computer' AND Name='" & $computername & "'"
    $objRecordSet = $objCommand.Execute
    ;MsgBox(64,'info', $objRecordset.RecordCount)

    ;No matching computer object: reading Fields on an empty recordset would fail
    If $objRecordSet.EOF Then Return ('Not found')

    $compname = $objRecordSet.Fields("Name").Value
    $comppath = $objRecordSet.Fields("ADsPath").Value

    If $compname <> "" Then
        $objComputer = ObjGet($comppath)
        $objDIProperty = $objComputer.Get("msNPAllowDialin")
        $objUserParams = $objComputer.Get("userParameters")

        $objUserParamsa = "m:                    d                           "

        If $objDIProperty = "True" And $objUserParams = $objUserParamsa Then
            ;If this fires then it was already set and this will do nothing.
            Return ('Already set')
        Else
            ;It was not set correctly, so now set it the way it should be.
            $objComputer.Put("msNpAllowDialin", True)
            $objComputer.Put("userParameters", $objUserParamsa)
            ;Put only changes the local property cache; SetInfo writes it to the directory
            $objComputer.SetInfo()

            Return ('Now set')
        EndIf
    EndIf
EndFunc   ;==>_allow_dialin

$objComputer.Put ("userParameters", $objUserParamsa) seems to have something to do with why it is working... my problem doesn't go away without it...

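Two checks that fit the function in the post above, as an added example that is not part of the original posts: a strict allow-list test for the computer name before it is concatenated into the ADSI query, and an audit query that lists every computer object whose msNPAllowDialin is TRUE so that dial-in grants can be reviewed afterwards. The function names and the base DN `dc=example,dc=com` are assumptions made for illustration.

```autoit
; Added example (not the poster's code). Function names and the base DN are placeholders.

; Deliberately strict allow-list: letters, digits and hyphens, at most 15 characters.
; Anything else (quotes, parentheses, wildcards) is rejected before it can reach a query.
Func _IsValidComputerName($sName)
    Return StringRegExp($sName, "^[A-Za-z0-9-]{1,15}$") = 1
EndFunc   ;==>_IsValidComputerName

; Writes the DN of every computer object with msNPAllowDialin=TRUE to the console
; and returns how many were found (-1 with @error set if ADO is unavailable).
Func _ListDialinComputers($sBaseDN)
    Local $oConn = ObjCreate("ADODB.Connection")
    If Not IsObj($oConn) Then Return SetError(1, 0, -1)
    $oConn.Provider = "ADsDSOObject"
    $oConn.Open("Active Directory Provider")

    Local $oCmd = ObjCreate("ADODB.Command")
    $oCmd.ActiveConnection = $oConn
    $oCmd.Properties("Page Size") = 1000
    ; LDAP-dialect query: <base>;filter;attributes;scope
    $oCmd.CommandText = "<LDAP://" & $sBaseDN & ">;" & _
            "(&(objectCategory=computer)(msNPAllowDialin=TRUE));" & _
            "name,distinguishedName;subtree"

    Local $oRS = $oCmd.Execute
    Local $iCount = 0
    While Not $oRS.EOF
        ConsoleWrite($oRS.Fields("distinguishedName").Value & @CRLF)
        $iCount += 1
        $oRS.MoveNext
    WEnd
    $oConn.Close
    Return $iCount
EndFunc   ;==>_ListDialinComputers

; Usage with constructed sample values
If Not _IsValidComputerName("PC-0042") Then Exit 1
Local $iFound = _ListDialinComputers("dc=example,dc=com")
ConsoleWrite("Computers with dial-in allowed: " & $iFound & @CRLF)
```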
