Posted

I'm trying to figure this one out and having some issues.

After messing around with a script for weeks, I've found out that using LDAP is a problem and using a script to set remote dialin access, it updates the GUI, but doesn't actually give permissions everywhere.

Found out that there's 2 parts to it, msNPAllowDialin and dialinprivilege. The first can be updated with the UDF for AD functions here, but dialinprivilege is only through ADSI.

So my question is: how can I set the dialinprivilege for a computer using ADSI?

This is what I tried and it doesn't work (I know some of the includes aren't used in the code below; they were in some different attempts):

#cs 
It pops up a box asking for the computer name to give dial-in rights for, gives the rights to the computer in Active Directory, then proceeds to install the application.

#ce
#NoTrayIcon
autoitsetoption("RunErrorsFatal",0)
autoitsetoption("WinTitleMatchMode",2)
#include <adfunctions.au3>; not a standard file. It is available in the source folder and on autoit's website
#include <file.au3>
#include <GUIConstantsEx.au3>
#include <StaticConstants.au3>
#include <WindowsConstants.au3>
#include <wfsi.au3>
#include <array.au3>
#AutoIt3Wrapper_icon=Odyssey.ico 
Fileinstall("D:\Autoit Scripts\Odyssey\Adsras.dll","C:\temp\Adsras.dll")

If Not IsDeclared("sInputBoxAnswer") Then Local $sInputBoxAnswer
$computername = InputBox("Dial In Access","Please enter the computer name that you want to grant Dial In access to.",@ComputerName," M","-1","-1","-1","-1")
Select
    Case @Error = 0;OK - The string returned is valid
        $computername = $computername & '$';$ is needed for AD query on computers
            $result = _ADObjectExists($computername)
            if ($result <> 1) Then
                msgbox(64,"Error", "The computer you specified (" & $computername & ") can't be found in AD.")
                Exit
            EndIf   
        $result = _ADModifyAttribute2($computername,'msNPAllowDialin','TRUE')
        
        
    ;Check it to make sure it changed - -1 means yes
        $result2 = _ADGetObjectAttribute($computername,'msNPAllowDialin')
        $result3 = _ADGetObjectAttribute($computername,'DialinPrivilege')
    
        If ($result2 == -1) Then
            MsgBox(64,'Info','Dialin Access has been granted. Click OK to start installation',8)
        ;_write_to_log('Odyssey_NON_IS',$computername & ' has dialin rights')
        Else    
            MsgBox(64,'Error','Dialin Access NOT granted.')
        ;_write_to_log('Odyssey_NON_IS',$computername & ' does NOT have dialin rights')
        EndIf
    Case @Error = 1;The Cancel button was pushed
    
    Case @Error = 3;The InputBox failed to open
        Msgbox(64,'Error','Error, the messagebox failed to open.')
        Exit
EndSelect

Func _ADModifyAttribute2($object, $attribute, $value)
    ; Register adsras.dll silently
    RunWait("regsvr32 adsras.dll /s")
    $strDomain = "wfsi.priv"

    ; Bind to the computer account through the WinNT provider
    $obj = ObjGet("WinNT://" & $strDomain & '/' & $object)
    $obj.getinfo()

    $obj.put('dialinprivilege','true')
    ;$obj.put('msNPAllowDialin','true')
    $obj.SetInfo()

    return
EndFunc  ;==>_ADModifyAttribute2

can anyone help out?

Posted

OK, found a VB script that made it work when I converted it over...

I've seen many people have questions on this while searching, so here's what is working for me.

;_allow_dialin
;$computername = computer's name with no trailing $

Func _allow_dialin($computername)
    Const $ADS_SCOPE_SUBTREE = 2

    ; ADO connection through the ADSI OLE DB provider
    $objConnection = ObjCreate("ADODB.Connection")
    $objCommand = ObjCreate("ADODB.Command")
    $objConnection.Provider = "ADsDSOObject"

    $objConnection.Open("Active Directory Provider")
    $objCommand.ActiveConnection = $objConnection

    $objCommand.Properties("Page Size") = 1000
    $objCommand.Properties("Searchscope") = $ADS_SCOPE_SUBTREE
    $objCommand.Properties("Sort On") = "Name"

    $objWMIService = ObjGet("Winmgmts:root\cimv2")

    ;Call always gets only one Win32_ComputerSystem object.
    For $objComputer in $objWMIService.InstancesOf("Win32_ComputerSystem")
        $defcompname = $objComputer.caption('Name')
    Next

    If $computername = "" Then
        Return
    EndIf

    ; Look the computer object up by name; $computername goes into the query text as-is
    $objCommand.CommandText = "SELECT Name, ADsPath FROM 'LDAP://dc=DOMAIN,dc=DOMAIN' WHERE objectCategory='computer' AND Name='" & $computername  & "'"
    $objRecordSet = $objCommand.Execute
    ;MsgBox(64,'info', $objRecordset.RecordCount)
    ; Added guard: MoveFirst raises a COM error on an empty recordset
    If $objRecordSet.EOF Then Return('Not found')
    $objRecordSet.MoveFirst

    $compname = $objRecordSet.Fields("Name").Value
    $comppath = $objRecordSet.Fields("ADsPath").Value

    If $compname <> "" Then
        $objComputer = ObjGet($comppath)
        $objDIProperty = $objComputer.Get("msNPAllowDialin")
        $objUserParams = $objComputer.Get("userParameters")

        msgbox(64,'info',$objUserParams)

   $objUserParamsa = "m:                    d                           "

    If $objDIProperty = "True" and $objUserParams = $objUserParamsa then
        ;If this fires then it was already set and this will do nothing.
        return('Already set')
    Else
        ;It was not set correctly, so now set it the way it should be.
        $objComputer.Put ("msNpAllowDialin", TRUE)
        $objComputer.Put ("userParameters", $objUserParamsa)
        $objComputer.SetInfo()

        return('Now set')
    EndIf
    EndIf

EndFunc

$objComputer.Put ("userParameters", $objUserParamsa) seems to have something to do with why it is working... my problem doesn't go away without it...
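
Added example, not part of the original posts: `_allow_dialin` builds its query by concatenating `$computername` into the text, so a name containing a quote changes the query. One way to do the same lookup with an allow-list check and RFC 4515 filter escaping, using the ADSI LDAP query dialect instead of the SQL dialect; `_LdapEscape`, `_FindComputerPath`, `$sBaseDN` and the name policy are assumptions.

```autoit
; Added example. $sBaseDN is an assumption, e.g. "dc=DOMAIN,dc=DOMAIN" as in the post.

; Escape the characters \ * ( ) that are special in an LDAP search filter (RFC 4515).
Func _LdapEscape($sValue)
    $sValue = StringReplace($sValue, "\", "\5c") ; backslash first, so later escapes survive
    $sValue = StringReplace($sValue, "*", "\2a")
    $sValue = StringReplace($sValue, "(", "\28")
    $sValue = StringReplace($sValue, ")", "\29")
    Return $sValue
EndFunc   ;==>_LdapEscape

; Returns the ADsPath of the computer object, or "" with @error set:
;   1 = name rejected, 2 = ADO objects unavailable, 3 = query failed or no match
Func _FindComputerPath($sComputer, $sBaseDN)
    ; Assumed naming policy: 1-15 characters, letters, digits and hyphen only
    If Not StringRegExp($sComputer, "^[A-Za-z0-9-]{1,15}$") Then Return SetError(1, 0, "")

    Local $oConn = ObjCreate("ADODB.Connection")
    Local $oCmd = ObjCreate("ADODB.Command")
    If Not IsObj($oConn) Or Not IsObj($oCmd) Then Return SetError(2, 0, "")
    $oConn.Provider = "ADsDSOObject"
    $oConn.Open("Active Directory Provider")
    $oCmd.ActiveConnection = $oConn

    ; LDAP dialect: <base>;filter;attributes;scope
    ; The value is escaped even though the allow-list already passed (defence in depth).
    $oCmd.CommandText = "<LDAP://" & $sBaseDN & ">;" & _
            "(&(objectCategory=computer)(name=" & _LdapEscape($sComputer) & "));" & _
            "name,ADsPath;subtree"
    Local $oRS = $oCmd.Execute

    ; An empty recordset means the computer was not found
    If Not IsObj($oRS) Or $oRS.EOF Then
        $oConn.Close()
        Return SetError(3, 0, "")
    EndIf

    Local $sPath = $oRS.Fields("ADsPath").Value
    $oConn.Close()
    Return $sPath
EndFunc   ;==>_FindComputerPath
```

The returned path can be passed to `ObjGet()` in place of `$comppath`; check `@error` before using it.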
