August 25th, 2005

Hey, Scripting Guy! How Can I Find All the Users with Remote Access Permissions?

question

Hey, Scripting Guy! How can I find all the users with remote access permissions; that is, all those with the Dial-In or VPN property set to Allow?

— RC

answer

Hey, RC. You know, it seems like people are always looking for something: true love, happiness, the meaning of life. We can’t help you with any of those. (We thought we could with the meaning of life, but it turns out we were wrong.) But that’s OK; after all, we can help you find all the users with remote access permissions:

On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2

' Open an ADO connection through the ADSI OLE DB provider.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page the results and search the whole domain subtree.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

' User accounts whose Remote Access Permission is set to Allow.
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user' " & _
        "AND msNPAllowDialin = TRUE"

Set objRecordSet = objCommand.Execute

' Walk the recordset and echo each matching user's name.
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

One piece of advice we always give people is this: any time you’re looking for something, a good place to start your search is in Active Directory. This script is a good example of that. You’re looking for users who have the Allow access option selected on the Dial-in tab of the user’s properties in Active Directory.

As it turns out, the Remote Access Permission (Dial-in or VPN) option equates to the msNPAllowDialin attribute in Active Directory. If access is allowed, msNPAllowDialin will be True. If access is denied, then msNPAllowDialin will be False. And if msNPAllowDialin has no value, then that means the Control access through Remote Access Policy option has been selected.

In other words, to find all the users who have remote access all we need to do is search for user accounts where the msNPAllowDialin attribute is True. We won’t undertake a lengthy explanation of the code for searching Active Directory; that’s covered in detail in our two-part Tales from the Script series Dude, Where’s My Printer? We will, however, show you the query that retrieves those users:

objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user' " & _
        "AND msNPAllowDialin = TRUE"

As you can see, we’re looking for all the Active Directory objects where the objectCategory is equal to user (in other words, we’re looking for user accounts as opposed to group accounts or computer accounts) and where the msNPAllowDialin attribute is True. If we wanted to find all the users who have been denied access we would search for users where the value msNPAllowDialin was equal to False:

objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user' " & _
        "AND msNPAllowDialin = FALSE"

And what about those users who have remote access determined via policy? In that case we can search for users who don’t have a value configured for msNPAllowDialin:

objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://dc=fabrikam,dc=com' WHERE objectCategory='user' " & _
        "AND msNPAllowDialin <> '*'"

Yes, it looks a little crazy, but in ADSI the asterisk is a wildcard representing anything. In this query, we’re asking for a list of users where the msNPAllowDialin property does not equal anything. In other words, show us all the users who have no value for the msNPAllowDialin attribute; users with any other value (True or False) will be excluded. In turn, the users returned by this query will be the users who have remote access determined via policy. (This, by the way, is the default setting. If you don’t specify otherwise, users will have remote access permissions determined by policy.)
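To make that three-way split concrete, here is an added Python example (it is not from this column and not the Scripting Guys’ code). It runs offline over constructed in-memory records shaped like the attributes a directory search returns, classifies each user account as Allow, Deny or Policy-controlled from its msNPAllowDialin value, and builds the LDAP-dialect filter equivalent to each of the three ADO queries above. The record shape, the sample names, the plain string "user" for objectCategory, and the different encodings of “no value” (missing key, None, empty list, or the strings TRUE/FALSE that an export such as LDIF carries) are all assumptions made for the example.

```python
"""Audit msNPAllowDialin (the Dial-in / VPN 'Remote Access Permission').

Added example, not code from the original column. Works offline over
constructed records and reproduces the column's three-way split:
TRUE -> Allow access, FALSE -> Deny access,
no value -> Control access through Remote Access Policy (the default).
"""
from typing import Any, Dict, Iterable, List, Optional

# Constructed sample data (not real accounts). Each dict holds the attributes a
# 'SELECT Name, objectCategory, msNPAllowDialin' search might return. Tools
# represent 'no value' differently (key missing, None, or an empty list) and
# LDIF-style exports carry booleans as the strings TRUE/FALSE; accepting all of
# these is an assumption about the input, handled by normalise_dialin below.
SAMPLE_RECORDS: List[Dict[str, Any]] = [
    {"name": "Alice Alpha", "objectCategory": "user", "msNPAllowDialin": True},
    {"name": "Bob Beta", "objectCategory": "user", "msNPAllowDialin": "TRUE"},
    {"name": "Carol Gamma", "objectCategory": "user", "msNPAllowDialin": False},
    {"name": "Dan Delta", "objectCategory": "user", "msNPAllowDialin": "FALSE"},
    {"name": "Eve Epsilon", "objectCategory": "user"},              # attribute absent
    {"name": "Frank Phi", "objectCategory": "user", "msNPAllowDialin": None},
    {"name": "Grace Psi", "objectCategory": "user", "msNPAllowDialin": []},
    {"name": "SRV01", "objectCategory": "computer", "msNPAllowDialin": True},
]


def normalise_dialin(value: Any) -> Optional[bool]:
    """Return True/False for a set attribute, None when it has no value."""
    if isinstance(value, list):
        if not value:
            return None          # empty multi-valued result: no value at all
        value = value[0]
    if value is None:
        return None
    if isinstance(value, bool):
        return value
    text = str(value).strip().upper()
    if text == "TRUE":
        return True
    if text == "FALSE":
        return False
    raise ValueError(f"unexpected msNPAllowDialin value: {value!r}")


def dialin_state(record: Dict[str, Any]) -> str:
    """Map one record to the Dial-in tab setting: allow, deny or policy."""
    value = normalise_dialin(record.get("msNPAllowDialin"))
    if value is None:
        return "policy"          # 'Control access through Remote Access Policy'
    return "allow" if value else "deny"


def ldap_filter(state: str) -> str:
    """LDAP-dialect filter equivalent to the column's ADO SQL-dialect query.

    The 'policy' case is a presence test negated, (!(attr=*)): it matches only
    records where the attribute has no value, which is not the same as FALSE.
    """
    clauses = {
        "allow": "(msNPAllowDialin=TRUE)",
        "deny": "(msNPAllowDialin=FALSE)",
        "policy": "(!(msNPAllowDialin=*))",
    }
    return f"(&(objectCategory=user){clauses[state]})"


def users_in_state(records: Iterable[Dict[str, Any]], state: str) -> List[str]:
    """Names of user accounts (computers and groups excluded) in one state."""
    return sorted(r["name"] for r in records
                  if r.get("objectCategory") == "user" and dialin_state(r) == state)


def audit(records: Iterable[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Three-way report; the 'allow' list is the one to review for least privilege."""
    records = list(records)
    return {s: users_in_state(records, s) for s in ("allow", "deny", "policy")}


if __name__ == "__main__":
    for state, names in audit(SAMPLE_RECORDS).items():
        print(f"{state:6s} {ldap_filter(state):48s} {', '.join(names)}")
```

Running the block prints one line per state with its LDAP filter and the matching user names; the computer account SRV01 never appears, even though its attribute is TRUE, because the objectCategory clause drops it, exactly as the column’s query does. The separate normalise_dialin step is the point worth keeping from this example: a record whose attribute is FALSE and a record whose attribute is simply missing are different remote-access states, and a report that collapses them will misreport who is controlled by policy.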

Whew; got all that? After returning a recordset of users who meet the criteria, we simply employ these lines of code to cycle through the list, echoing back the name of each user:

Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

Like we said, finding a list of users who have remote access permissions isn’t quite the same thing as finding the meaning of life. But we like to believe that it’s the next best thing.
