{"id":69093,"date":"2005-08-25T00:01:00","date_gmt":"2005-08-25T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2005\/08\/25\/hey-scripting-guy-how-can-i-find-all-the-users-with-remote-access-permissions\/"},"modified":"2018-12-19T11:11:10","modified_gmt":"2018-12-19T18:11:10","slug":"hey-scripting-guy-how-can-i-find-all-the-users-with-remote-access-permissions","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-find-all-the-users-with-remote-access-permissions\/","title":{"rendered":"Hey, Scripting Guy! How Can I Find All the Users with Remote Access Permissions?"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" class=\"alignleft size-full wp-image-83488\" src=\"http:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2005\/08\/q-for-powertip.jpg\" alt=\"question\" width=\"34\" height=\"34\" \/><\/p>\n<p>Hey, Scripting Guy! How can I find all the users with remote access permissions; that is, all those with the Dial-In or VPN property set to\u00a0<b>Allow<\/b>?<\/p>\n<p>&#8212; RC<\/p>\n<p><a href=\"http:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2005\/08\/a-for-powertip.jpg\"><img decoding=\"async\" class=\"alignleft size-full wp-image-83489\" src=\"http:\/\/devblogs.microsoft.com\/scripting\/wp-content\/uploads\/sites\/29\/2005\/08\/a-for-powertip.jpg\" alt=\"answer\" width=\"34\" height=\"34\" \/><\/a><\/p>\n<p>Hey, RC. You know, it seems like people are always looking for something: true love, happiness, the meaning of life. We can\u2019t help you with any of those. 
(We thought we could with the meaning of life, but it turns out we were wrong.) But that\u2019s OK; after all, we\u00a0<i>can<\/i>\u00a0help you find all the users with remote access permissions:<\/p>\n<pre class=\"codeSample\"><span style=\"background-color: #d6d6d6;\">On Error Resume Next<\/span><\/pre>\n<pre class=\"codeSample\"><span style=\"background-color: #d6d6d6;\">Const ADS_SCOPE_SUBTREE = 2<\/span><\/pre>\n<pre class=\"codeSample\"><span style=\"background-color: #d6d6d6;\">' Connect to Active Directory through the ADSI OLE DB provider\r\nSet objConnection = CreateObject(\"ADODB.Connection\")\r\nSet objCommand = CreateObject(\"ADODB.Command\")\r\nobjConnection.Provider = \"ADsDSOObject\"\r\nobjConnection.Open \"Active Directory Provider\"\r\nSet objCommand.ActiveConnection = objConnection<\/span><\/pre>\n<pre class=\"codeSample\"><span style=\"background-color: #d6d6d6;\">' Page through results 1000 at a time and search the whole subtree\r\nobjCommand.Properties(\"Page Size\") = 1000\r\nobjCommand.Properties(\"Searchscope\") = ADS_SCOPE_SUBTREE<\/span><\/pre>\n<pre class=\"codeSample\"><span style=\"background-color: #d6d6d6;\">' Return user accounts whose Dial-in permission is set to Allow access\r\nobjCommand.CommandText = _\r\n    \"SELECT Name FROM 'LDAP:\/\/dc=fabrikam,dc=com' WHERE objectCategory='user' \" &amp; _\r\n        \"AND msNPAllowDialin = TRUE\"\r\nSet objRecordSet = objCommand.Execute<\/span><\/pre>\n<pre class=\"codeSample\"><span style=\"background-color: #d6d6d6;\">' Echo the name of each matching user\r\nobjRecordSet.MoveFirst\r\nDo Until objRecordSet.EOF\r\n    Wscript.Echo objRecordSet.Fields(\"Name\").Value\r\n    objRecordSet.MoveNext\r\nLoop<\/span><\/pre>\n<p><span style=\"background-color: #ffffff;\">One piece of advice we always give people is this: any time you\u2019re looking for something, a good place to start your search is in<\/span> Active Directory. This script is a good example of that. 
You\u2019re looking for users who have the\u00a0<b>Allow access<\/b>\u00a0option selected on the\u00a0<b>Dial-in<\/b>\u00a0tab in Active Directory:<\/p>\n<p>As it turns out, the\u00a0<b>Remote Access Permission (Dial-in or VPN)<\/b>\u00a0option equates to the\u00a0<b>msNPAllowDialin<\/b>\u00a0attribute in Active Directory. If access is allowed, msNPAllowDialin will be True. If access is denied, then msNPAllowDialin will be False. And if msNPAllowDialin has no value, then that means the\u00a0<b>Control access through Remote Access Policy<\/b>\u00a0option has been selected.<\/p>\n<p>In other words, to find all the users who have remote access all we need to do is search for user accounts where the msNPAllowDialin attribute is True. We won\u2019t undertake a lengthy explanation of the code for searching Active Directory; that\u2019s covered in detail in our two-part\u00a0<a title=\"Tales from the Script\" href=\"http:\/\/technet.microsoft.com\/en-us\/library\/ee707302.aspx\"><b>Tales from the Script<\/b><\/a>\u00a0series\u00a0<i>Dude, Where\u2019s My Printer?<\/i>\u00a0We will, however, show you the query that retrieves those users:<\/p>\n<pre class=\"codeSample\">objCommand.CommandText = _\r\n    \"SELECT Name FROM 'LDAP:\/\/dc=fabrikam,dc=com' WHERE objectCategory='user' \" &amp; _\r\n        \"AND msNPAllowDialin = TRUE\"<\/pre>\n<p>As you can see, we\u2019re looking for all the Active Directory objects where the\u00a0<b>objectCategory<\/b>\u00a0is equal to user (in other words, we\u2019re looking for user accounts as opposed to group accounts or computer accounts)\u00a0<i>and<\/i>\u00a0where the msNPAllowDialin attribute is True. 
If we wanted to find all the users who have been\u00a0<i>denied<\/i>\u00a0access we would search for users where the value msNPAllowDialin was equal to False:<\/p>\n<pre class=\"codeSample\">objCommand.CommandText = _\r\n    \"SELECT Name FROM 'LDAP:\/\/dc=fabrikam,dc=com' WHERE objectCategory='user' \" &amp; _\r\n        \"AND msNPAllowDialin = FALSE\"<\/pre>\n<p>And what about those users who have remote access determined via policy? In that case we can search for users who don\u2019t have a value configured for msNPAllowDialin:<\/p>\n<pre class=\"codeSample\">objCommand.CommandText = _\r\n    \"SELECT Name FROM 'LDAP:\/\/dc=fabrikam,dc=com' WHERE objectCategory='user' \" &amp; _\r\n        \"AND msNPAllowDialin &lt;&gt; '*'\"<\/pre>\n<p>Yes, it looks a little crazy, but in ADSI the asterisk is a wildcard representing anything. In this query, we\u2019re asking for a list of users where the msNPAllowDialin property does\u00a0<i>not<\/i>\u00a0equal anything. In other words, show us all the users who have no value for the msNPAllowDialin attribute; users with any other value (True or False) will be excluded. In turn, the users returned by this query will be the users who have remote access determined via policy. (This, by the way, is the default setting. If you don\u2019t specify otherwise, users will have remote access permissions determined by policy.)<\/p>\n<p>Whew; got all that? After returning a recordset of users who meet the criteria, we simply employ these lines of code to cycle through the list, echoing back the name of each user:<\/p>\n<pre class=\"codeSample\">Do Until objRecordSet.EOF\r\n    Wscript.Echo objRecordSet.Fields(\"Name\").Value\r\n    objRecordSet.MoveNext\r\nLoop<\/pre>\n<p>Like we said, finding a list of users who have remote access permissions isn\u2019t quite the same thing as finding the meaning of life. 
But we like to believe that it\u2019s the next best thing.<\/p>\n<p>&nbsp;<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; &nbsp; &nbsp; Hey, Scripting Guy! How can I find all the users with remote access permissions; that is, all those with the Dial-In or VPN property set to\u00a0Allow? &#8212; RC &nbsp; Hey, RC. You know, it seems like people are always looking for something: true love, happiness, the meaning of life. We can\u2019t help [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[68,3],"class_list":["post-69093","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-error-handling","tag-scripting-guy"],"acf":[],"blog_post_summary":"<p>&nbsp; &nbsp; &nbsp; Hey, Scripting Guy! How can I find all the users with remote access permissions; that is, all those with the Dial-In or VPN property set to\u00a0Allow? &#8212; RC &nbsp; Hey, RC. You know, it seems like people are always looking for something: true love, happiness, the meaning of life. 
We can\u2019t help [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69093","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=69093"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/69093\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=69093"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=69093"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=69093"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}