Listing all users who have the dial-in permission in AD (RAS VPN access)
HI,
Is there any way to list all users in AD who have the dial-in permission for RRAS (Allow Access)?
Please help. Best Regards, SA
December 1st, 2011 1:24am
Use the script below. Save the file as find_users_with_dialin+permission_for_RRAS.vbs
Once the script completes, it writes a file called rras_vpn_users.txt to the same folder as the script.
'***************************************************
'This script will pull all users that have Dial-in
'access from Active Directory and the OU the account
'is in and writes the values out to the file RRAS_VPN_Users.txt
'***************************************************
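Option Explicit

' Lists every user whose Dial-in setting is "Allow access"
' (msNPAllowDialin = TRUE) together with the container/OU of the account,
' one "name,'ou'" line per user, in RRAS_VPN_Users.txt next to this script.
'
' Audit caveats:
'  - Accounts left on "Control access through NPS Network Policy" normally have
'    no msNPAllowDialin value, so this query does not list them; their access is
'    decided by the network policy and has to be reviewed there.
'  - The output is an inventory of remote-access accounts. Keep it somewhere
'    access-controlled and delete it once the review is done.

Const ADS_SCOPE_SUBTREE = 2
Const OUTPUT_FILE_NAME = "RRAS_VPN_Users.txt"

Dim objConnection, objCommand, objRootDSE
Dim objRecordSet, ou
Dim namingContext, fso, outFile
Dim outPath, accountName, lookupFailures

' Error trapping is enabled only around calls that can legitimately fail and is
' checked right afterwards. A script-wide "On Error Resume Next" would hide a
' failed bind or query and could produce an empty or partial report that looks
' like a clean result.
On Error Resume Next
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")
namingContext = objRootDSE.Get("defaultNamingContext")
Set objRootDSE = Nothing
If Err.Number <> 0 Then
    WScript.Echo "Could not connect to Active Directory: " & Err.Description
    WScript.Quit 1
End If

' Paging is required so that more than the server's default result limit
' can be returned.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://" & namingContext & _
    "' WHERE objectCategory='user' " & _
    "AND msNPAllowDialin = TRUE"
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    WScript.Echo "Directory query failed: " & Err.Description
    WScript.Quit 1
End If

' The report is created only after the query succeeded, so a failed run does
' not truncate an earlier report. It is placed in the script's own folder
' rather than whatever the current working directory happens to be.
Set fso = CreateObject("Scripting.FileSystemObject")
outPath = fso.BuildPath(fso.GetParentFolderName(WScript.ScriptFullName), OUTPUT_FILE_NAME)
Set outFile = fso.CreateTextFile(outPath, True)
If Err.Number <> 0 Then
    WScript.Echo "Could not create " & outPath & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

lookupFailures = 0

' No MoveFirst: it raises an error on an empty result set, and a freshly
' executed recordset already starts at the first row.
Do Until objRecordSet.EOF
    accountName = objRecordSet.Fields("Name").Value

    ' Look up the OU/container of the user. The value is reset first so a
    ' failed lookup can never leave the previous user's OU on this line.
    ou = ""
    On Error Resume Next
    ou = getOUByUserName(accountName)
    If Err.Number <> 0 Then
        lookupFailures = lookupFailures + 1
        ou = ""
        Err.Clear
    End If
    On Error GoTo 0

    outFile.WriteLine accountName & ",'" & ou & "'"
    objRecordSet.MoveNext
Loop

outFile.Close
objRecordSet.Close
objConnection.Close

If lookupFailures > 0 Then
    WScript.Echo "OU lookup failed for " & lookupFailures & " user(s); those lines have an empty OU."
End If
WScript.Echo "Complete"
WScript.Quit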
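Function getOUByUserName(ByVal UserName)
    ' Returns the distinguished name of the container/OU holding the first user
    ' object whose "name" attribute equals UserName, searching the whole default
    ' naming context. Returns Empty when no object matches.
    '
    ' NOTE(review): "name" is only unique within one container, so two users
    ' with the same name in different OUs cannot be told apart here. Selecting
    ' distinguishedName in the caller's query would avoid the ambiguity.
    Dim namingContext, ldapFilter, dn
    Dim cn, cmd, rs
    Dim objRootDSE

    Set objRootDSE = GetObject("LDAP://RootDSE")
    namingContext = objRootDSE.Get("defaultNamingContext")
    Set objRootDSE = Nothing

    ' The name is directory data, not a constant: display names such as
    ' "Doe, Jane (Contractor)" contain filter metacharacters. Unescaped, they
    ' break the filter or change what it matches, so the value is escaped.
    ldapFilter = "<LDAP://" & namingContext & _
        ">;(&(objectCategory=User)(name=" & escapeLdapFilterValue(UserName) & "))" & _
        ";distinguishedName;subtree"

    Set cn = CreateObject("ADODB.Connection")
    Set cmd = CreateObject("ADODB.Command")
    cn.Open "Provider=ADsDSOObject;"
    ' Set binds the command to the open connection object instead of copying
    ' its connection string and opening a second, implicit connection.
    Set cmd.ActiveConnection = cn
    cmd.CommandText = ldapFilter
    Set rs = cmd.Execute

    If Not (rs.EOF Or rs.BOF) Then
        dn = rs(0).Value
        ' Drop the leading RDN ("CN=..."); what remains is the parent DN.
        ' With no separator found the position is 0 and the whole DN is returned.
        getOUByUserName = Mid(dn, firstUnescapedComma(dn) + 1)
    End If

    rs.Close
    cn.Close
End Function

Function escapeLdapFilterValue(ByVal value)
    ' Escapes the characters that are special inside an LDAP search filter
    ' (RFC 4515) as \XX hex pairs. The backslash is replaced first so the
    ' escapes added afterwards are not escaped again. The semicolon is also
    ' escaped because the ADO LDAP dialect uses it to separate command fields.
    Dim escaped
    escaped = Replace(value, "\", "\5c")
    escaped = Replace(escaped, "*", "\2a")
    escaped = Replace(escaped, "(", "\28")
    escaped = Replace(escaped, ")", "\29")
    escaped = Replace(escaped, Chr(0), "\00")
    escaped = Replace(escaped, ";", "\3b")
    escapeLdapFilterValue = escaped
End Function

Function firstUnescapedComma(ByVal dn)
    ' Returns the 1-based position of the first comma in dn that is not
    ' preceded by a backslash escape (as in "CN=Doe\, Jane,OU=Staff,..."),
    ' or 0 when there is none.
    Dim i
    firstUnescapedComma = 0
    i = 1
    Do While i <= Len(dn)
        Select Case Mid(dn, i, 1)
            Case "\"
                i = i + 1 ' skip the escaped character
            Case ","
                firstUnescapedComma = i
                Exit Function
        End Select
        i = i + 1
    Loop
End Function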
Regards, ~P MCSE, MCITP, MCTS, MCP, CCNA
December 1st, 2011 2:58am
You can also use dsquery (at the command prompt of a DC):
dsquery * -Filter "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"
The string TRUE must be in all caps (the only time anything is case sensitive in LDAP syntax filters). The same LDAP syntax filter can also be used with other utilities, like the PowerShell Get-ADUser (with AD modules):
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"
The filter can also be used with Joe Richards' free adfind utility.
Richard Mueller - MVP Directory Services
December 1st, 2011 10:42am
Use the script below. Save the file as find_users_with_dialin+permission_for_RRAS.vbs
Once the script completes, it writes a file called rras_vpn_users.txt to the same folder as the script.
'***************************************************
'This script will pull all users that have Dial-in
'access from Active Directory and the OU the account
'is in and writes the values out to the file RRAS_VPN_Users.txt
'***************************************************
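Option Explicit

' Lists every user whose Dial-in setting is "Allow access"
' (msNPAllowDialin = TRUE) together with the container/OU of the account,
' one "name,'ou'" line per user, in RRAS_VPN_Users.txt next to this script.
'
' Audit caveats:
'  - Accounts left on "Control access through NPS Network Policy" normally have
'    no msNPAllowDialin value, so this query does not list them; their access is
'    decided by the network policy and has to be reviewed there.
'  - The output is an inventory of remote-access accounts. Keep it somewhere
'    access-controlled and delete it once the review is done.

Const ADS_SCOPE_SUBTREE = 2
Const OUTPUT_FILE_NAME = "RRAS_VPN_Users.txt"

Dim objConnection, objCommand, objRootDSE
Dim objRecordSet, ou
Dim namingContext, fso, outFile
Dim outPath, accountName, lookupFailures

' Error trapping is enabled only around calls that can legitimately fail and is
' checked right afterwards. A script-wide "On Error Resume Next" would hide a
' failed bind or query and could produce an empty or partial report that looks
' like a clean result.
On Error Resume Next
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

Set objRootDSE = GetObject("LDAP://RootDSE")
namingContext = objRootDSE.Get("defaultNamingContext")
Set objRootDSE = Nothing
If Err.Number <> 0 Then
    WScript.Echo "Could not connect to Active Directory: " & Err.Description
    WScript.Quit 1
End If

' Paging is required so that more than the server's default result limit
' can be returned.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://" & namingContext & _
    "' WHERE objectCategory='user' " & _
    "AND msNPAllowDialin = TRUE"
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    WScript.Echo "Directory query failed: " & Err.Description
    WScript.Quit 1
End If

' The report is created only after the query succeeded, so a failed run does
' not truncate an earlier report. It is placed in the script's own folder
' rather than whatever the current working directory happens to be.
Set fso = CreateObject("Scripting.FileSystemObject")
outPath = fso.BuildPath(fso.GetParentFolderName(WScript.ScriptFullName), OUTPUT_FILE_NAME)
Set outFile = fso.CreateTextFile(outPath, True)
If Err.Number <> 0 Then
    WScript.Echo "Could not create " & outPath & ": " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

lookupFailures = 0

' No MoveFirst: it raises an error on an empty result set, and a freshly
' executed recordset already starts at the first row.
Do Until objRecordSet.EOF
    accountName = objRecordSet.Fields("Name").Value

    ' Look up the OU/container of the user. The value is reset first so a
    ' failed lookup can never leave the previous user's OU on this line.
    ou = ""
    On Error Resume Next
    ou = getOUByUserName(accountName)
    If Err.Number <> 0 Then
        lookupFailures = lookupFailures + 1
        ou = ""
        Err.Clear
    End If
    On Error GoTo 0

    outFile.WriteLine accountName & ",'" & ou & "'"
    objRecordSet.MoveNext
Loop

outFile.Close
objRecordSet.Close
objConnection.Close

If lookupFailures > 0 Then
    WScript.Echo "OU lookup failed for " & lookupFailures & " user(s); those lines have an empty OU."
End If
WScript.Echo "Complete"
WScript.Quit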
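Function getOUByUserName(ByVal UserName)
    ' Returns the distinguished name of the container/OU holding the first user
    ' object whose "name" attribute equals UserName, searching the whole default
    ' naming context. Returns Empty when no object matches.
    '
    ' NOTE(review): "name" is only unique within one container, so two users
    ' with the same name in different OUs cannot be told apart here. Selecting
    ' distinguishedName in the caller's query would avoid the ambiguity.
    Dim namingContext, ldapFilter, dn
    Dim cn, cmd, rs
    Dim objRootDSE

    Set objRootDSE = GetObject("LDAP://RootDSE")
    namingContext = objRootDSE.Get("defaultNamingContext")
    Set objRootDSE = Nothing

    ' The name is directory data, not a constant: display names such as
    ' "Doe, Jane (Contractor)" contain filter metacharacters. Unescaped, they
    ' break the filter or change what it matches, so the value is escaped.
    ldapFilter = "<LDAP://" & namingContext & _
        ">;(&(objectCategory=User)(name=" & escapeLdapFilterValue(UserName) & "))" & _
        ";distinguishedName;subtree"

    Set cn = CreateObject("ADODB.Connection")
    Set cmd = CreateObject("ADODB.Command")
    cn.Open "Provider=ADsDSOObject;"
    ' Set binds the command to the open connection object instead of copying
    ' its connection string and opening a second, implicit connection.
    Set cmd.ActiveConnection = cn
    cmd.CommandText = ldapFilter
    Set rs = cmd.Execute

    If Not (rs.EOF Or rs.BOF) Then
        dn = rs(0).Value
        ' Drop the leading RDN ("CN=..."); what remains is the parent DN.
        ' With no separator found the position is 0 and the whole DN is returned.
        getOUByUserName = Mid(dn, firstUnescapedComma(dn) + 1)
    End If

    rs.Close
    cn.Close
End Function

Function escapeLdapFilterValue(ByVal value)
    ' Escapes the characters that are special inside an LDAP search filter
    ' (RFC 4515) as \XX hex pairs. The backslash is replaced first so the
    ' escapes added afterwards are not escaped again. The semicolon is also
    ' escaped because the ADO LDAP dialect uses it to separate command fields.
    Dim escaped
    escaped = Replace(value, "\", "\5c")
    escaped = Replace(escaped, "*", "\2a")
    escaped = Replace(escaped, "(", "\28")
    escaped = Replace(escaped, ")", "\29")
    escaped = Replace(escaped, Chr(0), "\00")
    escaped = Replace(escaped, ";", "\3b")
    escapeLdapFilterValue = escaped
End Function

Function firstUnescapedComma(ByVal dn)
    ' Returns the 1-based position of the first comma in dn that is not
    ' preceded by a backslash escape (as in "CN=Doe\, Jane,OU=Staff,..."),
    ' or 0 when there is none.
    Dim i
    firstUnescapedComma = 0
    i = 1
    Do While i <= Len(dn)
        Select Case Mid(dn, i, 1)
            Case "\"
                i = i + 1 ' skip the escaped character
            Case ","
                firstUnescapedComma = i
                Exit Function
        End Select
        i = i + 1
    Loop
End Function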
Regards, ~P MCSE, MCITP, MCTS, MCP, CCNA
December 1st, 2011 10:44am
Thanks a lot, this script is working for me.
If you can, please share one more script that lists all users who have the "Password never expires" box ticked in AD.
We created some users with this option, and now I need to find those users.
Best Regards, SA
December 3rd, 2011 8:01am
Please start a new question for that request.
Regards, ~P MCSE, MCITP, MCTS, MCP, CCNA
December 3rd, 2011 8:26am
What about "Control access through Remote Access Policy"? Is there a script that lists the users with this setting enabled?
March 13th, 2012 3:44pm