|
server
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
how to modify dial-in property for a user account
################################################################# Script: Set objUser = GetObject("LDAP://cn=username,ou=Test,dc=company,dc=com,dc=cn") objUser.Put "msNPAllowDialin", False objUser.SetInfo objUser.GetInfo Wscript.echo objUser.Get("msNPAllowDialin") #################################################### I meet the same problem described in KB252398.The script carry out successfully ,but the Dial-in property is not modified. My questions is : 1.KB252398 is for Win2000-based domain£¬but my domain is Win2003-based domain in Native mode. I wonder whether the sulotion works well in my workaround £¿ 2.In KB252398, the link for ADSI.exe downloading is not available now.I want to know how to download the updated ADSI ? 3¡£As well as DC server ,should ADSI.exe be installed on Client computer on which the script runs ? 4¡£Now, the version of activeds.dll on WinXPSP2 is 5.1.2600.2180 ,and the version of activeds.dll on DC is 5.2.3790.3959. Is it necessary to update ADSI ? It should work against Windows 2003 domain. Are you running the script from
an XP desktop with admin credentials? It should work. You shouldn't need to download anything. Do you get errors or does nothing happen? -- Jeffery Hicks Microsoft PowerShell MVP http://www.scriptinganswers.com http://blog.sapien.com Now Available: WSH and VBScript Core: TFM Coming Soon: Windows PowerShell: TFM 2nd Ed. Show quote "£¤£¤£¤" <eagle@no.spam.net> wrote in message news:uZV$TgPIIHA.484@TK2MSFTNGP06.phx.gbl... >I created a script to modify Dial-in property for a user account. > ################################################################# > Script: > Set objUser = > GetObject("LDAP://cn=username,ou=Test,dc=company,dc=com,dc=cn") > objUser.Put "msNPAllowDialin", False > objUser.SetInfo > objUser.GetInfo > Wscript.echo objUser.Get("msNPAllowDialin") > #################################################### > > I meet the same problem described in KB252398.The script carry out > successfully ,but the Dial-in property is not modified. > My questions is : > 1.KB252398 is for Win2000-based domain£¬but my domain is Win2003-based > domain in Native mode. I wonder whether the sulotion works well in my > workaround £¿ > > 2.In KB252398, the link for ADSI.exe downloading is not available now.I > want to know how to download the updated ADSI ? > > 3¡£As well as DC server ,should ADSI.exe be installed on Client computer > on which the script runs ? > > 4¡£Now, the version of activeds.dll on WinXPSP2 is 5.1.2600.2180 ,and the > version of activeds.dll on DC is 5.2.3790.3959. Is it necessary to update > ADSI ? > Yes,I run the script(I have modified the script as following.) from an
WinXPSP2 desktop with domain administrator credential.the script can read Dial-in property for a user account and it seems that the script can modify the Dial-in property too. However,I check the Dial-in property in Dial-in tab in the user's properties through the AD Users and Computers console,I find it is not modified.I use the account to try vpn access and make sure that the Dial-in property is not be modified exactly. The same as running the script on DC server directly .There is no error information occurring. My domain is Win2003-based domain in Native mode. the new script: Set objUser = GetObject("LDAP://cn=username,ou=Test,dc=company,dc=com,dc=cn") objUser.GetInfo Wscript.echo objUser.Get("msNPAllowDialin") newstatus=not objUser.Get("msNPAllowDialin") objUser.Put "msNPAllowDialin", newstatus objUser.SetInfo objUser.GetInfo Wscript.echo objUser.Get("msNPAllowDialin") I know this may seem silly, but are you looking at the account in AD,
running the script and then looking at the account again to see if it changed? If so, are you refreshing Active Directory Users and Computers? I was speaking at a conference a few days ago and someone mentioned a problem with a vbscript that didn't seem to update users when I asked about refreshing the screen and he realized he wasn't and that likely the script was working after all. Your original script worked just fine for me and I don't see why it shouldn't work for you. Is this just a refresh issue? -- Jeffery Hicks Microsoft PowerShell MVP http://www.scriptinganswers.com http://blog.sapien.com Now Available: WSH and VBScript Core: TFM Coming Soon: Windows PowerShell: TFM 2nd Ed. Show quote "£¤£¤£¤" <eagle@no.spam.net> wrote in message news:ucpMbYaIIHA.1184@TK2MSFTNGP04.phx.gbl... > Yes,I run the script(I have modified the script as following.) from an > WinXPSP2 desktop with domain administrator credential.the script can read > Dial-in property for a user account and it seems that the script can > modify the Dial-in property too. However,I check the Dial-in property in > Dial-in tab in the user's properties through the AD Users and Computers > console,I find it is not modified.I use the account to try vpn access and > make sure that the Dial-in property is not be modified exactly. The same > as running the script on DC server directly .There is no error information > occurring. > > My domain is Win2003-based domain in Native mode. > > the new script: > > Set objUser = > GetObject("LDAP://cn=username,ou=Test,dc=company,dc=com,dc=cn") > objUser.GetInfo > Wscript.echo objUser.Get("msNPAllowDialin") > newstatus=not objUser.Get("msNPAllowDialin") > objUser.Put "msNPAllowDialin", newstatus > objUser.SetInfo > objUser.GetInfo > Wscript.echo objUser.Get("msNPAllowDialin") > After I ran the script,I used the account to try vpn access and made sure
that the Dial-in property was not be modified exactly. There is no change after I restart AD Users and Computers. Obviously£¬this is not a refresh issue. Additionally, DisableAccount script can work well.I can almost immediately see the result in AD Users and Computers. ##################################### DisableAccount script: Set objUser = GetObject("LDAP://cn=username,ou=Test,dc=company,dc=com,dc=cn") objUser.AccountDisabled = TRUE objUser.SetInfo ########################################################## You said my original script worked just fine for you. Did you test it in a Win2003-based domain in Win2000 Native mode? Now,I found another issue.If the dail-in property of a account is default ,I mean that it is not ever be changed from default status (Default status is denied access),script code "objUser.Get("msNPAllowDialin")" will return an error.Error code is 8000500D(The ADSI property cannot be found in the property cache). Once the dail-in property of a account is modified,script code "objUser.Get("msNPAllowDialin")" will return right value. My test domain is running Windows 2003 native. The account I changed had
never been modified before and everything worked just fine. Although...I ran the script ON the domain controller. -- Jeffery Hicks Microsoft PowerShell MVP http://www.scriptinganswers.com http://blog.sapien.com Now Available: WSH and VBScript Core: TFM Coming Soon: Windows PowerShell: TFM 2nd Ed. Show quote "£¤£¤£¤" <eagle@no.spam.net> wrote in message news:u6RHVqnIIHA.1184@TK2MSFTNGP04.phx.gbl... > After I ran the script,I used the account to try vpn access and made sure > that the Dial-in property was not be modified exactly. There is no change > after I restart AD Users and Computers. > Obviously£¬this is not a refresh issue. > > Additionally, DisableAccount script can work well.I can almost immediately > see the result in AD Users and Computers. > ##################################### > DisableAccount script: > > Set objUser = > GetObject("LDAP://cn=username,ou=Test,dc=company,dc=com,dc=cn") > objUser.AccountDisabled = TRUE > objUser.SetInfo > ########################################################## > > You said my original script worked just fine for you. Did you test it in a > Win2003-based domain in Win2000 Native mode? > > Now,I found another issue.If the dail-in property of a account is default > ,I mean that it is not ever be changed from default status (Default status > is denied access),script code "objUser.Get("msNPAllowDialin")" will > return an error.Error code is 8000500D(The ADSI property cannot be found > in the property cache). Once the dail-in property of a account is > modified,script code "objUser.Get("msNPAllowDialin")" will return right > value. > Sorry,I think I express myself incorrectly.
My domain is not a native mode. In fact, My domain is window2003-based in Win2000 native mode ,which means my domain is a mixed mode Win2003 domain. I run a script as following to disable the dial-in property of a user account Set objUser = GetObject("LDAP://cn=username,ou=Test,dc=company,dc=com") objUser.Put "msNPAllowDialin", False objUser.SetInfo objUser.GetInfo Wscript.echo objUser.Get("msNPAllowDialin") I can see that the value of msNPAllowDialin has been modified,but there is no change in the Remote Access Permission section of the dial-in tab in the user's properties in AD users and computers console,which is like that addressed in KB252398 (http://support.microsoft.com/kb/252398/en-us) I found a page about adsi downloading,but the link in this page is not available. (http://www.microsoft.com/technet/archive/winntas/downloads/adsi25.mspx?mfr=true ) I want to know how to get the ADSI25 installing file? How to modify the the dial-in property of a user account in a mixed mode domain. Thanks!  |
|||||||||||||||||||||||
Other interesting topics