Subject: how to find users with the checkmark on allow to logon to terminal servers

Spundae wrote:

Hello,

I am looking for a way to find all my users in Active Directory that have a checkmark set at the terminal server tab where you can specify that the user is allowed to logon to terminal server. I tried to do this with adfind or a script with LDAP but failed.

Is there a way, because I also read that this information is in binary?

Thanks in advance

H.S.

Mark D. MacLachlan wrote, in reply to Spundae:

If you take a look using ADSIEdit you will find that the terminal services properties are not actually part of the AD attributes of the user. ADUC merely has some hooks in it to make that configuration easier.

There is a Microsoft DLL you can hunt for called wtsadmin.dll that when registered will let you query these properties.

I wasn't able to find a copy of that DLL with a quick search so you may need to do some digging. I did find a third party freeware version called wts_admin.dll but it looks like that hasn't been updated to newer versions and the DLL would not register on my Windows 7 x64 machine. May work fine for you on a 32 bit machine though.
http://cwashington.netreach.net/main/tools/default.asp?topic=n-z

Hope that helps,

Mark D. MacLachlan

Mark D. MacLachlan wrote, following up on his own reply:

OK, so I did some more digging and came up with the following script. You need to execute it from a server with Terminal Services enabled. This will query all users in your domain that have that check box checked.

[code]
'==========================================================================
'
' NAME: ListUsersDeniesTSLogon.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 7/8/2009
' COPYRIGHT © 2009, All Rights Reserved
'
' COMMENT:
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
' ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
' THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
' PARTICULAR PURPOSE.
'
' IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
' BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
' DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
' WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
' ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
' OF THIS CODE OR INFORMATION.
'
'==========================================================================

' Bind to rootDSE to discover the naming context of the current domain
Set oRootDSE = GetObject("LDAP://rootDSE")
strDomain = oRootDSE.get("defaultNamingContext")

' other categories = computer, user, printqueue, group
qQuery = "<LDAP://" & strDomain & ">;" & _
         "(objectCategory=person)" & _
         ";name,DistinguishedName;subtree"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Open "Provider=ADsDSOObject;"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = qQuery
Set objRecordSet = objCommand.Execute

' AllowLogon is not an LDAP attribute, so every user object has to be
' bound individually and the value read through the TS ADSI extension
While Not objRecordSet.EOF
    Set objUser = GetObject("LDAP://" & objRecordSet.Fields("DistinguishedName"))
    If objUser.AllowLogon = 0 Then
        Wscript.Echo "TS Denied for user " & objRecordSet.Fields("name")
    End If
    objRecordSet.MoveNext
Wend

objConnection.Close
[/code]

Hope that helps,

Mark D. MacLachlan

Spundae wrote:

Hello Mark D. MacLachlan

It worked like a charm. I did have to change it so that it would only search through 1 particular domain and that it would resume on an error, but that's easy.

Thank you very much for your script and quick reply

Mark D. MacLachlan wrote:

Happy to assist.

Richard wrote, quoting "Mark D. MacLachlan" <markd***@live.com> in message news:OZJAL2GAKHA.4376@TK2MSFTNGP04.phx.gbl...:

I can't find documentation on this. Is it possible that AllowLogon is a property method rather than an attribute? This would explain why it cannot be found using ADSI Edit. If it were an attribute, you could use the filter:

(&(objectCategory=person)(objectClass=user)(allowLogon=0))

to retrieve just the users desired. Or, if allowLogon were boolean:

(&(objectCategory=person)(objectClass=user)(allowLogon=FALSE))

Or, at least you could add allowLogon to the list of attributes to retrieve, saving the need to bind to each user object.

Mark D. MacLachlan wrote:

I had a conversation with a MS Support Engineer on this a few years back and was told that it isn't a property within AD. I was told that ADUC only shows those options as a courtesy to customers so they did not have to manage TS access separately from the user object. (If only they had kept that up when Exchange 2007 hit the streets.)

In another thread I have posted code that retrieves the information. It only works when executed from a TS server though.

Richard wrote, quoting "Mark D. MacLachlan" <markd***@live.com> in message news:eJboNrNAKHA.1340@TK2MSFTNGP05.phx.gbl...:

I don't have a TS server, which is why I asked. I think you confirmed that AllowLogon is what I call a property method (a method exposed by the IADsUser interface that returns a value based on other AD attributes). This means you cannot improve the query as I suggested with the clause (allowLogon=0), and avoid the binding steps that slow the script considerably. Other examples of property methods (exposed by IADsUser) are Parent, AccountDisabled, AccountExpirationDate and LastName. None of these show up in ADSI Edit, and none can be used in an ADO query.

Harold (Spundae) wrote:

Thank you Richard and Mark,

For the clarification. When I ran the script it takes a long time, but it does exactly what I wanted. I get a list of users that do not have the checkmark turned on. This was an issue which was played high in our company where a user couldn't logon to Citrix and TS. Somehow the checkmark was not checked and we expect that someone had clicked on this. Too bad we didn't have auditing on. So I needed the script to find maybe others that were affected.

All, thank you, there wasn't much I could google for (or my input was not good :)

Harold
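As an added example (written for this page, not code from the thread or from Mark's script), here is a VBScript variant of the same approach with the two changes Harold mentions (scoping the search to one named domain and continuing past a user that fails to bind), plus server-side paging, which the original query lacks and without which an ADSI/ADO query is cut off at the domain's default 1000-result limit. Like the original, it must run on a server with Terminal Services installed, because AllowLogon is provided by the TS ADSI extension rather than stored as an LDAP attribute; strDomainDN is a placeholder you must replace.

```vbscript
' Audit which enabled users have "Allow logon to terminal server" cleared.
' Constructed example for this page; strDomainDN is a placeholder.
Option Explicit
On Error Resume Next

Const ADS_UF_ACCOUNTDISABLED = 2          ' bit in userAccountControl
Dim strDomainDN, objConnection, objCommand, objRecordSet
Dim objUser, strSam, strDN, lngUAC, lngAllow
strDomainDN = "DC=example,DC=local"      ' PLACEHOLDER: the one domain to audit

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' objectClass=user excludes contacts, which objectCategory=person alone returns
' and which have no AllowLogon property to read.
objCommand.CommandText = "<LDAP://" & strDomainDN & ">;" & _
    "(&(objectCategory=person)(objectClass=user));" & _
    "sAMAccountName,distinguishedName,userAccountControl;subtree"
objCommand.Properties("Page Size") = 500   ' enable paging: no 1000-result cap
objCommand.Properties("Timeout") = 60
Set objRecordSet = objCommand.Execute

WScript.Echo "sAMAccountName;status"
Do Until objRecordSet.EOF
    strSam = objRecordSet.Fields("sAMAccountName").Value
    strDN  = Replace(objRecordSet.Fields("distinguishedName").Value, "/", "\/")
    lngUAC = objRecordSet.Fields("userAccountControl").Value

    If (lngUAC And ADS_UF_ACCOUNTDISABLED) = 0 Then   ' skip disabled accounts
        Err.Clear
        Set objUser = GetObject("LDAP://" & strDN)
        If Err.Number <> 0 Then
            WScript.Echo strSam & ";BIND FAILED 0x" & Hex(Err.Number)
        Else
            Err.Clear
            lngAllow = objUser.AllowLogon      ' needs the TS ADSI extension
            If Err.Number <> 0 Then
                WScript.Echo strSam & ";AllowLogon unreadable 0x" & Hex(Err.Number)
            ElseIf lngAllow = 0 Then
                WScript.Echo strSam & ";TS logon DENIED"
            End If
        End If
    End If
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close
```

Redirect the output to a file (cscript //nologo script.vbs > audit.txt) to keep a dated baseline; a later diff against it shows which accounts had the checkbox cleared in the meantime.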