Listing all users that have the dial-in permission in AD (RAS VPN access)

  • Question

  • Hi,

    Is there any way to show all users in AD that have the dial-in permission for RRAS (Allow Access)?

    Please help.


    Best Regards, SA
    Thursday, December 1, 2011 6:11 AM

Answers

  • Use the script below. Save the file as find_users_with_dialin+permission_for_RRAS.vbs

    Once the script completes, it will output a file called rras_vpn_users.txt in the same folder as the script.

    '***************************************************
    'This script will pull all users that have Dial-in
    'access from Active Directory and the OU the account
    'is in and writes the values out to the file RRAS_VPN_Users.txt
    '***************************************************
    Option Explicit

    Const ADS_SCOPE_SUBTREE = 2
    Dim objConnection, objCommand, objRootDSE
    Dim objRecordSet, ou
    Dim namingContext, fso, outFile

    ' ADO connection through the ADSI OLE DB provider
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand = CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection

    ' Read the domain naming context (e.g. DC=example,DC=com) from RootDSE
    Set objRootDSE = GetObject("LDAP://RootDSE")
    namingContext = objRootDSE.Get("defaultNamingContext")
    Set objRootDSE = Nothing

    Set fso = CreateObject("Scripting.FileSystemObject")
    Set outFile = fso.CreateTextFile("RRAS_VPN_Users.txt", True)

    ' Paged search, so domains with more than 1000 matches are returned in full
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
    ' msNPAllowDialin = TRUE is the "Allow access" setting on the user's Dial-in tab
    objCommand.CommandText = _
        "SELECT Name FROM 'LDAP://" & namingContext & _
        "' WHERE objectCategory='user' " & _
        "AND msNPAllowDialin = TRUE"

    Set objRecordSet = objCommand.Execute
    ' MoveFirst raises an error on an empty recordset, so guard it instead of
    ' hiding every error with On Error Resume Next
    If Not objRecordSet.EOF Then objRecordSet.MoveFirst
    Do Until objRecordSet.EOF
        ' Call function to find the OU/container from the user name
        ou = getOUByUserName(objRecordSet.Fields("Name").Value)
        outFile.WriteLine objRecordSet.Fields("Name").Value & _
            ",'" & ou & "'"
        objRecordSet.MoveNext
    Loop
    outFile.Close
    objRecordSet.Close
    objConnection.Close

    WScript.Echo "Complete"

    WScript.Quit

    Function getOUByUserName(ByVal UserName)
        ' *** Function to find ou/container of user object ***
        Dim namingContext, ldapFilter, ou, pos
        Dim cn, cmd, rs
        Dim objRootDSE
        Set objRootDSE = GetObject("LDAP://RootDSE")
        namingContext = objRootDSE.Get("defaultNamingContext")
        Set objRootDSE = Nothing

        ' ADSI search dialect: <base>;(filter);attribute list;scope
        ldapFilter = "<LDAP://" & namingContext & _
            ">;(&(objectCategory=User)(name=" & EscapeLdapFilter(UserName) & "))" & _
            ";distinguishedName;subtree"

        Set cn = CreateObject("ADODB.Connection")
        Set cmd = CreateObject("ADODB.Command")
        cn.Open "Provider=ADsDSOObject;"
        Set cmd.ActiveConnection = cn
        cmd.CommandText = ldapFilter

        Set rs = cmd.Execute
        getOUByUserName = ""
        If Not rs.EOF And Not rs.BOF Then
            ' Drop the leading "CN=<name>," RDN to leave the parent container's DN;
            ' a comma escaped as "\," inside the CN is not the RDN separator
            ou = rs(0)
            pos = InStr(ou, ",")
            Do While pos > 1
                If Mid(ou, pos - 1, 1) <> "\" Then Exit Do
                pos = InStr(pos + 1, ou, ",")
            Loop
            If pos > 0 Then getOUByUserName = Mid(ou, pos + 1)
        End If
        rs.Close
        cn.Close
    End Function

    Function EscapeLdapFilter(ByVal s)
        ' Escape the RFC 4515 filter metacharacters so a name containing
        ' \ * ( or ) cannot break or alter the search filter
        s = Replace(s, "\", "\5c")
        s = Replace(s, "*", "\2a")
        s = Replace(s, "(", "\28")
        s = Replace(s, ")", "\29")
        EscapeLdapFilter = s
    End Function
    


    Regards, ~P MCSE, MCITP, MCTS, MCP, CCNA
    Thursday, December 1, 2011 7:44 AM
  • You can also use dsquery (at the command prompt of a DC):

    dsquery * -Filter "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"

    The string TRUE must be in all caps (the only time anything is case sensitive in LDAP syntax filters). The same LDAP syntax filter can also be used with other utilities, like the PowerShell Get-ADUser (with AD modules):

    Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"

    The filter can also be used with Joe Richards' free adfind utility.


    Richard Mueller - MVP Directory Services
    Thursday, December 1, 2011 3:40 PM

All replies

  • Thanks a lot, this script is working for me.

    And if you can, please share one more script that lists all users that have the "password never expires" tick mark in AD.

    We created some of the users with this option; now I need to find out those users.


    Best Regards, SA
    Saturday, December 3, 2011 12:58 PM
  • Please start a new question for that request.

     


    Regards, ~P MCSE, MCITP, MCTS, MCP, CCNA
    Saturday, December 3, 2011 1:23 PM
  • What about control access through Remote Access Policy?  Is there any script to show user with this attribute enabled?
    Tuesday, March 13, 2012 7:41 PM
  • You can also use dsquery (at the command prompt of a DC):

    dsquery * -Filter "(&(objectCatgegory=person)(objectClass=user)(msNPAllowDialin=TRUE))"

    The string TRUE must be in all caps (the only time anything is case sensitive in LDAP syntax filters). The same LDAP syntax filter can also be used with other utilities, like the PowerShell Get-ADUser (with AD modules):

    Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"

    The filter can also be used with Joe Richards' free adfind utility.

     


    Richard Mueller - MVP Directory Services

    You have a typo in the dsquery line above: "catgegory" should be "category".

    Wednesday, September 26, 2012 6:57 PM
  • $usernames = Get-ADUser -Filter * | select -ExpandProperty SamAccountName

    foreach ($username in $usernames) {
        # Request only the attribute needed instead of -Properties * (every attribute of every user)
        $dialin = (Get-ADUser $username -Properties msNPAllowDialin).msNPAllowDialin

        # msNPAllowDialin is a boolean: $true = Allow access, $false = Deny access,
        # $null = "Control access through NPS Network Policy"
        If ($dialin -eq $true) { echo "$username" >> C:\result.txt }
    }

      
    Tuesday, March 15, 2016 3:49 PM
  • # Same user list as the dial-in script above
    $usernames = Get-ADUser -Filter * | select -ExpandProperty SamAccountName

    foreach ($username in $usernames) {
        $expires = (Get-ADUser $username -Properties PasswordNeverExpires).PasswordNeverExpires

        If ($expires -eq $true) { echo "$username" >> C:\result.txt }
    }

    Tuesday, March 15, 2016 9:54 PM
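A single audit that applies Richard Mueller's LDAP-filter approach to all three Dial-in states (including the policy-controlled state asked about above) and folds in Operdale's password-never-expires check, added here as an example rather than code from the thread; it goes beyond the thread by running one server-side query per state instead of looping over every user. It assumes the ActiveDirectory module (RSAT) is installed and writes to the constructed path .\dialin_audit.csv.

```powershell
# Added example, not code from this thread. Assumes the ActiveDirectory module (RSAT)
# and a domain-joined account with read access; the output path is a constructed name.
Import-Module ActiveDirectory

# The Dial-in tab maps to msNPAllowDialin: TRUE = Allow access, FALSE = Deny access,
# attribute absent = "Control access through NPS Network Policy" (the policy-controlled state).
$dialInStates = [ordered]@{
    AllowAccess           = '(msNPAllowDialin=TRUE)'    # TRUE/FALSE must be upper case
    DenyAccess            = '(msNPAllowDialin=FALSE)'
    ControlledByNpsPolicy = '(!(msNPAllowDialin=*))'
}

# One server-side query per state instead of Get-ADUser -Properties * for every user.
$report = foreach ($state in $dialInStates.Keys) {
    $filter = "(&(objectCategory=person)(objectClass=user)$($dialInStates[$state]))"
    Get-ADUser -LDAPFilter $filter -Properties PasswordNeverExpires, LastLogonDate |
        ForEach-Object {
            # Parent container: strip the leading "CN=...," RDN, as the VBScript does,
            # but treat an escaped comma (\,) inside the CN as part of the name.
            $container = $_.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)*,', ''
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                DialInState          = $state
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                LastLogonDate        = $_.LastLogonDate
                Container            = $container
            }
        }
}

$report | Export-Csv -Path .\dialin_audit.csv -NoTypeInformation

# Entries that deserve review: an explicit Allow on a disabled account, or an explicit
# Allow on an account whose password never expires.
$report |
    Where-Object { $_.DialInState -eq 'AllowAccess' -and (-not $_.Enabled -or $_.PasswordNeverExpires) } |
    Format-Table SamAccountName, Enabled, PasswordNeverExpires, LastLogonDate, Container -AutoSize
```

The ControlledByNpsPolicy set is every user whose Dial-in tab was left at its default, so it is usually the largest group; the CSV keeps it for completeness while the table at the end shows only the explicit Allow entries worth checking.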
  • Can I vote two times? Thank you very much!

    Marcelo Costa.

    Tuesday, June 20, 2017 3:52 PM