LDAP Query in Active Directory - NPS Network Policy Attribute

    Question

  • Hi Guys,

    Does anyone know the best way to search for users in Active Directory (2008) with the attribute "control access through NPS Network Policy" (in user properties > Dial-in tab) set to deny?

    I've tried to put together an LDAP query to filter users but can't find the relevant attribute to put in, and I'm crap at LDAP queries!

    Any help would be great guys.

    Thanks,
    Andrew
    • Edited by andyspeake Thursday, December 13, 2012 10:06 PM
    Thursday, December 13, 2012 9:59 PM

Answers

  • Luckily, there is a whole blog post on this: http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/25/hey-scripting-guy-august-25-2005.aspx

    Cliff's - You are looking for msNPAllowDialin to be null, this is the equivalent of "control access through NPS Network Policy" so something like (&(objectClass=user)(objectCategory=person)(msNPAllowDialin=""))


    Thursday, December 13, 2012 10:40 PM
  • msNPAllowDialin attribute: msNPAllowDialin is a Boolean attribute and it can only accept True, False or Not Set.

    => Shows all users with dial-in set to deny
    dsquery * "OU=ABC,DC=domain,DC=local" -filter msNPAllowDialin=FALSE -attr distinguishedname -limit 0

    => Shows all users with dial-in set to allow
    dsquery * "OU=ABC,DC=domain,DC=local" -filter msNPAllowDialin=TRUE -attr distinguishedname -limit 0

    Find all the users with remote access permissions who have been denied access:
    http://blogs.technet.com/b/heyscriptingguy/archive/2005/08/25/hey-scripting-guy-august-25-2005.aspx

    Using ADfind tool http://www.joeware.net/freetools/tools/adfind/index.htm
    adfind -default -f "&(objectcategory=person)(objectclass=user)(msNPAllowDialin=FALSE)" samaccountname msnpallowdialin -nodn -csv > Users.csv

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Friday, December 14, 2012 6:23 AM
  • I find the filter for users with "Allow access" is:

    (&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))

    -----

    For "Deny access" is:

    (&(objectCategory=person)(objectClass=user)(msNPAllowDialin=FALSE))

    -----

    and, for "Control access through NPS Network Policy":

    (&(objectCategory=person)(objectClass=user)(!msNPAllowDialin=*))

    -----

    The latter means where msNPAllowDialin is <not set> (has no value assigned). The TRUE and FALSE are case sensitive. Boolean values in AD are the only time anything in an LDAP query is case sensitive.


    Richard Mueller - MVP Directory Services

    Friday, December 14, 2012 10:56 AM
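The three filters above, and the empty-string form from the first answer, can be compared side by side without a domain controller. The following is an added example, not code from the thread or from Microsoft: a minimal LDAP filter evaluator run over a constructed set of user records. It assumes simplified AD semantics: attribute names and ordinary string values compare case-insensitively, attributes of Boolean syntax (msNPAllowDialin) match only the exact strings TRUE or FALSE, an attribute that is "Not set" is simply absent from the record, and objectCategory is stored as its short name rather than a schema DN. The record values (alice, bob, carol, SRV01$) are constructed.

```python
# Added example (not from the thread): evaluate LDAP filters against
# constructed AD-like records to show what each msNPAllowDialin filter returns.
# Simplifications assumed: Boolean syntax matches exact TRUE/FALSE only; a
# "Not set" attribute is absent from the dict; objectCategory is a short name.

BOOLEAN_ATTRS = {"msnpallowdialin"}
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
COMPUTER_CLASSES = USER_CLASSES + ["computer"]

# Constructed sample directory: one user per Dial-in state plus a computer.
# Computers also carry objectClass=user, which is why the filters in the
# thread test objectCategory=person as well.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": USER_CLASSES, "msNPAllowDialin": "TRUE"},   # Allow access
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": USER_CLASSES, "msNPAllowDialin": "FALSE"},  # Deny access
    {"sAMAccountName": "carol", "objectCategory": "person",
     "objectClass": USER_CLASSES},           # Control access through NPS policy
    {"sAMAccountName": "SRV01$", "objectCategory": "computer",
     "objectClass": COMPUTER_CLASSES},
]


def parse_filter(text):
    """Parse an LDAP filter into ('&'|'|', [children]), ('!', child) or ('=', attr, value)."""
    text = text.strip()
    tree, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing characters after filter: %r" % text[end:])
    return tree


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    op = s[i]
    if op in "&|":
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated %s list" % op)
        return (op, children), i + 1
    if op == "!":
        i += 1
        if s[i] == "(":
            child, i = _parse(s, i)
        else:
            # AD also accepts the non-RFC shorthand (!attr=value) used above.
            close = s.index(")", i)
            child, i = _parse_item(s[i:close]), close
        if s[i] != ")":
            raise ValueError("unterminated negation")
        return ("!", child), i + 1
    close = s.index(")", i)
    return _parse_item(s[i:close]), close + 1


def _parse_item(item):
    attr, sep, value = item.partition("=")
    if not sep or not attr:
        raise ValueError("bad filter item: %r" % item)
    return ("=", attr, value)


def matches(tree, obj):
    """Evaluate a parsed filter against one record (a dict of attributes)."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, obj) for c in tree[1])
    if kind == "|":
        return any(matches(c, obj) for c in tree[1])
    if kind == "!":
        return not matches(tree[1], obj)
    _, attr, value = tree
    lowered = {k.lower(): v for k, v in obj.items()}   # attribute names are case-insensitive
    key = attr.lower()
    if key not in lowered:
        return False                 # Not set: fails both equality and presence
    stored = lowered[key]
    values = stored if isinstance(stored, list) else [stored]
    if value == "*":
        return True                  # presence test (attr=*)
    if key in BOOLEAN_ATTRS:
        return value in values       # Boolean syntax: exact TRUE / FALSE only
    return value.lower() in (v.lower() for v in values)


def search(filter_text, objects=SAMPLE_OBJECTS):
    """Return the sAMAccountNames of the records matched by an LDAP filter string."""
    tree = parse_filter(filter_text)
    return [o["sAMAccountName"] for o in objects if matches(tree, o)]


BASE = "(&(objectCategory=person)(objectClass=user)"
FILTERS = {
    "Allow access": BASE + "(msNPAllowDialin=TRUE))",
    "Deny access": BASE + "(msNPAllowDialin=FALSE))",
    "Control access through NPS Network Policy": BASE + "(!msNPAllowDialin=*))",
    # The empty-string form compares against the two-character string "" and matches nobody.
    'msNPAllowDialin=""': BASE + '(msNPAllowDialin=""))',
    "lower-case true (Boolean syntax is case-sensitive)": "(msNPAllowDialin=true)",
}

if __name__ == "__main__":
    for label, flt in FILTERS.items():
        print("%-50s -> %s" % (label, search(flt)))
```

Running the script shows the not-set user only under the presence-negation filter, nothing at all for the empty-string and lower-case variants, and, if you drop the objectCategory=person term, the computer account appearing alongside the users.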
  • You can also use Powershell queries for such filtering: http://calumpowell.com/tag/msnpallowdialin/


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, December 15, 2012 4:55 PM

All replies

  • Thanks guys, I managed to do it through the DSQuery command above, but I'm going to try the LDAP filters.... I'll let you know.

    Thanks,

    Andy

    Friday, December 14, 2012 4:22 PM