ADSI WinNT get User properties

    Question

  • I want to read the Network Access Permission property value of a local user account (Local Users and Groups ► Properties ► Dial-in tab) on WS2012R2 in a workgroup environment.

    I run this vbscript:

    On Error Resume Next
    Set usr = GetObject("WinNT://<Workgroup_name>/<computer_name>/<user_name>,user")
    
    WScript.Echo "Parameters " & usr.Parameters
    WScript.Echo "RasPermissions " & usr.RasPermissions
    WScript.Echo "DialinPrivilege " & usr.DialinPrivilege
    WScript.Echo "msNPAllowDialin " & usr.msNPAllowDialin
    
    WScript.Echo "MaxDisconnectionTime " & usr.MaxDisconnectionTime

    and get only:

    Parameters m                     d                              P♣▲∟☺msNPAllowDi
    alin?????????????☺CtxCfgPresent????☺CtxCfgFlags1????☺CtxShadow????*☻☺CtxMinEncry
    ptionLevel?
    MaxDisconnectionTime 60

    — just msNPAllowDialin mentioned in Parameters string value, but in unreadable form.

    How can I accomplish this?

    Friday, January 4, 2019 12:14 PM

All replies

  • Remove "On Error" line and look at the errors.

    User remoting attributes do not exist in a workgroup.  They are for AD only.


    \_(ツ)_/

    Friday, January 4, 2019 2:31 PM
  • You are binding to a local user account on a computer, but msNPAllowDialin is a Boolean attribute of domain user accounts. Parameters and rasPermissions are properties of local users, but rasPermissions has a special format and Parameters is difficult to interpret. I've never seen DialinPrivilege or MaxDisconnectionTime, so maybe they are new.

    Reference for DialinPrivilege:

    https://docs.microsoft.com/en-us/windows/desktop/api/mprapi/ns-mprapi-_ras_user_0

    Reference for MaxDisconnectionTime:

    https://docs.microsoft.com/en-us/windows/desktop/api/tsuserex/nn-tsuserex-iadstsuserex


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Friday, January 4, 2019 3:16 PM
    Moderator
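
The RAS_USER_0 structure referenced above is the level-0 buffer filled in by the MprAdminUserGetInfo function in mprapi.dll. The following PowerShell is an added example, not code from any poster in this thread: it calls that function through P/Invoke and tests the dial-in bit of bfPrivilege. The helper name Get-DialInPrivilege and the wrapper type MprApi are made up for the example, and the flag value 0x08 for RASPRIV_DialinPrivilege is taken from mprapi.h rather than from this page.

```powershell
# Added example: query the dial-in privilege of a local account through
# MprAdminUserGetInfo (mprapi.dll), which fills a RAS_USER_0 structure.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;

// RAS_USER_0 { BYTE bfPrivilege; WCHAR wszPhoneNumber[MAX_PHONE_NUMBER_LEN + 1]; }
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct RAS_USER_0
{
    public byte bfPrivilege;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 129)]   // 128 + terminator
    public string wszPhoneNumber;
}

public static class MprApi
{
    [DllImport("mprapi.dll", CharSet = CharSet.Unicode)]
    public static extern uint MprAdminUserGetInfo(
        string lpszServer, string lpszUser, uint dwLevel, out RAS_USER_0 lpbBuffer);
}
'@

function Get-DialInPrivilege {          # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [string]$Server                 # empty = local computer
    )
    $RASPRIV_DialinPrivilege = 0x08     # bit in bfPrivilege (mprapi.h)

    # PowerShell turns $null into "" for string arguments; NullString passes a real NULL
    $srv = if ($Server) { $Server } else { [NullString]::Value }
    $info = New-Object RAS_USER_0
    $rc = [MprApi]::MprAdminUserGetInfo($srv, $UserName, 0, [ref]$info)
    if ($rc -ne 0) { throw "MprAdminUserGetInfo returned error $rc for '$UserName'" }

    [pscustomobject]@{
        User          = $UserName
        RawPrivilege  = '0x{0:X2}' -f $info.bfPrivilege
        DialInAllowed = [bool]($info.bfPrivilege -band $RASPRIV_DialinPrivilege)
    }
}

# 'guest' is the sample account name used elsewhere in this thread
Get-DialInPrivilege -UserName 'guest'
```

A non-zero return code is a Win32 error number, which `net helpmsg <code>` will translate.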
  • This will get all Mandatory and Optional properties for a local user even if they are not set for that user.  RAS and DIALIN are not part of optional properties in W10 and later.

    strComputer = "alpha"
    strUser = "guest"
    Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",user")
    ' The schema class object lists every property defined for a user
    Set objClass = GetObject(objUser.Schema)

    WScript.Echo "Mandatory properties for " & objUser.Name & ":"
    For Each property in objClass.MandatoryProperties
        WScript.Echo property, objUser.Get(property)
    Next

    WScript.Echo "Optional properties for " & objUser.Name & ":"
    On Error Resume Next
    For Each property in objClass.OptionalProperties
        Err.Clear   ' Err stays set after a failure unless it is cleared
        p = objUser.Get(property)
        If Err.Number <> 0 Then p = "NOT FOUND"
        If IsArray(p) Then p = "(array value)"   ' WScript.Echo cannot print arrays
        WScript.Echo property, p
    Next
    

    On a server with RAS installed the settings for RAS may be added.  I don't feel like cranking up a workgroup server and domain servers are no help with workgroup settings.


    \_(ツ)_/

    Friday, January 4, 2019 3:50 PM
  • I set up a workgroup computer on a workgroup and it does not add the RAS properties to a local account.


    \_(ツ)_/

    Friday, January 4, 2019 4:06 PM
  • This shows no mandatory properties and 23 optional (21 - "NOT FOUND" and just "Description" and "FullName" set.)
    What does it give me?

    "LastLogin" is "NOT FOUND", but I can read this value.
    There is no "MaxDisconnectionTime" among them, but I can get it as well…

    • Edited by Everlighter Thursday, January 10, 2019 2:35 PM Quote several property names
    Thursday, January 10, 2019 2:31 PM
  • These things do not exist for local accounts. Some properties on local accounts are not displayed with WinNT for older systems.


    \_(ツ)_/

    Thursday, January 10, 2019 2:39 PM
  • I believe LastLogin is a property method. I can retrieve it on Windows 7 and Windows 10 clients. The MaxDisconnectionTime seems to exist, as a method, not a property. I don't know how to retrieve a value.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    Thursday, January 10, 2019 3:46 PM
    Moderator
  • Yes.  Most are property methods.  The script is just a way to get all the available properties defined in the schema for a user object.


    \_(ツ)_/

    Thursday, January 10, 2019 3:55 PM
  • The easiest way to get all properties is to use:

    Get-LocalUser userid | fl *

    LastLogon is not defined on any local account that I have checked.  I believe it does exist in the registry.


    \_(ツ)_/

    Thursday, January 10, 2019 3:58 PM
  • The commands in this module do get lastlogon

    Find-Module localaccount

    Get-LocalUser userid | select *


    \_(ツ)_/

    Thursday, January 10, 2019 4:01 PM