Mass change to user dial-in setting in AD

  • Question

  • We recently made some changes to our network that require us to set the Network Access Permission to Allow under the Dial-In tab of a user's account in AD. The issue we have is that we have about 600 users in a single OU without a consistent value for this option set. So, my question is if there is a simple way to make the change to all of the users at once? One of our guys played around with creating a GPO, but that doesn't work with what was done on our network.

    I looked at using a dsquery and piping the results to a dsmod command, but either I'm going down the wrong path or I have the syntax wrong.  What I was trying was:

    dsquery user ou="Employee Accounts",ou=users,ou="branch name",dc=domainpiece1,dc=domainpiece2 | dsmod user -msNPAllow DialIn true

    We only want to change the value for this one OU.

    Friday, April 20, 2012 12:27 AM

Answers

  • The dsmod utility cannot modify the msNPAllowDialin attribute. You can use a VBScript program. You would bind to the OU object, enumerate all objects, check for class "user", assign TRUE to the msNPAllowDialin attribute, and invoke the SetInfo method to save the changes to AD. For example:

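    Option Explicit

    Dim objOU, objUser

    ' Bind to the OU that holds the accounts to change.
    Set objOU = GetObject("LDAP://ou=Employee Accounts,ou=users,ou=Branch Name,dc=domainpiece1,dc=domainpiece2")
    ' Enumerates the direct children of the OU only; objects in child OUs are not touched.
    For Each objUser In objOU
        ' Skip anything that is not a user object (groups, contacts, computers).
        If (objUser.Class = "user") Then
            ' TRUE corresponds to "Allow access" on the Dial-In tab.
            objUser.msNPAllowDialin = True
            ' Write the cached change back to AD.
            objUser.SetInfo
        End If
    Next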

    -----



    Richard Mueller - MVP Directory Services

    • Marked as answer by apophistoledo Friday, April 20, 2012 1:48 AM
    Friday, April 20, 2012 1:15 AM
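
The same bulk change in PowerShell, as an added example that is not part of the original thread. It assumes the ActiveDirectory module (RSAT) is installed, uses the placeholder OU from the question, and the function name and CSV path are hypothetical. Because this setting grants remote access, it records every account's previous value before writing anything and supports a -WhatIf preview.

```powershell
#Requires -Modules ActiveDirectory

function Set-OuDialInAllow {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Placeholder DN taken from the thread; replace with the real OU.
        [string]$SearchBase = 'OU=Employee Accounts,OU=users,OU=Branch Name,DC=domainpiece1,DC=domainpiece2',
        # Hypothetical path for the before-change record.
        [string]$BackupCsv = '.\dialin-before.csv'
    )

    # OneLevel limits the search to direct children of the OU,
    # the same scope the VBScript enumeration covers.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope OneLevel `
                        -Properties msNPAllowDialin

    # Save the current state first so the change can be audited or reverted.
    # An unset attribute (access controlled by network policy) is logged as NotSet.
    # -WhatIf:$false makes the report available even during a preview run.
    $users |
        Select-Object DistinguishedName, SamAccountName, Enabled,
            @{ Name = 'OldDialIn'; Expression = {
                if ($null -eq $_.msNPAllowDialin) { 'NotSet' } else { $_.msNPAllowDialin }
            } } |
        Export-Csv -Path $BackupCsv -NoTypeInformation -WhatIf:$false

    $changed = 0
    foreach ($u in $users) {
        # Leave accounts that are already set to Allow untouched.
        if ($u.msNPAllowDialin -eq $true) { continue }

        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set msNPAllowDialin = TRUE')) {
            Set-ADUser -Identity $u -Replace @{ msNPAllowDialin = $true }
            $changed++
        }
    }
    Write-Verbose "$changed of $($users.Count) accounts changed."
}

# Preview: writes the CSV and lists the accounts that would be modified.
Set-OuDialInAllow -WhatIf
```

Review the CSV (including the Enabled column) before running the function again without -WhatIf.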

All replies

  • I was able to change the setting on a test account via command line with this command, but didn't know how to script it for all users in the OU.

    netsh RAS set user name=jsmith dialin=permit

     
    Plus, I did it on the server and the test account had been logged into the server previously, so I wasn't sure if that had a bearing on end user accounts that will never directly log in to that server.
    • Edited by apophistoledo Friday, April 20, 2012 12:34 AM submitted comment before finished
    Friday, April 20, 2012 12:33 AM
  • Thanks Richard. I was wondering about going down that path but I'm not great at VBScript.  It worked perfectly for us!
    Friday, April 20, 2012 1:49 AM
  • Thanks very much for this, saved my bacon.
    Tuesday, January 6, 2015 1:17 PM
  • Thanks a lot! Worked fine.
    Thursday, August 6, 2015 12:29 AM