Script to grant dial-in access in Active Directory

I have found that it is not a trivial task to change the dial-in permission on an Active Directory user or computer, because you must update the userParameters attribute at the same time as msNPAllowDialin.

In KB252398, Microsoft says to download the Active Directory Service Interfaces (ADSI) so you can register adsras.dll and use the RAS interface it provides, but the download is no longer available.

I have managed to create a script to allow dial-in: first, I manually allowed one user to dial in, then I read that user's attribute values and apply them to the rest.

First I save the userParameters of a known-good user (dial-in allowed) and a known-bad user (dial-in denied) to files:

# Read both reference users with all attributes (Quest AD cmdlets).
$goodUser = Get-QADUser -IncludeAllProperties -Identity goodUser
$badUser = Get-QADUser -IncludeAllProperties -Identity badUser
$goodUserParams = $goodUser.userParameters
$badUserParams = $badUser.userParameters
# Serialize the two userParameters values so the bulk script can reload them.
Export-Clixml -InputObject $goodUserParams -Path ".\goodUserParams.xml"
Export-Clixml -InputObject $badUserParams -Path ".\badUserParams.xml"

Then run the script to bulk-update all the users:

$goodUserParams = Import-Clixml -Path ".\goodUserParams.xml"
$badUserParams = Import-Clixml -Path ".\badUserParams.xml"
# -SizeLimit 0 removes the default result cap so every user is returned.
$list = Get-QADUser -IncludeAllProperties -SizeLimit 0
$list | foreach{
    # Only touch users whose userParameters is empty or matches one of the two
    # reference values; anything else is a customised value (userParameters also
    # carries per-user Terminal Services settings) and must not be overwritten.
    # -cne is a case-sensitive compare; the default -ne ignores case.
    if (($null -ne $_.userParameters) -and ($_.userParameters -cne $goodUserParams) -and ($_.userParameters -cne $badUserParams)) {
        Write-Host "Skip user: " $_.samAccountName
    }
    else {
        # Write both attributes through the underlying DirectoryEntry and commit once.
        $dirEntry = $_.DirectoryEntry.PSBase
        $dirEntry.InvokeSet('msNPAllowDialin', $true)
        $dirEntry.InvokeSet('userParameters', $goodUserParams)
        $dirEntry.CommitChanges()
    }
}

The same goes for computers, again starting from one allowed and one denied computer account:

# Read both reference computer accounts with all attributes.
$goodPC = Get-QADComputer -IncludeAllProperties -Identity GoodPC
$badPC = Get-QADComputer -IncludeAllProperties -Identity BadPC
$goodUserParams = $goodPC.userParameters
$badUserParams = $badPC.userParameters
# Computer baselines go to their own files so they are not mixed up with the user ones.
Export-Clixml -InputObject $goodUserParams -Path ".\goodPCUserParams.xml"
Export-Clixml -InputObject $badUserParams -Path ".\badPCUserParams.xml"

And apply it to all computers:

$goodUserParams = Import-Clixml -Path ".\goodPCUserParams.xml"
$badUserParams = Import-Clixml -Path ".\badPCUserParams.xml"
# -SizeLimit 0 removes the default result cap so every computer is returned.
$list = Get-QADComputer -IncludeAllProperties -SizeLimit 0
$list | foreach{
    # Same guard as for users: skip accounts with a customised userParameters value.
    if (($null -ne $_.userParameters) -and ($_.userParameters -cne $goodUserParams) -and ($_.userParameters -cne $badUserParams)) {
        Write-Host "Skip computer: " $_.samAccountName
    }
    else {
        $dirEntry = $_.DirectoryEntry.PSBase
        $dirEntry.InvokeSet('msNPAllowDialin', $true)
        $dirEntry.InvokeSet('userParameters', $goodUserParams)
        $dirEntry.CommitChanges()
    }
}
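The two bulk scripts above (users and computers) share one idea: copy a known-good baseline onto every account whose userParameters is empty or still equals one of the two reference values. Below is an added example, not code from the original post, that does the same with the Microsoft ActiveDirectory module instead of the Quest QAD cmdlets, adds an audit function so the dial-in state can be reviewed before and after the change, and honours -WhatIf/-Confirm so the bulk write can be rehearsed first. The function names (Get-DialInStatus, Set-DialInFromBaseline) and their parameters are this example's own assumptions; the XML files are assumed to have been written with Export-Clixml as in the post. Note that an explicit msNPAllowDialin of $true is "Allow access", which NPS applies before its network policies, while $null means "Control access through NPS Network Policy", so the audit lists which accounts end up with the explicit grant.

```powershell
# Added example (not from the original post): baseline-copy dial-in update with the
# ActiveDirectory module. Function and parameter names are this example's assumptions.
#Requires -Modules ActiveDirectory

function Get-DialInQuery {
    # Build the Get-ADObject splat for users or computers. objectCategory is used
    # because computer objects also carry objectClass=user and would otherwise match.
    param([string]$ObjectClass, [string]$SearchBase)
    $filter = if ($ObjectClass -eq 'user') { '(&(objectCategory=person)(objectClass=user))' }
              else { '(objectCategory=computer)' }
    $q = @{ LDAPFilter = $filter; Properties = 'sAMAccountName', 'msNPAllowDialin', 'userParameters' }
    if ($SearchBase) { $q.SearchBase = $SearchBase }
    return $q
}

function Get-DialInStatus {
    # Report the dial-in state of every user or computer for review.
    [CmdletBinding()]
    param(
        [ValidateSet('user', 'computer')] [string]$ObjectClass = 'user',
        [string]$SearchBase
    )
    $q = Get-DialInQuery -ObjectClass $ObjectClass -SearchBase $SearchBase
    Get-ADObject @q | ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.sAMAccountName
            # $null = control through NPS policy; $true = explicit allow; $false = explicit deny
            AllowDialin    = $_.msNPAllowDialin
            HasUserParams  = -not [string]::IsNullOrEmpty($_.userParameters)
        }
    }
}

function Set-DialInFromBaseline {
    # Apply msNPAllowDialin=$true plus the known-good userParameters value to every
    # object whose current value is empty or equals one of the two baselines.
    # Anything else is a customised value (userParameters also carries per-user
    # Terminal Services settings) and is reported instead of overwritten.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [ValidateSet('user', 'computer')] [string]$ObjectClass = 'user',
        [Parameter(Mandatory)] [string]$GoodParamsXml,
        [Parameter(Mandatory)] [string]$BadParamsXml,
        [string]$SearchBase
    )
    $good = Import-Clixml -Path $GoodParamsXml
    $bad  = Import-Clixml -Path $BadParamsXml
    $q = Get-DialInQuery -ObjectClass $ObjectClass -SearchBase $SearchBase

    foreach ($obj in Get-ADObject @q) {
        $current = $obj.userParameters
        # -cne: case-sensitive compare, so two values differing only in letter case
        # are not mistaken for the same baseline.
        $customised = (-not [string]::IsNullOrEmpty($current)) -and ($current -cne $good) -and ($current -cne $bad)
        if ($customised) {
            Write-Warning "Skip $ObjectClass $($obj.sAMAccountName): non-baseline userParameters"
            continue
        }
        if (($obj.msNPAllowDialin -eq $true) -and ($current -ceq $good)) {
            Write-Verbose "Already compliant: $($obj.sAMAccountName)"
            continue
        }
        # ShouldProcess gives -WhatIf and -Confirm for free; one write per object.
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Set msNPAllowDialin=True and baseline userParameters')) {
            Set-ADObject -Identity $obj -Replace @{ msNPAllowDialin = $true; userParameters = $good }
        }
    }
}

# Usage: rehearse with -WhatIf, apply, then re-run the audit to confirm the result.
# Get-DialInStatus -ObjectClass user | Where-Object { $_.AllowDialin -eq $true }
# Set-DialInFromBaseline -ObjectClass user -GoodParamsXml .\goodUserParams.xml -BadParamsXml .\badUserParams.xml -WhatIf
# Set-DialInFromBaseline -ObjectClass computer -GoodParamsXml .\goodPCUserParams.xml -BadParamsXml .\badPCUserParams.xml
```

Running Get-DialInStatus before the change and keeping its output gives a record of which accounts moved from policy-controlled to explicitly allowed, which is the kind of change a reviewer of remote-access rights will want to see.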