JSI Tip 10596. More ways to determine who has dial-in permission in my domain?

In tip 8459, we used DSQUERY to determine who has dial-in permission in my domain.

In this tip, we will use DSQUERY, ADFind.exe freeware, and VBScript.


Still using DSQUERY.EXE, you can filter for the msNPAllowDialin attribute being TRUE:
@echo off
setlocal EnableDelayedExpansion
set qry=dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)(msNPAllowDialin=TRUE))" -attr distinguishedName -limit 0
for /f "Skip=1 Tokens=*" %%a in ('%qry%') do (
 set dn=%%a#
 set dn=!dn:  =!
 set dn=!dn: #=!
 set dn="!dn:#=!"
 @echo !dn!
)
endlocal


Using ADFind.exe freeware, type the following in a batch or at a CMD.EXE window:
adfind -nodn -csv -nocsvheader -default -f "&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE)" distinguishedName


Using an LDAP (Lightweight Directory Access Protocol) query, you can use an approach similar to tip 9843:
On Error Resume Next
Dim objConnection, objCommand, objRootDSE, strDNSDomain
Dim strFilter, strQuery, objRecordSet
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://RootDSE")
'Get domain
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
'Define the filter elements
strFilter = "(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))"
'List all attributes you will require
strAttributes = "distinguishedName"
'compose query
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 99999
objCommand.Properties("Timeout") = 300
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName")
    'Display the distinguished name, enclosed in quotes
    WScript.Echo """" & strDN & """"
    objRecordSet.MoveNext
Loop
' Clean up.
objConnection.Close
Set objConnection = Nothing
Set objCommand = Nothing
Set objRootDSE = Nothing
Set objRecordSet = Nothing
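
The same filter from PowerShell, as an added example that is not part of the original tip. It assumes a domain-joined machine and a domain account with read access; the Enabled and LastLogon columns are additions here, included so that dial-in grants on disabled or long-idle accounts stand out during a remote-access review.

```powershell
# Added example: list accounts whose Dial-in tab is set to "Allow access"
# (msNPAllowDialin=TRUE). Uses the .NET DirectorySearcher, so the
# ActiveDirectory module is not required.
$filter = '(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE))'

$searcher = [adsisearcher]$filter          # search root defaults to the current domain
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000               # turn on paged results so large domains are fully returned
$searcher.PropertiesToLoad.AddRange([string[]]@(
    'distinguishedName', 'sAMAccountName', 'userAccountControl', 'lastLogonTimestamp'))

$results = $searcher.FindAll()
try {
    $report = foreach ($r in $results) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]

        # lastLogonTimestamp is absent on accounts that have never logged on
        $lastLogon = $null
        $ts = $r.Properties['lastlogontimestamp']
        if ($ts.Count -gt 0) {
            $lastLogon = [datetime]::FromFileTimeUtc([long]$ts[0])
        }

        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            Enabled           = -not ($uac -band 0x2)   # 0x2 = ACCOUNTDISABLE
            LastLogonUtc      = $lastLogon
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}
finally {
    $results.Dispose()                     # release the unmanaged search handle
}

# Enabled accounts first; within each group, oldest (or never) logon first
$report |
    Sort-Object @{Expression = 'Enabled'; Descending = $true}, LastLogonUtc |
    Format-Table -AutoSize
```

Accounts where msNPAllowDialin is not set are not returned by this filter; for those, access is decided by NPS network policy rather than by the user object.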

TAGS: Windows 8