For an upcoming project, we started moving an external vendor off of a Microsoft PPTP VPN tunnel (per user client), to a fixed VPN tunnel using IPSEC, and handled at the gateway. During this migration, it was decided to remove access to the PPTP tunnel to ensure the vendor was using the proper tunnel. This required changing the setting for 20 users…
This wouldn’t be too difficult if we’d ever got around to setting up the tunnel correctly, however we never did. What I mean is that the VPN tunnel can be controller by policy. It’s a simple task of granting a group explicit remote access, and leaving the user option set to “controller by policy”. However we never deployed such policies1.
This lack of policy meant that I’d have to update all user accounts, one at a time, and disabling the option in the user profile. This is okay for a few accounts, but 20+ is not so much fun. The only good thing we had was that they were all a member of the same group. This is where scripting comes into its element. The general concept of scripting is to automate a repetitive task.
Microsoft has a handy resource called the “Script Center”. They have some really cool examples, and is usually the first stopping point for me if I need to knock together a quick script. Fortunately there were several examples of exactly what I was after.
Getting the users
The first step is getting access to the users’ that are impacted. This is a simple VBS that talks to the LDAP services on an AD server. The base for my work on this portion is located in the Active Directory section, then groups, on the script center, or you can click here.
set objGroup = GetObject("LDAP://CN=VendorName,OU=Groups,DC=Domain,DC=com") objGroup.GetInfo arrMemberOf = objGroup.GetEx("member") for each strMember in arrMemberOf wscript.echo strMember Next
This simply loops through the group “VendorName” which is in the OU groups. The next step is to use the string returned (a full LDAP string), and remove the Dial-Up properties.
Removing the Dial-Up Preferences
Microsoft doesn’t seem to have the LDAP side of this property defined, but there are 3 values. Enabled, or true, which means the user is explicitly allowed dial-up, disabled, or false, which means they’re explicitly denied access, or unset which means group policy defines their access.
As we currently don’t have any group policies defined to grant access, the best option is to unset their dialup property. Again, the Microsoft Script Center comes through with some examples in the Active Directory, User section.
The final script ends up looking like this:
Const ADS_PROPERTY_CLEAR = 1 set objGroup = GetObject("LDAP://CN=VendorName,OU=Groups,DC=Domain,DC=com") objGroup.GetInfo arrMemberOf = objGroup.GetEx("member") For Each strMember in arrMemberOf Set objUser = GetObject("LDAP://" & strMember) objUser.PutEx ADS_PROPERTY_CLEAR, "msNPAllowDialin", 0 objUser.SetInfo objUser = null next
This loops through the list of members in the group, and unsets the
msNPAllowDialin user option. A quick double check of a handful of the users shows the option is now reset back to the default of group policy controller.
Whilst sometimes it’s relatively easy to click few a few users to do something, there are times when a small script makes life easier. Microsoft’s Script Center has a great collection of samples, and a good jumping point for a lot of common questions. So next time a task requires you to go through and modify, or add, or even delete options, sometimes a script is just as quick.
Something we should get around to, as we probably have a few accounts that shouldn’t have access ↩