  • Find users in AD with Allow Logon Through Terminal Services Right

    Hi All,


    I am trying to find a way to find all users in my Windows Server 2003 native domain that have the "allow logon through terminal services" option activated in their user account (the terminal services profile tab in the user object).

    I have searched/googled and came up with these excellent LDAP query examples:
    http://www.petri.com/ldap_search_sam...d_exchange.htm

    I have found that the attribute is ms-TS-Allow-Logon, but I cannot get it to work within a custom search query (perhaps this attribute is Windows 2008 only?).

    There is another attribute called allowlogon, but I cannot get it to work either.

    Furthermore, I have found that the privilege is called SeRemoteInteractiveLogonRight, but I am not sure how to search for this within Active Directory.


    Can someone please help me with this? Many thanks!


    P.S. This is my first post here, so be gentle.

  • #2
    Re: Find users in AD with Allow Logon Through Terminal Services Right

    Originally posted by JStraman:
    Hi All,

    I am trying to find a way to find all users in my Windows Server 2003 native domain that have the "allow logon through terminal services" option activated in their user account (the terminal services profile tab in the user object).

    It's not directly an LDAP query for AllowLogon, but maybe this script can help?
    Code:
    ' Terminal Services Profile
    ' http://www.activexperts.com/activmon...ps/tsaccounts/
     
    Const ADS_SCOPE_SUBTREE = 2
     
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    
    Set objConnection = CreateObject("ADODB.Connection")
    Set objCommand =   CreateObject("ADODB.Command")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    Set objCommand.ActiveConnection = objConnection
    
    objCommand.Properties("Page Size") = 1000
    objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
    objCommand.CommandText = _
        "SELECT AdsPath FROM 'LDAP://" & strDNSDomain & "' WHERE " _
        & "objectCategory='person' AND ObjectClass='user'"
    
    Set objRecordSet = objCommand.Execute
     
    If not objRecordSet.EOF Then 
      objRecordSet.MoveFirst
      Do Until objRecordSet.EOF
     
        Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
     
        AllowLogonTS = objUser.AllowLogon
        strUser = MID(objUser.name,4)
     
        If AllowLogonTS = 0 Then
          AllowLogonTS = "No"
        ElseIf AllowLogonTS = 1 Then
          AllowLogonTS = "Yes"
        End If
     
        If AllowLogonTS = "No" _
          Then WScript.echo strUser, " Allow Logon:", AllowLogonTS
     
        objRecordSet.MoveNext
      Loop
    End If
    objConnection.Close
     
    wscript.quit
    \Rems
    Last edited by Rems; 8th August 2008, 17:22. Reason: corrected the case in the "LDAP://RootDSE" line (!)

    This posting is provided "AS IS" with no warranties, and confers no rights.

    __________________

    ** Remember to give credit where credit's due **
    and leave Reputation Points for meaningful posts



    • #3
      Re: Find users in AD with Allow Logon Through Terminal Services Right

      Thanks, maybe the script can help. What I ultimately want to accomplish is to dynamically fill a distribution group (query based). We have a SonicWall SSL VPN appliance and want to exclude all domain users from using it that do not have the allow logon through terminal services right.

      The SSL VPN can read all kinds of groups (security/distribution), and a query based distribution group would be ideal for this situation. But maybe I'm focusing on the wrong things here...



      • #4
        Re: Find users in AD with Allow Logon Through Terminal Services Right

        Well, I solved my problem. I used a VBScript to read out all users that have the option "allow logon to terminal services" activated. I put those users in a security group and configured our Citrix/terminal servers and SSL VPN SonicWall to only allow this group access. A little different from what I intended originally, but hey, it fixes my problem!


        Oh by the way I used this script:

        http://www.activedir.org/Articles/ta...4/Default.aspx



        • #5
          Re: Find users in AD with Allow Logon Through Terminal Services Right

          Thanks for letting us know.


          It would also be possible to make a few changes to my script, so that it not only finds the users but also controls the members of a (distribution) group.
          Then you can schedule the script to run so the group is periodically updated automatically.

          example:

          Code:
          ' http://forums.petri.com/showthread.php?t=26443
          
          'option explicit
          
          Const ADS_GROUP_TYPE_GLOBAL_GROUP     = &h2
          Const ADS_GROUP_TYPE_LOCAL_GROUP      = &h4
          Const ADS_GROUP_TYPE_UNIVERSAL_GROUP  = &h8
          Const ADS_GROUP_TYPE_SECURITY_ENABLED = &h80000000
          
          Const ADS_PROPERTY_CLEAR  = 1
          Const ADS_PROPERTY_APPEND = 3
          
          Const ADS_SCOPE_SUBTREE   = 2
          
          Dim objRootDSE
          Dim strDNSDomain, strOUpath, strNewGp
          Dim objOU, objGroup
          Dim objConnection, objCommand, objRecordSet
          Dim objUser
          
          Set objRootDSE = GetObject("LDAP://RootDSE")
          
          strDNSDomain = objRootDSE.Get("DefaultNamingContext")
          strOUpath    = "OU=Groups, OU=Test container"
          strNewGp     = "No TM-logon"
          
          '*** Create new Group - If not exist
          'http://activexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/groups/
          On Error Resume Next
           Set objOU = GetObject("LDAP://" & strOUpath & "," & strDNSDomain )
           Set objGroup = objOU.Create("Group","CN=" & strNewGp)
           objGroup.Put "sAMAccountName", strNewGp
           objGroup.Put "groupType", ADS_GROUP_TYPE_GLOBAL_GROUP
           '(note: if you want to make the group also a security group, use " OR " or " + "
           ' to add ADS_GROUP_TYPE_SECURITY_ENABLED to the previous line, do not use "AND")
           objGroup.setInfo
          
          '*** Remove All Members from the Group - If exist
          '    (Create fails when the group already exists; then bind to it and empty it)
          If Err then
           Set objGroup = GetObject _
             ("LDAP://CN=" & strNewGp & "," & strOUpath & "," & strDNSDomain ) 
           objGroup.PutEx ADS_PROPERTY_CLEAR, "member", 0
           objGroup.SetInfo
          End If
          On Error GoTo 0
          
          '*** Stop here if neither Create nor the bind gave us a group object
          '    (for example when strOUpath does not exist)
          If objGroup Is Nothing Then
            WScript.Echo "Could not create or bind to group " & strNewGp
            WScript.Quit 1
          End If
          
          '-------------------------------------------------------------------------------------------
          '*** Find users
          
          Dim arrUsers(), intSize : intSize=0
          
          Set objConnection = CreateObject("ADODB.Connection")
          Set objCommand =   CreateObject("ADODB.Command")
          objConnection.Provider = "ADsDSOObject"
          objConnection.Open "Active Directory Provider"
          Set objCommand.ActiveConnection = objConnection
          
          objCommand.Properties("Page Size") = 1000
          objCommand.Properties("Timeout") = 30
          objCommand.Properties("Cache Results") = False
          
          objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 
          objCommand.CommandText = _
              "SELECT AdsPath FROM 'LDAP://" & strDNSDomain & "' WHERE " _
              & "objectCategory='person' AND ObjectClass='user'"
          
          Set objRecordSet = objCommand.Execute
          
          If not objRecordSet.EOF Then 
            objRecordSet.MoveFirst
            Do Until objRecordSet.EOF
           
              Set objUser = GetObject(objRecordSet.Fields("AdsPath").Value)
           
              ' AllowLogon (IADsTSUserEx): 0 = logon to terminal server denied
              If objUser.AllowLogon = 0 Then
          
                 '*** populate array:
                  ReDim Preserve arrUsers(intSize)
                  arrUsers(intSize) = objUser.distinguishedName
                  intSize = intSize + 1
          
              End If
          
              objRecordSet.MoveNext
            Loop
          End If
          
          objConnection.Close
          
          
          '*** Add Members to the Group (objGroup)
          '    (only when at least one user was found; PutEx needs at least one value)
          If intSize > 0 Then
                 objGroup.PutEx ADS_PROPERTY_APPEND, "member", arrUsers
                 objGroup.SetInfo
          End If
          
          Wscript.Quit
          \Rems
          Last edited by Rems; 8th August 2008, 18:44.

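The same job as the two VBScripts in #2 and #5, written as an added PowerShell example (not code from the thread or from Rems). It reads the flag through the same ADSI AllowLogon property, but reconciles the group by adding and removing only the differences instead of clearing and refilling it, so existing members keep their access while the script runs. The group DN and the -DryRun switch are assumptions to adjust.

```powershell
# Added example, not from the thread: keep a "no TS logon" group in sync with the
# per-user Terminal Services flag (IADsTSUserEx AllowLogon, as in the VBScript),
# reconciling membership instead of clearing and refilling the group.
param(
    [string]$GroupDN = "CN=No TM-logon,OU=Groups,OU=Test container,DC=example,DC=com", # placeholder
    [switch]$DryRun   # report the changes without writing them
)
$domainDN = ([ADSI]"LDAP://RootDSE").defaultNamingContext

# Paged search for every user object (same filter as the VBScript query)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

# Desired membership: users whose AllowLogon is 0 (logon to terminal server denied).
# The flag is encoded inside the userParameters attribute rather than exposed as a
# searchable attribute, so it is read per object through ADSI instead of filtered.
$desired = @{}
foreach ($result in $searcher.FindAll()) {
    $user = $result.GetDirectoryEntry()
    $dn = [string]$user.distinguishedName
    try {
        $allow = $user.psbase.InvokeGet("AllowLogon")
    } catch {
        Write-Warning "Cannot read AllowLogon for ${dn}: $_"
        continue
    }
    if ($allow -eq 0) { $desired[$dn] = $true }
}

# Current membership of the target group
$group = [ADSI]"LDAP://$GroupDN"
$current = @{}
foreach ($m in $group.member) { $current[[string]$m] = $true }

# Apply only the differences: nobody drops out mid-run, unchanged members cause no writes
foreach ($dn in $desired.Keys) {
    if (-not $current.ContainsKey($dn)) {
        Write-Host "ADD    $dn"
        if (-not $DryRun) { $group.psbase.Invoke("Add", "LDAP://$dn") }
    }
}
foreach ($dn in $current.Keys) {
    if (-not $desired.ContainsKey($dn)) {
        Write-Host "REMOVE $dn"
        if (-not $DryRun) { $group.psbase.Invoke("Remove", "LDAP://$dn") }
    }
}
```

Run it once with -DryRun to review the planned adds and removes before scheduling it.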
