Discussion:
how to find users with the checkmark on allow to logon to terminal servers
Spundae
2009-07-08 11:54:00 UTC
Hello,

I am looking for a way to find all my users in Active Directory that
have a checkmark set on the terminal server tab, where you can specify
that the user is allowed to log on to the terminal server.
I tried to do this with adfind or a script with LDAP but failed.

Is there a way? I also read that this information is stored in
binary.

Thanks in advance

H.S.
Mark D. MacLachlan
2009-07-08 19:14:11 UTC
Post by Spundae
Hello,
I am looking for a way to find all my users in Active Directory that
have a checkmark set on the terminal server tab, where you can specify
that the user is allowed to log on to the terminal server.
I tried to do this with adfind or a script with LDAP but failed.
Is there a way? I also read that this information is stored in
binary.
Thanks in advance
H.S.
If you take a look using ADSIEdit you will find that the terminal
services properties are not actually part of the AD attributes of the
user. ADUC merely has some hooks in it to make that configuration
easier.

There is a Microsoft DLL you can hunt for called wtsadmin.dll that when
registered will let you query these properties.

I wasn't able to find a copy of that DLL with a quick search, so you may
need to do some digging. I did find a third-party freeware version
called wts_admin.dll, but it looks like it hasn't been updated for newer
versions, and the DLL would not register on my Windows 7 x64 machine.
It may work fine for you on a 32-bit machine though.
http://cwashington.netreach.net/main/tools/default.asp?topic=n-z

Hope that helps,

Mark D. MacLachlan

--
Mark D. MacLachlan
2009-07-09 08:16:20 UTC
Post by Mark D. MacLachlan
Post by Spundae
Hello,
I am looking for a way to find all my users in Active Directory that
have a checkmark set on the terminal server tab, where you can
specify that the user is allowed to log on to the terminal server.
I tried to do this with adfind or a script with LDAP but failed.
Is there a way? I also read that this information is stored in
binary.
Thanks in advance
H.S.
If you take a look using ADSIEdit you will find that the terminal
services properties are not actually part of the AD attributes of the
user. ADUC merely has some hooks in it to make that configuration
easier.
There is a Microsoft DLL you can hunt for called wtsadmin.dll that
when registered will let you query these properties.
I wasn't able to find a copy of that DLL with a quick search, so you
may need to do some digging. I did find a third-party freeware
version called wts_admin.dll, but it looks like it hasn't been updated
for newer versions, and the DLL would not register on my Windows 7 x64
machine. It may work fine for you on a 32-bit machine though.
http://cwashington.netreach.net/main/tools/default.asp?topic=n-z
Hope that helps,
Mark D. MacLachlan
OK, so I did some more digging and came up with the following script.
You need to execute it from a server with Terminal Services enabled.
This will query all users in your domain that have that check box
checked.

[code]
'==========================================================================
'
' NAME: ListUsersDeniesTSLogon.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 7/8/2009
' COPYRIGHT © 2009, All Rights Reserved
'
' COMMENT:
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
' ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
' THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
' PARTICULAR PURPOSE.
'
' IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
' BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
' DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
' WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
' ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
' OF THIS CODE OR INFORMATION.
'
'==========================================================================

Set oRootDSE = GetObject("LDAP://rootDSE")
strDomain = oRootDSE.Get("defaultNamingContext")

' other categories = computer, user, printqueue, group
' objectClass=user is added so that contacts (also objectCategory=person)
' are skipped; they have no Terminal Services settings to read
qQuery = "<LDAP://" & strDomain & ">;" & _
    "(&(objectCategory=person)(objectClass=user))" & _
    ";name,distinguishedName;subtree"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Open "Provider=ADsDSOObject;"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = qQuery
' Request paged results; otherwise AD returns at most 1000 objects
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    ' AllowLogon is not an LDAP attribute, so each user must be bound to
    ' individually. A bind or property read can fail, so clear the previous
    ' object first and carry on past errors instead of aborting the run.
    Set objUser = Nothing
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & strDN)
    intAllow = objUser.AllowLogon
    If Err.Number <> 0 Then
        Wscript.Echo "Skipping " & strDN & ": " & Err.Description
        Err.Clear
    ElseIf intAllow = 0 Then
        Wscript.Echo "TS Denied for user " & objRecordSet.Fields("name").Value
    End If
    On Error GoTo 0
    objRecordSet.MoveNext
Wend

objConnection.Close
[/code]

Hope that helps,

Mark D. MacLachlan

--
Spundae
2009-07-09 09:58:07 UTC
Hello Mark D. MacLachlan

It worked like a charm. I did have to change it so that it would only
search through one particular domain and so that it would resume on an
error, but that's easy.

Thank you very much for your script and quick reply
Mark D. MacLachlan
2009-07-09 21:15:15 UTC
Post by Spundae
Hello Mark D. MacLachlan
It worked like a charm. I did have to change it so that it would only
search through one particular domain and so that it would resume on an
error, but that's easy.
Thank you very much for your script and quick reply
Happy to assist.

--
Richard Mueller [MVP]
2009-07-09 13:23:21 UTC
Post by Mark D. MacLachlan
Post by Mark D. MacLachlan
Post by Spundae
Hello,
I am looking for a way to find all my users in Active Directory that
have a checkmark set on the terminal server tab, where you can
specify that the user is allowed to log on to the terminal server.
I tried to do this with adfind or a script with LDAP but failed.
Is there a way? I also read that this information is stored in
binary.
Thanks in advance
H.S.
If you take a look using ADSIEdit you will find that the terminal
services properties are not actually part of the AD attributes of the
user. ADUC merely has some hooks in it to make that configuration
easier.
There is a Microsoft DLL you can hunt for called wtsadmin.dll that
when registered will let you query these properties.
I wasn't able to find a copy of that DLL with a quick search, so you
may need to do some digging. I did find a third-party freeware
version called wts_admin.dll, but it looks like it hasn't been updated
for newer versions, and the DLL would not register on my Windows 7 x64
machine. It may work fine for you on a 32-bit machine though.
http://cwashington.netreach.net/main/tools/default.asp?topic=n-z
Hope that helps,
Mark D. MacLachlan
OK, so I did some more digging and came up with the following script.
You need to execute it from a server with Terminal Services enabled.
This will query all users in your domain that have that check box
checked.
[code]
'==========================================================================
'
' NAME: ListUsersDeniesTSLogon.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 7/8/2009
' COPYRIGHT © 2009, All Rights Reserved
'
' COMMENT:
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
' ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO
' THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
' PARTICULAR PURPOSE.
'
' IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
' BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
' DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
' WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
' ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
' OF THIS CODE OR INFORMATION.
'
'==========================================================================

Set oRootDSE = GetObject("LDAP://rootDSE")
strDomain = oRootDSE.Get("defaultNamingContext")

' other categories = computer, user, printqueue, group
' objectClass=user is added so that contacts (also objectCategory=person)
' are skipped; they have no Terminal Services settings to read
qQuery = "<LDAP://" & strDomain & ">;" & _
    "(&(objectCategory=person)(objectClass=user))" & _
    ";name,distinguishedName;subtree"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Open "Provider=ADsDSOObject;"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = qQuery
' Request paged results; otherwise AD returns at most 1000 objects
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    ' AllowLogon is not an LDAP attribute, so each user must be bound to
    ' individually. A bind or property read can fail, so clear the previous
    ' object first and carry on past errors instead of aborting the run.
    Set objUser = Nothing
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & strDN)
    intAllow = objUser.AllowLogon
    If Err.Number <> 0 Then
        Wscript.Echo "Skipping " & strDN & ": " & Err.Description
        Err.Clear
    ElseIf intAllow = 0 Then
        Wscript.Echo "TS Denied for user " & objRecordSet.Fields("name").Value
    End If
    On Error GoTo 0
    objRecordSet.MoveNext
Wend

objConnection.Close
[/code]
Hope that helps,
Mark D. MacLachlan
--
I can't find documentation on this. Is it possible that AllowLogon is a
property method rather than an attribute? This would explain why it cannot
be found using ADSI Edit. If it were an attribute, you could use the filter:

(&(objectCategory=person)(objectClass=user)(allowLogon=0))

to retrieve just the users desired. Or, if allowLogon were boolean:

(&(objectCategory=person)(objectClass=user)(allowLogon=FALSE))

Or, at least you could add allowLogon to the list of attributes to retrieve,
saving the need to bind to each user object.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Mark D. MacLachlan
2009-07-09 21:18:26 UTC
I had a conversation with a MS Support Engineer on this a few years
back and was told that it isn't a property within AD, I was told that
ADUC only shows those options as a courtesy to customers so they did
not have to manage TS access separately from the user object. (If only
they had kept that up when Exchange 2007 hit the streets).

In another thread I have posted code that retrieves the information.
It only works when executed from a TS server though.
Richard Mueller [MVP]
2009-07-09 21:50:21 UTC
Post by Mark D. MacLachlan
I had a conversation with a MS Support Engineer on this a few years
back and was told that it isn't a property within AD, I was told that
ADUC only shows those options as a courtesy to customers so they did
not have to manage TS access separately from the user object. (If only
they had kept that up when Exchange 2007 hit the streets).
In another thread I have posted code that retrieves the information.
It only works when executed from a TS server though.
I don't have a TS server, which is why I asked. I think you confirmed that
AllowLogon is what I call a property method (a method exposed by the
IADsUser interface that returns a value based on other AD attributes). This
means you cannot improve the query as I suggested with the clause
(allowLogon=0), and avoid the binding steps that slow the script
considerably. Other examples of property methods (exposed by IADsUser) are
Parent, AccountDisabled, AccountExpirationDate and LastName. None of these
show up in ADSI Edit, and none can be used in an ADO query.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
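Mark's script and Richard's explanation together describe the only workable approach: narrow the LDAP search to user objects, then bind to each one and ask the Terminal Services extension for AllowLogon, because that value is not an LDAP attribute and cannot be put in the filter. The PowerShell version below is an added example written for this page, not code from the thread. It assumes it runs on a host where the Terminal Services ADSI extension (tsuserex.dll) is registered, such as a terminal server, and that the caller can read the user objects. The -SearchBase parameter does what Spundae did (limit the search to one domain or OU), the try/catch does the "resume on error", and the whenChanged column is my addition as a rough pointer to recently modified accounts; whenChanged moves on any attribute change, so it is a hint, not an audit record.

```powershell
# Added example (not from the original thread). Lists users whose
# "Allow logon to terminal server" box is cleared by binding to each user
# through the Terminal Services ADSI extension (assumed registered here).
param(
    # Search base DN; defaults to the current domain. Pass an OU or another
    # domain's DN to restrict the search, as Spundae did.
    [string]$SearchBase = [string]([ADSI]"LDAP://RootDSE").defaultNamingContext
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
# objectCategory=person alone also matches contacts, which have no TS settings
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000   # without paging AD returns at most 1000 results
[void]$searcher.PropertiesToLoad.AddRange(
    @("sAMAccountName", "distinguishedName", "whenChanged"))

$results = foreach ($hit in $searcher.FindAll()) {
    $dn = [string]$hit.Properties["distinguishedname"][0]
    try {
        # AllowLogon cannot be filtered server-side, so bind to each object.
        # A forward slash inside a DN must be escaped in an ADsPath.
        $user  = [ADSI]"LDAP://$($dn -replace '/', '\/')"
        $allow = $user.psbase.InvokeGet("AllowLogon")   # 1 = allowed, 0 = denied
    } catch {
        # Missing extension, unreadable object, etc.: report and keep going
        Write-Warning "Skipping $dn : $($_.Exception.Message)"
        continue
    }
    [pscustomobject]@{
        SamAccountName = [string]$hit.Properties["samaccountname"][0]
        AllowLogon     = [int]$allow
        WhenChanged    = [datetime]$hit.Properties["whenchanged"][0]
        DN             = $dn
    }
}

# Denied users, most recently modified first. whenChanged changes on any
# attribute write, so use it only to prioritise which accounts to look at.
$results |
    Where-Object { $_.AllowLogon -eq 0 } |
    Sort-Object WhenChanged -Descending |
    Format-Table SamAccountName, WhenChanged, DN -AutoSize
```

Run it from a PowerShell prompt on the terminal server; to scope it, pass for example `-SearchBase "OU=Staff,DC=corp,DC=example"` (a made-up DN). Every user still costs one bind, so expect the same run time Spundae saw on a large domain; the warnings tell you straight away if the extension is not registered on the machine you picked.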
Spundae
2009-07-10 05:23:42 UTC
Thank you Richard and Mark,

for the clarification. When I ran the script it took a long time,
but it does exactly what I wanted: I get a list of users that do not
have the checkmark turned on. This was an issue that was played up in
our company, where a user couldn't log on to Citrix and TS. Somehow
the checkmark was not checked, and we expect that someone had clicked
on this. Too bad we didn't have auditing on. So I needed the script
to find any others that were affected.

All, thank you. There wasn't much I could google for (or my input was
not good :)

Harold
