Post by Mark D. MacLachlan
Post by Spundae
Hello,
I am looking for a way to find all my users in active directory that
have a checkmark set at the terminal server tab where you can
specify that the user is allowed to logon to terminal server.
I tried to do this with adfind or a script with ldap but failed.
Is there a way because I also read that this information is in
binary.
Thanks in advance
H.S.
If you take a look using ADSIEdit you will find that the terminal
services properties are not actually part of the AD attributes of the
user. ADUC merely has some hooks in it to make that configuration
easier.
There is a Microsoft DLL you can hunt for called wtsadmin.dll that
when registered will let you query these properties.
I wasn't able to find a copy of that DLL with a quick search so you
may need to do some digging. I did find a third party freeware
version called wts_admin.dll but looks like that hasn't been updated
to newer versions and the DLL would not register on my Windows 7 x64
machine. May work fine for you on a 32 bit machine though.
http://cwashington.netreach.net/main/tools/default.asp?topic=n-z
Hope that helps,
Mark D. MacLachlan
OK, so I did some more digging and came up with the following script.
You need to execute it from a server with Terminal Services enabled.
This will query all users in your domain that have that check box
checked.
[code]
'==========================================================================
'
' NAME: ListUsersDeniesTSLogon.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE : 7/8/2009
' COPYRIGHT © 2009, All Rights Reserved
'
' COMMENT:
' THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
' ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
' THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
' PARTICULAR PURPOSE.
'
' IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
' BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
' DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
' WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
' ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
' OF THIS CODE OR INFORMATION.
'
'==========================================================================
Option Explicit
Dim oRootDSE, strDomain, qQuery, objConnection, objCommand, objRecordSet, objUser

' Bind to the domain's default naming context
Set oRootDSE = GetObject("LDAP://rootDSE")
strDomain = oRootDSE.Get("defaultNamingContext")

' Return only user accounts; objectCategory=person on its own also matches
' contacts, which carry no terminal services properties.
' (other categories = computer, user, printqueue, group)
qQuery = "<LDAP://" & strDomain & ">;" & _
         "(&(objectCategory=person)(objectClass=user))" & _
         ";name,distinguishedName;subtree"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Open "Provider=ADsDSOObject;"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = qQuery
objCommand.Properties("Page Size") = 1000   ' paged, so large domains are not cut off at 1000 rows
Set objRecordSet = objCommand.Execute

While Not objRecordSet.EOF
    ' Bind to the user object. AllowLogon is exposed by the IADsTSUserEx ADSI
    ' extension, which is only present where Terminal Services is installed.
    Set objUser = GetObject("LDAP://" & _
        objRecordSet.Fields("distinguishedName").Value)
    If objUser.AllowLogon = 0 Then
        WScript.Echo "TS Denied for user " & objRecordSet.Fields("name").Value
    End If
    objRecordSet.MoveNext
Wend

objConnection.Close
[/code]
Hope that helps,
Mark D. MacLachlan
--
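An added PowerShell version of the same enumeration, written here as an example and not part of Mark's post. It reads the same IADsTSUserEx.AllowLogon value the VBScript uses, so it has the same requirement: run it on a host where the Terminal Services ADSI extension (tsuserex.dll) is registered, such as a server with the Remote Desktop Services role. It also reports whether each account's userParameters attribute is populated, which is the binary blob the original question refers to; accounts with no userParameters are on default settings. The parameter names and the output file path are my own choices, and the catch block labels accounts it cannot evaluate instead of aborting, which is what happens when the extension is missing.

```powershell
# Added example (not from the original thread). Lists every user account's
# "Allow logon to terminal server" state via the IADsTSUserEx ADSI extension.
# Assumes: tsuserex.dll is registered on this host and the caller can read the objects.
param(
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext,
    [string]$OutFile    = ".\ts-logon-report.csv"   # hypothetical output path
)

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
# Restrict to real user accounts: objectCategory=person alone also returns
# contacts, which have no TS properties and would throw on the AllowLogon call.
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000    # paged results so large domains are not truncated at 1000
$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "sAMAccountName", "userParameters"))

$report = foreach ($result in $searcher.FindAll()) {
    $dn  = $result.Properties["distinguishedname"][0]
    $sam = $result.Properties["samaccountname"][0]
    $user = [ADSI]"LDAP://$dn"
    try {
        # AllowLogon is supplied by IADsTSUserEx: 1 = allowed, 0 = denied
        $allow  = [int]$user.psbase.InvokeGet("AllowLogon")
        $status = if ($allow -eq 1) { "Allowed" } else { "Denied" }
    } catch {
        # Typical cause: the TS ADSI extension is not registered on this host
        $status = "Unknown: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        SamAccountName    = $sam
        DistinguishedName = $dn
        TSLogon           = $status
        # True when the account has non-default TS settings stored in the userParameters blob
        HasUserParameters = $result.Properties.Contains("userparameters")
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation
# Summary for a quick audit of how many accounts may log on to terminal servers
$report | Group-Object TSLogon | Select-Object Name, Count
```

Run it from an elevated PowerShell prompt on the terminal server; if every row comes back as "Unknown", the extension DLL is not registered on that host, which is the same failure the VBScript would hit with an error on the AllowLogon line.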