Re: how to find users with the checkmark on allow to logon to terminal servers

 
 
Mark D. MacLachlan

 
      07-08-2009

Spundae wrote:

> Hello,
>
> I am looking for a way to find all my users in active directory that
> have a checkmark set at the terminal server tab where you can specify
> that the user is allowed to logon to terminal server.
> I tried to do this with adfind or a script with ldap but failed.
>
> Is there a way, because I also read that this information is in
> binary.
>
> Thanks in advance
>
> H.S.


If you take a look using ADSIEdit you will find that the terminal
services properties are not actually part of the AD attributes of the
user. ADUC merely has some hooks in it to make that configuration
easier.

There is a Microsoft DLL you can hunt for called wtsadmin.dll that when
registered will let you query these properties.

I wasn't able to find a copy of that DLL with a quick search, so you may
need to do some digging. I did find a third-party freeware version
called wts_admin.dll, but it looks like that hasn't been updated for newer
versions, and the DLL would not register on my Windows 7 x64 machine.
It may work fine for you on a 32-bit machine though.
http://cwashington.netreach.net/main....asp?topic=n-z

Hope that helps,

Mark D. MacLachlan

--

 
Mark D. MacLachlan

 
      07-09-2009

Mark D. MacLachlan wrote:

> Spundae wrote:
>
> > Hello,
> >
> > I am looking for a way to find all my users in active directory that
> > have a checkmark set at the terminal server tab where you can
> > specify that the user is allowed to logon to terminal server.
> > I tried to do this with adfind or a script with ldap but failed.
> >
> > Is there a way, because I also read that this information is in
> > binary.
> >
> > Thanks in advance
> >
> > H.S.

>
> If you take a look using ADSIEdit you will find that the terminal
> services properties are not actually part of the AD attributes of the
> user. ADUC merely has some hooks in it to make that configuration
> easier.
>
> There is a Microsoft DLL you can hunt for called wtsadmin.dll that
> when registered will let you query these properties.
>
> I wasn't able to find a copy of that DLL with a quick search, so you
> may need to do some digging. I did find a third-party freeware
> version called wts_admin.dll, but it looks like that hasn't been updated
> for newer versions, and the DLL would not register on my Windows 7 x64
> machine. It may work fine for you on a 32-bit machine though.
> http://cwashington.netreach.net/main....asp?topic=n-z
>
> Hope that helps,
>
> Mark D. MacLachlan


OK, so I did some more digging and came up with the following script.
You need to execute it from a server with Terminal Services enabled.
This will query all users in your domain that have that check box
checked.

Code:
'==========================================================================
'
' NAME: ListUsersDeniesTSLogon.vbs
'
' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
' URL: http://www.thespidersparlor.com
' DATE  : 7/8/2009
' COPYRIGHT © 2009, All Rights Reserved
'
' COMMENT:
'    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
'    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
'    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
'    PARTICULAR PURPOSE.
'
'    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
'    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
'    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
'    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
'    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
'    OF THIS CODE OR INFORMATION.
'
'==========================================================================

' Bind to RootDSE to find the distinguished name of the current domain
Set oRootDSE = GetObject("LDAP://rootDSE")
strDomain = oRootDSE.Get("defaultNamingContext")

' ADO/ADSI query returning name and DN of every user object in the domain
' other categories = computer, user, printqueue, group
qQuery = "<LDAP://" & strDomain & ">;" & _
         "(objectCategory=person)" & _
         ";name,DistinguishedName;subtree"

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Open "Provider=ADsDSOObject;"
objCommand.ActiveConnection = objConnection
objCommand.CommandText = qQuery
Set objRecordSet = objCommand.Execute

' AllowLogon is not an LDAP attribute, so each user must be bound to and
' the value read through the Terminal Services extension on the user object
While Not objRecordSet.EOF
    Set objUser = GetObject("LDAP://" & objRecordSet.Fields("DistinguishedName"))
    ' AllowLogon = 0 means the "Allow logon to terminal server" box is cleared
    If objUser.AllowLogon = 0 Then
        WScript.Echo "TS Denied for user " & objRecordSet.Fields("name")
    End If
    objRecordSet.MoveNext
Wend

objConnection.Close

Hope that helps,

Mark D. MacLachlan

--

 
Richard Mueller [MVP]

 
      07-09-2009


"Mark D. MacLachlan" <> wrote in message
news:...
> Mark D. MacLachlan wrote:
>
>> Spundae wrote:
>>
>> > Hello,
>> >
>> > I am looking for a way to find all my users in active directory that
>> > have a checkmark set at the terminal server tab where you can
>> > specify that the user is allowed to logon to terminal server.
>> > I tried to do this with adfind or a script with ldap but failed.
>> >
>> > Is there a way, because I also read that this information is in
>> > binary.
>> >
>> > Thanks in advance
>> >
>> > H.S.

>>
>> If you take a look using ADSIEdit you will find that the terminal
>> services properties are not actually part of the AD attributes of the
>> user. ADUC merely has some hooks in it to make that configuration
>> easier.
>>
>> There is a Microsoft DLL you can hunt for called wtsadmin.dll that
>> when registered will let you query these properties.
>>
>> I wasn't able to find a copy of that DLL with a quick search, so you
>> may need to do some digging. I did find a third-party freeware
>> version called wts_admin.dll, but it looks like that hasn't been updated
>> for newer versions, and the DLL would not register on my Windows 7 x64
>> machine. It may work fine for you on a 32-bit machine though.
>> http://cwashington.netreach.net/main....asp?topic=n-z
>>
>> Hope that helps,
>>
>> Mark D. MacLachlan

>
> OK, so I did some more digging and came up with the following script.
> You need to execute it from a server with Terminal Services enabled.
> This will query all users in your domain that have that check box
> checked.
>
>
Code:
> '==========================================================================
> '
> ' NAME: ListUsersDeniesTSLogon.vbs
> '
> ' AUTHOR: Mark D. MacLachlan , The Spider's Parlor
> ' URL: http://www.thespidersparlor.com
> ' DATE  : 7/8/2009
> ' COPYRIGHT © 2009, All Rights Reserved
> '
> ' COMMENT:
> '    THIS CODE AND INFORMATION IS PROVIDED "AS IS" WITHOUT WARRANTY OF
> '    ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED To
> '    THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A
> '    PARTICULAR PURPOSE.
> '
> '    IN NO EVENT SHALL THE SPIDER'S PARLOR AND/OR ITS RESPECTIVE SUPPLIERS
> '    BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
> '    DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS,
> '    WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
> '    ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE
> '    OF THIS CODE OR INFORMATION.
> '
> '==========================================================================
>
> Set oRootDSE = GetObject("LDAP://rootDSE")
> strDomain = oRootDSE.get("defaultNamingContext")
>
> ' other categories = computer, user, printqueue, group
> qQuery = "<LDAP://" & strDomain &">;" & _
> "(objectCategory=person)" & _
>       ";name,DistinguishedName;subtree"
>
> Set objConnection = CreateObject("ADODB.Connection")
> Set objCommand = CreateObject("ADODB.Command")
> objConnection.Open "Provider=ADsDSOObject;"
> objCommand.ActiveConnection = objConnection
> objCommand.CommandText = qQuery
> Set objRecordSet = objCommand.Execute
>
> While Not objRecordSet.EOF
>    Set objUser = GetObject("LDAP://" & objRecordSet.Fields("DistinguishedName"))
> If objUser.AllowLogon = 0 Then
> Wscript.Echo "TS Denied for user " & objRecordSet.Fields("name")
>    End If
>    objrecordset.MoveNext
> Wend
>
> objConnection.Close
>
>
> Hope that helps,
>
> Mark D. MacLachlan
>
> --
>


I can't find documentation on this. Is it possible that AllowLogon is a
property method rather than an attribute? This would explain why it cannot
be found using ADSI Edit. If it were an attribute, you could use the filter:

(&(objectCategory=person)(objectClass=user)(allowLogon=0))

to retrieve just the users desired. Or, if allowLogon were boolean:

(&(objectCategory=person)(objectClass=user)(allowLogon=FALSE))

Or, at least you could add allowLogon to the list of attributes to retrieve,
saving the need to bind to each user object.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


 
Mark D. MacLachlan

 
      07-09-2009

Spundae wrote:

> Hello Mark D. MacLachlan
>
> It worked like a charm. I did have to change it so that it would only
> search through one particular domain and that it would resume on an
> error, but that's easy.
>
> Thank you very much for your script and quick reply


Happy to assist.

--

 
Mark D. MacLachlan

 
      07-09-2009
I had a conversation with an MS Support Engineer on this a few years
back and was told that it isn't a property within AD. I was told that
ADUC only shows those options as a courtesy to customers so they did
not have to manage TS access separately from the user object. (If only
they had kept that up when Exchange 2007 hit the streets.)

In another thread I have posted code that retrieves the information.
It only works when executed from a TS server though.
 
Richard Mueller [MVP]

 
      07-09-2009

"Mark D. MacLachlan" <> wrote in message
news:...
> I had a conversation with an MS Support Engineer on this a few years
> back and was told that it isn't a property within AD. I was told that
> ADUC only shows those options as a courtesy to customers so they did
> not have to manage TS access separately from the user object. (If only
> they had kept that up when Exchange 2007 hit the streets.)
>
> In another thread I have posted code that retrieves the information.
> It only works when executed from a TS server though.


I don't have a TS server, which is why I asked. I think you confirmed that
AllowLogon is what I call a property method (a method exposed by the
IADsUser interface that returns a value based on other AD attributes). This
means you cannot improve the query as I suggested with the clause
(allowLogon=0), and avoid the binding steps that slow the script
considerably. Other examples of property methods (exposed by IADsUser) are
Parent, AccountDisabled, AccountExpirationDate and LastName. None of these
show up in ADSI Edit, and none can be used in an ADO query.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
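The same enumeration in PowerShell, as an added example that is not part of the thread and not code from either poster. It takes Richard's point from the two replies above: the LDAP filter and the attribute list can contain only real attributes (objectCategory, objectClass, name, distinguishedName), while AllowLogon is a property method that has to be read after binding to each user, so the bind per user remains the slow step. Like Mark's script it assumes it runs where the Terminal Services ADSI extension on user objects is available (per the thread, a server with Terminal Services); the SearchBase parameter, the paged search and the catch-and-continue behaviour Spundae mentioned are my choices, not the thread's.

```powershell
# Added example (not from the thread): list users whose "Allow logon to
# terminal server" box is cleared, reading AllowLogon through InvokeGet.
# Assumes the Terminal Services ADSI extension is available on this host.

param(
    # Assumed parameter: search base; defaults to the domain naming
    # context, exactly as the VBScript in the thread does via rootDSE.
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
)

# Filter on real LDAP attributes only. AllowLogon is a property method,
# so it can appear neither in the filter nor in PropertiesToLoad.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000            # paged results, for domains with > 1000 users
[void]$searcher.PropertiesToLoad.Add("name")
[void]$searcher.PropertiesToLoad.Add("distinguishedName")

$denied = foreach ($result in $searcher.FindAll()) {
    $dn = $result.Properties["distinguishedname"][0]
    try {
        # Bind to the user object; this is the per-user step that cannot be
        # avoided because the value is computed, not stored as an attribute.
        $user = [ADSI]"LDAP://$dn"
        # AllowLogon: 1 = box checked, 0 = box cleared.
        $allow = $user.psbase.InvokeGet("AllowLogon")
        if ($allow -eq 0) {
            [pscustomobject]@{
                Name              = $result.Properties["name"][0]
                DistinguishedName = $dn
            }
        }
    }
    catch {
        # Equivalent of "On Error Resume Next": report the object and keep going
        # (for example when the TS extension is not available for this object).
        Write-Warning "Could not read AllowLogon for $dn : $($_.Exception.Message)"
    }
}

$denied | Format-Table -AutoSize
```

Run it as a script so the param block applies; pass -SearchBase with an OU or another domain's naming context to narrow the search as Spundae did. The other property methods Richard lists (AccountDisabled, AccountExpirationDate, LastName) are read the same way through InvokeGet, and none of them can be placed in the Filter string.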


 