Resolution
Directory and Resource Administrator 7.x
symptom
Dial-in properties are displayed incorrectly.
symptom
When viewing a users Dial-in properties, there are three radio button to display what the rights are for the user. One for 'Allow access', one for 'Deny Access' and one for 'Control Access'. Approximately 1 out of 4 user accounts are displayed with no radio button selected at all. This property should always display with one of these selected.
symptom
The property for all these accounts was set by a VBScript using the OnePoint provider and the Directory and Resource Administrator 6.4 server.
Example:
set user = getobject("OnePoint://jnjbebedra01/" & ADSpath) user.put "mSNPAllowDialin", true
cause
See the following article on why this would cause problems in 2 situations (This affects Microsoft Windows 2000-based domains in Mixed mode or Microsoft Windows 2000-based domains in Native mode that include RAS servers hosted by Microsoft Windows NT-based computers.):
- Microsoft Knowledge Base Article 252398: Cannot Grant Dial-in Access to a User from an ADSI Script
fix
This is the correct behavior. The Win32 UI does not look at the msNPAllowDialin property to set the radio for "allow access". It checks the rasPermissions property for the DIALFLG_DialinPrivilege bit set. In the cases with no radio selected, the users in question do not have the RAS flag set.
note
To verify the rasPermissions flag is not set, just check the user's (rasPermissions) setting in AD. It must have the flag for DIALFLG_DialinPrivilege set (Which is 8). The ones that you see with 9, that means they have DIALFLG_DialinPrivilege and DIALFLG_NoCallback (8+1=9). The accounts with only 1, just have DIALFLG_NoCallback, and not DIALFLG_DialinPrivilege.
The flags are:DIALFLG_NoCallback = 0x00000001;
DIALFLG_AdminSetCallback = 0x00000002;
DIALFLG_CallerSetCallback = 0x00000004;
DIALFLG_DialinPrivilege = 0x00000008;
DIALFLG_CallbackType = 0x00000007;