When you create a user from an Active Directory Services Interface (ADSI) script in Windows 2000, you cannot enable the Remote Access Service (RAS) "Allow Access" permission in the
Remote Access Permission (Dial-in or VPN) section of the
Dial-In tab in the user's properties.
Back to the top
This behavior occurs when the msNPAllowDialin and userParameters settings are out of synchronization. Lightweight Directory Access Protocol (LDAP) programs, such as the ADSI LDAP provider, can update the msNPAllowDialin setting correctly. However, Active Directory cannot update the userParameters setting. This behavior affects Windows 2000-based domains in Mixed mode or Windows 2000-based domains in Native mode that include RAS servers hosted by Microsoft Windows NT-based computers.
Back to the top
The workaround for Windows 2000-based domains in a Mixed-mode environment is to enable the
DialinPrivilege user object parameter that is exposed by the Windows NT provider. To implement this workaround:
| 1. | Download Active Directory Services Interface (ADSI) from the following link: |
| 2. | Look for the Adsras.dll file in the ADSI Software Development Kit (SDK). |
| 3. | Register the Adsras.dll file on the computer on which you will run the script. To register the Adsras.dll file, use the following command:
regsvr32 adsras.dll
|
| 4. | To get a handle to the user object, use the following command:
set usr = getobject("winnt://domainname/username")
|
| 5. | To grant dial-in access (the "Allow Access" permission) to the user, use the following command:
usr.dialinprivilege = true
|
The workaround for Windows 2000-based domains in Native mode is to host the RAS server on a Windows 2000-based computer.
Back to the top
This behavior is by design.
Back to the top
Help and Support
