Cannot Grant Dial-in Access to a User from an ADSI Script

When you create a user from an Active Directory Services Interface (ADSI) script in Windows 2000, you cannot enable the Remote Access Service (RAS) "Allow Access" permission in the Remote Access Permission (Dial-in or VPN) section of the Dial-In tab in the user's properties.

This behavior occurs when the msNPAllowDialin and userParameters settings are out of synchronization. Lightweight Directory Access Protocol (LDAP) programs, such as the ADSI LDAP provider, can update the msNPAllowDialin setting correctly. However, Active Directory cannot update the userParameters setting. This behavior affects Windows 2000-based domains in Mixed mode or Windows 2000-based domains in Native mode that include RAS servers hosted by Microsoft Windows NT-based computers.

The workaround for Windows 2000-based domains in a Mixed-mode environment is to enable the DialinPrivilege user object parameter that is exposed by the Windows NT provider. To implement this workaround:

1. Download Active Directory Services Interface (ADSI) from the following link:
   http://technet.microsoft.com/en-us/library/cc749949.aspx (http://technet.microsoft.com/en-us/library/cc749949.aspx)
2. Look for the Adsras.dll file in the ADSI Software Development Kit (SDK).
3. Register the Adsras.dll file on the computer on which you will run the script. To register the Adsras.dll file, use the following command:
   regsvr32 adsras.dll
4. To get a handle to the user object, use the following command:
   set usr = getobject("winnt://domainname/username")
5. To grant dial-in access (the "Allow Access" permission) to the user, use the following command:
   usr.dialinprivilege = true

The workaround for Windows 2000-based domains in Native mode is to host the RAS server on a Windows 2000-based computer.

This behavior is by design.