This article was previously published under Q252398
This article has been archived. It is offered "as is" and will no longer be updated.
When you create a user from an Active Directory Services Interface (ADSI) script in Windows 2000, you cannot enable the Remote Access Service (RAS) "Allow Access" permission in the Remote Access Permission (Dial-in or VPN) section of the Dial-In tab in the user's properties.
This behavior occurs when the msNPAllowDialin and userParameters settings are out of synchronization. Lightweight Directory Access Protocol (LDAP) programs, such as the ADSI LDAP provider, can update the msNPAllowDialin setting correctly. However, Active Directory cannot update the userParameters setting. This behavior affects Windows 2000-based domains in Mixed mode or Windows 2000-based domains in Native mode that include RAS servers hosted by Microsoft Windows NT-based computers.
The workaround for Windows 2000-based domains in a Mixed-mode environment is to enable the DialinPrivilege user object parameter that is exposed by the Windows NT provider. To implement this workaround:
Download Active Directory Services Interface (ADSI) from the following link: