Snow & Ice
Well, here in Indiana we were hit with a snow & ice storm a few days ago and many people in our firm were unable to make it into the office. So we had a record number of users working from home over VPN. Our HelpDesk person was able to make it in (thanks to public transportation) and was bombarded with calls about users being unable to log in to VPN. I am not ashamed to admit that some things get overlooked during the account creation process (which is not my responsibility, mind you) and this is one of them.
So the problem was that for some reason the Remote Access Permissions were set to Deny Access for a small minority of end users. Not a big deal to fix but annoying nonetheless. So this issue made me consider a long-term solution which would be to make changes to the account creation process and ensure that these settings are set correctly. Furthermore, I wanted to know how to find out who in our Active Directory does not have Remote Access/VPN.
So Who Doesn’t Have VPN Access?
So to determine this I fired up my favorite LDAP browser, Softerra LDAP Browser. I looked through the attributes of a user account and found an attribute that caught my attention–msNPAllowDialin. According to MSDN this attribute “indicates if the account has permission to dial in to the RAS server.” Perfect! Exactly what I was looking for.
I scurried on over to my customized MMC console and went into Active Directory Users and Computers and performed the following steps to create the desired LDAP Query.
The LDAP Query
- Expand Active Directory Users and Computers
- Right-click on the Saved Queries folder and select New > Query
- Name: Get-Non-RemoteAccessUsers, Description: Users who do not have remote access/VPN
- Click the Define Query button
- In the Find: drop-down box select Custom Search
- Click on the Advanced tab
- Enter LDAP query: (&(objectCategory=person)(objectClass=user)(msNPAllowDialin=FALSE))
That should return all of the users in your Active Directory environment whose Remote Access Permission is set to Deny Access, that is, the users who do not have Remote Access/VPN.
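The same check scripted in PowerShell, as an added example that is not part of the original post. It also reports accounts where msNPAllowDialin is not set at all (access is then decided by the network/remote access policy), which a match on FALSE does not return. It assumes the ActiveDirectory module (RSAT) is installed; the CSV file name is made up for illustration.

```powershell
# Added example: audit the Remote Access Permission (msNPAllowDialin) of every enabled user.
# Assumes the ActiveDirectory module (RSAT) and read access to user objects.
Import-Module ActiveDirectory

# objectCategory=person keeps computer accounts out (they also carry objectClass=user).
# The userAccountControl bitwise match (rule 1.2.840.113556.1.4.803, bit 2) skips disabled accounts.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$report = Get-ADUser -LDAPFilter $filter -Properties msNPAllowDialin |
    ForEach-Object {
        # The attribute is tri-state: TRUE, FALSE, or absent.
        $state = if ($null -eq $_.msNPAllowDialin) { 'NotSet' }
                 elseif ($_.msNPAllowDialin)       { 'Allow' }
                 else                              { 'Deny' }

        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            RemoteAccess      = $state
        }
    }

# How many accounts fall into each state.
$report | Group-Object RemoteAccess | Select-Object Name, Count

# The explicit Deny list (what the saved query shows), saved for the HelpDesk.
# 'RemoteAccessDenied.csv' is a hypothetical output name.
$report |
    Where-Object { $_.RemoteAccess -eq 'Deny' } |
    Sort-Object SamAccountName |
    Export-Csv -Path .\RemoteAccessDenied.csv -NoTypeInformation
```

Running this after each batch of new accounts shows whether the account creation process is still leaving users on Deny, and the NotSet count shows how many users depend on the policy rather than on the per-account setting.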