Problem solve Get help with specific problems with your technologies, process and projects.

Creating new Active Directory users with dial-in permission

Two parameters are needed for new user dial-in access. This Active Directory tip helps you cover all the bases.

Creating new AD users with dial-in permission
Kevin R. Sharp

Two parameters must be properly configured for a new user to be granted dial-in privileges, but Active Directory services can directly modify only one of them. If the two parameters are out of synchronization, no remote access will be allowed. The msNPAllowDialin setting can be updated by Lightweight Directory Access Protocol (LDAP) programs like the ADSI LDAP provider. The UserParameters setting cannot be modified by such programs. The recommended work-around depends on whether the Windows 2000 domain is running in Mixed mode or in Native mode with the remote access servers hosted on Windows NT machines.


Microsoft's position is that this behavior is "by design" meaning you have to work around it because Microsoft is not going to fix it. If your architecture currently calls for a Windows 2000 machine in Native mode working with remote access servers hosted on NT machines, I'm afraid you're out of luck. The official Microsoft workaround for this problem is to move the RAS server off the NT machine onto a Windows 2000 machine. If you're in a mixed mode environment, however, you have a much cleaner option by enabling the DialinPrivilege user object exposed by the Windows NT provider.

  1. Download the Active Directory Services Interface from

  2. Look for Adsras.dll in the included SDK and register it on the computer on which you will run the script using the following command:
    regsvr32 adsras.dll
  3. Now get a handle to the user object using:
    set usr = getobject("winnt://domainname/username")
  4. Now you can grant dial-in access with:
    usr.dialinprivilege = true

For the Microsoft knowledge base article dealing with this workaround, see Q252398 - Cannot Grant Dial-in Access to a User from an ADSI Script.

Note that in mixed mode, some dial-in options are unavailable, including verify Caller ID and assign a static IP address. For more information, see Q193897 - Dial-In Options Unavailable with Active Directory in Mixed Mode.

Kevin Sharp is a registered professional engineer and writer living in Tucson, Arizona who gains his expertise from a variety of professional activities. His engineering outlets include Web consulting for ID Systems Magazine, focusing on the fulfillment side of electronic commerce.

Did you like this tip? Let us know. You can drop a line to sound off.

Related Book

Mission-Critical Active Directory Architecting a Secure and Scalable Infrastructure
Author : Micky Balladelli and Jan De Clercq
Publisher : Digital Press
Published : Mar 2001
Summary :
Learn from Compaq's own Active Directory experts techniques and best practices for creating a secure and scalable network foundation for Windows 2000 and Exchange 2000.
Mission-Critical Active Directory teaches systems designers and administrators within growing and large organizations techniques and insights into Active Directory they'll need to build a Windows 2000 network that can reliably accommodate many thousands of new users, computers, and programs. Few individuals possess the knowledge of Active Directory design, operation, and security necessary to build a truly secure and stable Windows 2000 system. Now two of these experts--Compaq's own resident authorities--share their methods and experiences with readers.

Dig Deeper on Windows systems and network management