' borfpurge.vbs: Sets all users to use access policies except administrators.
'
' DANGER: The behavior of this script is undefined in mixed-mode domains.
'
' The AD msNPAllowDialin user object property, which is boolean, determines RRAS access.
'
'   msNPAllowDialin == TRUE      -> Always grant access.
'   msNPAllowDialin == FALSE     -> Always deny access.
'   !defined( msNPAllowDialin )  -> Use RRAS access policies.
'
' WARNING: The LDAP provider must be used because the WinNT provider does not expose msNPAllowDialin.
' WARNING: VBScript does not know about system constants or object typing.
'

' Disallow implicit declarations.
Option Explicit

' Set the error handler. Note that this is the only handler that VBScript supports.
On Error Resume Next

' Definitions from ADS_PROPERTY_OPERATION_ENUM in .
Const ADS_PROPERTY_CLEAR  = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

' The Active Directory root in which localhost is participating.
Dim borfRoot

' The LDAP domain name.
Dim borfDomain

' The group object for "Domain Admins".
Dim borfDomainAdmins

' The group object for "Domain Users".
Dim borfDomainUsers

' The user object buffer.
Dim borfUser

' Load the root object.
Set borfRoot = GetObject( "LDAP://RootDSE" )

' Load the domain name.
borfDomain = borfRoot.Get( "DefaultNamingContext" )

' Load the admin group.
Set borfDomainAdmins = GetObject( "LDAP://cn=Domain Admins,cn=Users," + borfDomain )

' Load the user group.
Set borfDomainUsers = GetObject( "LDAP://cn=Domain Users,cn=Users," + borfDomain )

' Ensure that we only change user accounts.
borfDomainUsers.Members.Filter = Array( "user" )

For Each borfUser In borfDomainUsers.Members

    If( borfDomainAdmins.IsMember( borfUser.ADsPath ) ) Then

        ' Always grant access to administrators.
        borfUser.PutEx ADS_PROPERTY_UPDATE, "msNPAllowDialin", Array( True )

    Else

        ' Set access by policy for all other users.
        borfUser.PutEx ADS_PROPERTY_CLEAR, "msNPAllowDialin", 0

    End If

    ' Commit the account change.
    borfUser.SetInfo

Next

' Ensure that the group objects are released.
Set borfDomainAdmins = Nothing
Set borfDomainUsers = Nothing

' eof