BUG: WTSSetUserConfig() May Modify a User's Remote Access Permission (277631)
The information in this article applies to:
- Microsoft Win32 Application Programming Interface (API), when used with:
- the operating system: Microsoft Windows 2000
This article was previously published under Q277631 SYMPTOMS
If WTSSetUserConfig() is used to modify a domain user's Terminal Server settings, it may also modify the user's remote access permission as a side effect. When this occurs, the remote access permission level is changed to "Deny access" from its original default value of "Control access through Remote Access Policy." This problem occurs only if the remote access permission has never been explicitly set for the user.
CAUSE
In a Windows 2000 domain, a user's remote access permission is controlled by an Active Directory attribute called msNPAllowDialin. When the user's account is created, the structure that contains this attribute is uninitialized. In this case, the system's default behavior is to control dial-in access for the user according to the Remote Access Policy. The WTSSetUserConfig() API initializes the Active Directory structure if it has never been initialized before. During this initialization, the msNPAllowDialin attribute is set to deny dial-in access for the user.
RESOLUTION
To work around this problem, a program can explicitly set the user's dial-in settings prior to calling WTSSetUserConfig(). The Remote Access Service (RAS) APIs can be used for this purpose. The following sample code demonstrates how to do this.
Sample Code
The following code uses the RAS function MprAdminUserGetInfo() to retrieve a user's current dial-in settings. Then a call to MprAdminUserSetInfo() is made to explicitly store these settings. If this is the first time that the settings have been explicitly set, the Active Directory structure that contains dial-in settings will be initialized, thereby preventing future WTSSetUserConfig() calls from altering the settings.
#define UNICODE
#define _UNICODE
#include <windows.h>
#include <stdio.h>
#include <mprapi.h> // must be linked with mprapi.lib
void wmain(int argc, WCHAR *argv[]) {
WCHAR szUser[UNLEN + 1];
WCHAR szDomain[DNLEN + 1];
WCHAR szUasServer[UNCLEN + 1];
DWORD dwResult;
// We must use the RAS_USER_1 structure to preserve all
// Windows 2000 remote access permission attributes
RAS_USER_1 ru1;
if (argc < 3) {
wprintf(L"usage: %s <user> <domain>\n", argv[0]);
return;
}
wcscpy(szUser, argv[1]);
wcscpy(szDomain, argv[2]);
// Retrieve the name of the server with the User Accounts Subsystem
dwResult = MprAdminGetPDCServer(szDomain, NULL, (PWSTR) szUasServer);
if (dwResult != NO_ERROR) {
wprintf(L"MprAdminGetPDCServer() failed. Error %d\n", dwResult);
return;
}
// Retrieve the user's current dial-in settings
dwResult = MprAdminUserGetInfo(szUasServer, szUser, 1, (PBYTE) &ru1);
if (dwResult != NO_ERROR) {
wprintf(L"MprAdminUserGetInfo() failed. Error %d\n", dwResult);
return;
}
// Explicitly reset the user's dial-in settings
dwResult = MprAdminUserSetInfo(szUasServer, szUser, 1, (PBYTE) &ru1);
if (dwResult != NO_ERROR) {
wprintf(L"MprAdminUserSetInfo() failed. Error %d\n", dwResult);
return;
}
// Now it is safe to call WTSSetUserConfig()
return;
}
STATUSMicrosoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article. REFERENCESFor additional information on the msNPAllowDialin attribute, click the article numbers below
to view the articles in the Microsoft Knowledge Base:
252398 Cannot Grant Dial-in Access to a User from an ADSI Script
257341 'msNPAllowDialin' Attribute Works Only in Native Mode
| Modification Type: | Major | Last Reviewed: | 11/3/2003 |
|---|
| Keywords: | kbAPI kbBug kbKernBase kbpending kbRemoteProg kbTermServ KB277631 |
|---|
|