Using the Quest Active Directory PowerShell Snapin to Search For & Set Attributes

I want to make sure that all users in a specific OU in my Active Directory domain have the “Deny this user permissions to log on to Remote Desktop Session Host server” option set (checked):

Download the Quest Active Directory PowerShell Snapin (free). The PowerShell command shown below searches this specific OU in my Active Directory domain for users where this attribute is not equal to false. The default setting is blank (allowed) as shown with the Gill Bates user below. Once this setting has been checked (set to false) and then unchecked, it has a value of true instead of being blank as shown with the John Doe user below.

The following PowerShell command sets this value to false for all users in this OU who are not already set to false (where the value is blank or true):

This does seem a little confusing because the GUI property says deny and checking it sets the value shown in PowerShell to false. In PowerShell, the property is named TSAllowedLogon so that helps clear up the confusion though.


1 Comment

  1. Angelo Papiccio

    This is an interesting post but I was wondering how you would use the get-qaduser command to show a list of users NOT in a specific OU? The scenario I have is that I need to list a bunch of active user accounts for an audit. However I want to exclude the contents of the Resource OU in my organisation. I’ve everything else except how to exlclude a given OU.

    Any thoughts?


Leave a Reply

%d bloggers like this: