Using the Quest Active Directory PowerShell Snapin to Search For & Set Attributes

I want to make sure that all users in a specific OU in my mikefrobbins.com Active Directory domain have the “Deny this user permissions to log on to Remote Desktop Session Host server” option set (checked):

deny-rdp1.png

Download the Quest Active Directory PowerShell Snapin (free). The PowerShell command shown below searches this specific OU in my Active Directory domain for users where this attribute is not equal to false. The default setting is blank (allowed) as shown with the Gill Bates user below. Once this setting has been checked (set to false) and then unchecked, it has a value of true instead of being blank as shown with the John Doe user below.

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
Get-QADUser * -OrganizationalUnit "ou=users,ou=test,dc=mikefrobbins,dc=com" |
?{$_.TsAllowLogon -ne $false} |
select Company, Name, Type, TsAllowLogon |
sort Company, Name |
ft -auto

deny-rdp2.png

The following PowerShell command sets this value to false for all users in this OU who are not already set to false (where the value is blank or true):

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
Get-QADUser * -OrganizationalUnit "ou=users,ou=test,dc=mikefrobbins,dc=com" |
?{$_.TsAllowLogon -ne $false} |
Set-QADUser -TsAllowLogon $false

deny-rdp3.png

This does seem a little confusing because the GUI property says deny and checking it sets the value shown in PowerShell to false. In PowerShell, the property is named TSAllowedLogon so that helps clear up the confusion though.

ยต