As shown in Figure 4.4, Windows NT lets the administrator restrict login to a specific group of machines. This can be helpful for restricting service accounts or preventing users from roaming to other workstations in the enterprise.
The LoginWorkstations property of the IADsUser interface returns a variant array containing the machines to which user logon is limited. If this property is set for a user account, the user may only interactively log on to the machines specified in the array assigned to this property.
Set this property when configuring service accounts, which are often privileged, so that users who happen to know an account's password cannot use it elsewhere in the enterprise.
Using the now familiar For Each loop to enumerate the contents of the variant array of strings, you can return every workstation to which a user account is limited. Consider the following Visual Basic code segment to perform this action:

    On Error Resume Next
    Dim User As IADsUser
    Dim UserName As String
    Dim UserDomain As String
    Dim Workstation As Variant
    UserDomain = "Target_User_Domain"
    UserName = "Target_User_Name"
    Set User = GetObject("WinNT://" & UserDomain & "/" & UserName & ",user")
    ' Several workstations come back as an array, a single one as a string
    If IsArray(User.LoginWorkstations) Then
        For Each Workstation In User.LoginWorkstations
            Debug.Print Workstation
        Next
    Else
        Debug.Print User.LoginWorkstations
    End If
To add a new logon workstation, you must set the value of the LoginWorkstations property to an array of strings representing the workstations to which the user account will be limited.
Use the following Visual Basic code to add a single entry to the array in the IADsUser LoginWorkstations property:

    On Error Resume Next
    Dim TargetUserDomain As String
    Dim TargetUserName As String
    Dim Value As String
    Dim User As IADsUser
    Dim NewElement() As Variant
    Dim i As Long
    Dim EmptyArray As Integer
    Dim Entry As Variant
    Dim ValueAlreadyExists As Integer
    TargetUserDomain = "Target_User_Domain"
    TargetUserName = "Target_User_Name"
    Value = "New_Login_Workstation_To_Add"
    Set User = GetObject("WinNT://" & TargetUserDomain & "/" & TargetUserName & ",user")
    ' Index of the last element copied; -1 while NewElement is still unallocated
    ' (calling UBound on an unallocated array raises an error)
    i = -1
    If IsArray(User.LoginWorkstations) = True Then
        ' Copy the existing entries, noting an empty list or a duplicate
        For Each Entry In User.LoginWorkstations
            i = i + 1
            ReDim Preserve NewElement(i)
            NewElement(i) = Entry
            If Entry = "" Then EmptyArray = 1
            If Entry = Value Then ValueAlreadyExists = 1
        Next
        If EmptyArray = 1 Then
            User.LoginWorkstations = Array(Value)
            User.SetInfo
        Else
            If ValueAlreadyExists <> 1 Then
                ' Append the new workstation and write the list back
                i = i + 1
                ReDim Preserve NewElement(i)
                NewElement(i) = Value
                User.LoginWorkstations = NewElement
                User.SetInfo
            End If
        End If
    Else
        ' A single existing workstation is returned as a string
        If User.LoginWorkstations <> Value Then
            User.LoginWorkstations = Array(User.LoginWorkstations, Value)
            User.SetInfo
        End If
    End If
To remove an entry from an existing LoginWorkstations array, you can use the following Visual Basic code as a guide:

    On Error Resume Next
    Dim TargetUserDomain As String
    Dim TargetUserName As String
    Dim Value As String
    Dim User As IADsUser
    Dim NewElement() As Variant
    Dim Entry As Variant
    Dim i As Long
    TargetUserDomain = "Target_User_Domain"
    TargetUserName = "Target_User_Name"
    Value = "Login_Workstation_To_Remove"
    Set User = GetObject("WinNT://" & TargetUserDomain & "/" & TargetUserName & ",user")
    ' Index of the last element kept; -1 while NewElement is still unallocated
    i = -1
    If IsArray(User.LoginWorkstations) = True Then
        ' Copy every entry except the one being removed
        For Each Entry In User.LoginWorkstations
            If Value <> Entry Then
                i = i + 1
                ReDim Preserve NewElement(i)
                NewElement(i) = Entry
            End If
        Next
        If i >= 0 Then
            User.LoginWorkstations = NewElement
        Else
            ' Nothing is left to keep: clear the list the same way as below
            User.LoginWorkstations = Array("")
        End If
        User.SetInfo
    Else
        ' A single existing workstation is returned as a string
        If User.LoginWorkstations = Value Then
            User.LoginWorkstations = Array("")
            User.SetInfo
        End If
    End If
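
To check that the service-account recommendation above is actually in force, the following added example (not code from the original text) enumerates every user in a domain and reports which accounts have no workstation restriction. It assumes a placeholder domain name, a hypothetical "svc" naming prefix for service accounts, and that an unset LoginWorkstations property reads as Empty, as an empty string, or raises an error.

```vb
' Added example: audit LoginWorkstations across a domain.
' Assumptions: TargetDomain is a placeholder; ServicePrefix is a hypothetical
' naming convention; an unset property is treated as "unrestricted".
Private Function WorkstationList(User As IADsUser) As String
    Dim Value As Variant, Entry As Variant, Result As String
    On Error Resume Next
    Value = User.LoginWorkstations
    If Err.Number <> 0 Then
        Err.Clear
        Exit Function                      ' returns "" (unrestricted)
    End If
    On Error GoTo 0
    If IsArray(Value) Then                 ' several workstations
        For Each Entry In Value
            If Len(Entry) > 0 Then
                If Len(Result) > 0 Then Result = Result & ","
                Result = Result & Entry
            End If
        Next
    ElseIf VarType(Value) = vbString Then  ' a single workstation
        Result = Value
    End If
    WorkstationList = Result
End Function

Public Sub AuditLoginWorkstations()
    Const TargetDomain As String = "Target_User_Domain"
    Const ServicePrefix As String = "svc"
    Dim Domain As IADsContainer
    Dim User As IADsUser
    Dim Allowed As String
    Set Domain = GetObject("WinNT://" & TargetDomain)
    Domain.Filter = Array("user")          ' enumerate user objects only
    For Each User In Domain
        Allowed = WorkstationList(User)
        If Len(Allowed) = 0 Then
            If LCase$(Left$(User.Name, Len(ServicePrefix))) = ServicePrefix Then
                Debug.Print "UNRESTRICTED SERVICE ACCOUNT: " & User.Name
            Else
                Debug.Print "unrestricted: " & User.Name
            End If
        Else
            Debug.Print User.Name & " -> " & Allowed
        End If
    Next
End Sub
```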