Allow Dial-in and assign static IP Addresses in Active Directory with PowerShell

So it turns out setting IP addresses in Active Directory with PowerShell is not quite as straightforward as you might expect. It is perfectly possible though, so let's have a look at how it works.

Just so we are on the same page, this is what we are looking at – our Dial-in tab in AD:

By default, Network Access Permission is set to “Control access through NPS Network Policy” and there is no assigned IP address.

First let’s take a look at which attributes are affected:

These attributes are set when we set the Dial-in tab as shown in the caption above.

The first thing you might be wondering is what on earth 169090600 is. It is in fact our IP address, written as the integer value of the 32-bit binary form of the address.
That is = 00001010.00010100.00011110.00101000.
Remove the dots and you get 00001010000101000001111000101000 = 169090600.

Now that we know what we are dealing with, let’s get to the PowerShell part of it.
The first thing we have to do is convert our IP from to 169090600. I wrote a quick function to do just that.

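function Convert-IP {
 param(
  [String]$IPAddress = ""
 )

 # Split the dotted address into its four decimal octets
 $octetsDecimal = $IPAddress -split "\."
 # Convert each octet to its binary string
 $octetsBinary = $octetsDecimal | % { [convert]::ToString([int]$_, 2) }

 # Left-pad every octet to 8 bits
 $octetsBinary = $octetsBinary | % { ("0" * (8 - $_.length)) + $_ }

 # Join the octets into one 32-bit string and read it as a signed 32-bit integer
 $binaryIP = ""
 $octetsBinary | % { $binaryIP += $_ }
 $integerIP = [convert]::ToInt32($binaryIP, 2)

 return $integerIP
}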

Setting the attributes in AD is simple:

Set-QADUser -Identity "Testuser" -IncludedProperties @("msNPAllowDialin", "msRADIUSFramedIPAddress", "msRASSavedFramedIPAddress") -ObjectAttributes @{msNPAllowDialin=$true;msRADIUSFramedIPAddress=169090600;msRASSavedFramedIPAddress=169090600}

Combine the two and you can make this task painless:

$IP = Convert-IP ""
Set-QADUser -Identity "Testuser" -IncludedProperties @("msNPAllowDialin", "msRADIUSFramedIPAddress", "msRASSavedFramedIPAddress") -ObjectAttributes @{msNPAllowDialin=$true;msRADIUSFramedIPAddress=$IP;msRASSavedFramedIPAddress=$IP}
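An added example, not part of the original post: the same conversion done on the address bytes instead of binary strings, with input validation and the reverse direction for reading stored values back when reviewing accounts. The function names are hypothetical and the sample addresses are constructed; the second sample has its top bit set, so it comes out negative as a signed 32-bit value.

```powershell
# Added example; function names are hypothetical, not from the post or any module.
function ConvertTo-FramedIPInteger {
    param([Parameter(Mandatory)][string]$IPAddress)

    $ip = $null
    # Accept only a canonical dotted-quad IPv4 string (rejects "10.20", IPv6, octets > 255).
    if (-not ([System.Net.IPAddress]::TryParse($IPAddress, [ref]$ip)) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork -or
        $ip.ToString() -ne $IPAddress) {
        throw "Not a dotted-quad IPv4 address: '$IPAddress'"
    }

    # GetAddressBytes returns network order (most significant octet first).
    $bytes = $ip.GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }

    # ToInt32 gives the signed value; a first octet of 128 or more yields a negative number.
    return [BitConverter]::ToInt32($bytes, 0)
}

function ConvertFrom-FramedIPInteger {
    param([Parameter(Mandatory)][int]$Value)

    # Reverse of the above: signed 32-bit integer back to dotted-quad text.
    $bytes = [BitConverter]::GetBytes($Value)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    return ([System.Net.IPAddress]::new([byte[]]$bytes)).ToString()
}

# Constructed samples: the first is the article's binary octets written in decimal,
# the second has the top bit set.
foreach ($sample in '10.20.30.40', '192.168.1.10') {
    $asInt = ConvertTo-FramedIPInteger $sample
    $back  = ConvertFrom-FramedIPInteger $asInt
    if ($back -ne $sample) { throw "Round trip failed for $sample" }
    '{0,-15} -> {1,12} -> {2}' -f $sample, $asInt, $back
}

# Cross-check against the integer quoted in the article.
if ((ConvertTo-FramedIPInteger '10.20.30.40') -ne 169090600) {
    throw 'Result does not match the value shown in the article'
}
```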

7 thoughts on “Allow Dial-in and assign static IP Addresses in Active Directory with PowerShell”

  1. I get a negative number for the IP addresses I have set via Dialin TAB. If you change “ToInt64” to “ToInt32” then your function matches. As you say, it’s a 32 bit [signed] binary [integer].

  2. What is the correct string to change the status to dialin allowed without the IP settings? I tried -IncludedProperties @{msNPAllowDialin=$true}. No error message and no change to the tested account.

    1. Hi Gordon.

      You have to use the -ObjectAttributes parameter also. If using Quest cmdlets this would be the way to do it:

      Set-QADUser -Identity TheUser -IncludedProperties @('msNPAllowDialin') -ObjectAttributes @{msNPAllowDialin=$true}

      ObjectAttributes is the parameter that sets the given field, while IncludedProperties simply makes it available (Quest doesn’t load the msNPAllowDialin field by default).

      I wrote this article using Quest examples; today I would recommend using the native ActiveDirectory Module. If using native cmdlets this would be the command:

      Set-ADUser -Identity TheUser -Add @{msNPAllowDialin=$true}

      1. Thank you for the assist with adding Dialin only. Works like a charm. Now I don’t have to fire up another tool, go find the account and make the change.
