如何使用VBScript从LDAP获取Active Directory拨入权限设置？

在Active Directory中，有一个名为“拨入”的选项卡，该选项卡下有一个单选按钮控件，具有三种设置：

Allow Access
Deny Access
Control access through remote access policy

我想编写一个VBScript来获取用户名，并返回该用户的设置。 （实际上我正在修改一个现有的VBScript，这就是为什么我不得不使用该工具的原因）

---

最好的方法是什么？

这里是我能想到的最好的解决方案。很容易修改它以输出所有用户的设置

Main

Function Main
  'Usage: cscript /nologo lookup.vbs mydomain username
  Wscript.Echo CanDialIn(Wscript.Arguments(0), Wscript.Arguments(1))
  Main = 0
End Function

Function CanDialIn(domainname, username)
  'Take a user name and query whether they have permission to Dial in or not
  'http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0825.mspx
  Const ADS_SCOPE_SUBTREE = 2
  Dim objConnection
  Dim objCommand
  Dim objRecordSet

  Set objConnection = CreateObject("ADODB.Connection")
  Set objCommand =   CreateObject("ADODB.Command")
  objConnection.Provider = "ADsDSOObject"
  objConnection.Open "Active Directory Provider"
  Set objCommand.ActiveConnection = objConnection

  objCommand.Properties("Page Size") = 1000
  objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE 

  'Three possible values for msNPAllowDialin:
  'TRUE = "Allow Access"
  'FALSE = "Deny Access"
  'EMPTY = "Control access through remote access policy"
  objCommand.CommandText = _
    "SELECT msNPAllowDialin FROM 'LDAP://dc=" & domainname & ",dc=com' WHERE objectCategory='user' AND sAMAccountName = '" & username & "'"
  On Error Resume Next
  Set objRecordSet = objCommand.Execute
  if objRecordSet.EOF then
    CanDialIn = "Could not find user " & username
  else
    if objRecordSet.Fields("msNPAllowDialin").Value = True then
      CanDialIn = "Allow"
    else
      if objRecordSet.Fields("msNPAllowDialin").Value = False then
        CanDialIn = "Deny"
      else
        CanDialIn = "Control"
      end if
    end if  
  end if
End Function