Active Directory User Sign-Ins and Updating Computer Description
July 13, 2022
There's a wealth of information in Active Directory Users and Computers. On their own, the user and computer objects can answer a lot of basic questions and help you troubleshoot, audit, administer, or even write better policies. One fundamental thing ADUC doesn't do, and which is usually handled through a different system or done by hand, is answer "who is on which computer?" Modern device management providers such as Intune can help bridge this gap; but if your organization has no plans to move into that area of cloud services, or you simply want that information available in ADUC, then this article is for you.
There are a few prerequisites to get this up and running correctly.
1) Users will need permission to write to AD computer objects. We'll lock this down to just that specific attribute.
2) Two GPOs need to be configured.
3) A script that runs when users sign in to their device.
4) Conditional point: the device needs line of sight to a Domain Controller at sign-in.
First, we need to update permissions for the applicable group. Find the OU with the correct users, right click and select Delegate Control.
Click Next, then select Add. We want to add Authenticated Users.
Continue to the next step. Here, we are going to create a “Custom Task to Delegate.” Then select Next.
Select the radio button "Only the following objects in the folder." Then choose Computer objects.
In the next step, uncheck General and check Property-Specific; then, Write Description.
Now, if this seemed a little weird up to this point, the last step should clarify what just happened. Here’s what mine says.
Reading from the top, my domain with the selected OU (JTUsers) is giving Authenticated Users the permissions to Write the Description of Computer Objects. In and of itself, this does next to nothing. We need to create the script and GPOs to run that script.
Next, we get our script setup. Both the GPOs will revolve around the script, so we’ll do those afterwards.
# Get the user name.
$UserName = $env:USERNAME

# Get the client object from AD
$filter = "(&(objectCategory=computer)(objectClass=computer)(cn=$env:COMPUTERNAME))"
$DN = ([adsisearcher]$filter).FindOne().Properties.distinguishedname

# Modify the object.
$ObjClient = [ADSI]"LDAP://$DN"
$ObjClient.Description = $UserName
$ObjClient.SetInfo()
Normally, I use PowerShell whenever I can. Since each end PC is not going to have the RSAT tools installed, we have to use ADSI to do the write. This script writes the SamAccountName of the user to the computer description. If you prefer the full name or a different field, adjust the script to your liking.
Save your script; I'm going to place mine in \\jefftechs.local\SYSVOL\JeffTechs.local\scripts.
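The article's script assumes the happy path. The version below is an added example, not the article's script, that handles the failure modes the prerequisites hint at: a local (non-domain) account signing in, no domain controller reachable at logon, the computer object not being found, and the write being denied because the delegation is missing. It also stamps the time next to the user name and reads the value back to confirm the directory accepted it. It assumes the same setup as the article: it runs as the signing-in user via the logon-script GPO, and Authenticated Users have been delegated Write Description on Computer objects in the OU.

```powershell
# Added example: hardened logon script for writing the signed-in user to the
# computer's AD description. Uses ADSI only, so no RSAT is needed on the client.

$UserName = $env:USERNAME
$Computer = $env:COMPUTERNAME
$Stamp    = Get-Date -Format 'yyyy-MM-dd HH:mm'

# A local account shows its own machine name as USERDOMAIN. It is not an AD
# user and holds none of the delegated rights, so there is nothing to record.
if ($env:USERDOMAIN -eq $Computer) {
    Write-Verbose "Local account sign-in; skipping description update."
    return
}

# Prerequisite 4 from the article: the client needs line of sight to a DC.
# Off-network laptops (cached logon, VPN not up yet) fail here; exit quietly
# instead of throwing errors at the user.
try {
    $Filter   = "(&(objectCategory=computer)(objectClass=computer)(cn=$Computer))"
    $Searcher = [adsisearcher]$Filter
    $Result   = $Searcher.FindOne()
} catch {
    Write-Verbose "Directory unreachable: $($_.Exception.Message)"
    return
}

if (-not $Result) {
    Write-Verbose "Computer object '$Computer' not found in the directory."
    return
}

# SearchResult.Path is already "LDAP://<distinguished name>".
$ObjClient = [ADSI]$Result.Path
$ObjClient.Description = "$UserName ($Stamp)"

try {
    $ObjClient.SetInfo()
} catch {
    # Typical cause: the delegation was not applied, or this computer object
    # lives outside the OU where Write Description was delegated.
    Write-Verbose "Write denied for '$Computer': $($_.Exception.Message)"
    return
}

# Read the attribute back from the DC rather than trusting the local cache.
$ObjClient.RefreshCache(@('description'))
Write-Verbose "Description is now: $($ObjClient.Properties['description'].Value)"
```

Because the script exits with `return` on every failure path, a user signing in on a laptop at home sees nothing unusual, and the description simply keeps the last value written while the machine was on the network. Run it with `-Verbose` from a test console to see which branch it took.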
Now we need to set up the GPOs. The first one will run the script. Open your Group Policy editor, create a new policy, and edit it. Drill down under User Configuration > Policies > Windows Settings > Scripts. Select Logon, then the PowerShell tab. Click Add and browse to the location mentioned above. Make sure to select "Run Windows PowerShell scripts first."
By default, Group Policy holds logon scripts back for 5 minutes after sign-in; this won't work for what we're trying to achieve. The second GPO will make the script run immediately when someone logs on.
On the second GPO, drill down under Computer Configuration > Policies > Administrative Templates > System > Group Policy. Select "Configure Logon Script Delay."
Select the "Enabled" radio button. After that, you should see the default timeout of 5 minutes appear. Set it to 0 to disable the Logon Script Delay.
Link your GPOs and let’s take them for a test drive. Right now, I only have two computers in my lab environment; but, as you can see, there is nothing under either description.
And after signing into those devices.
Ta-da. Curly Cues and Jerry Atrick are the last users to have been on those devices. Bear in mind that if you log onto these as an administrator, or someone else logs onto them, it will change the user in the computer description.
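ADUC shows the descriptions one object at a time. The following is an added example (not from the article) that pulls the same information for a whole OU from an admin workstation, again using ADSI so RSAT is not required. It lists which computers have never had a description written (the GPO did not apply, no DC was reachable at logon, or the write was denied) and which user names appear on more than one machine. The OU distinguished name is a placeholder and must be replaced with the OU holding your computer objects.

```powershell
# Added example: report the descriptions written by the logon script.
# Placeholder OU; substitute the OU that contains your computer objects.
$OU = 'OU=Computers,DC=example,DC=local'

$Searcher = [adsisearcher]'(&(objectCategory=computer)(objectClass=computer))'
$Searcher.SearchRoot = [ADSI]"LDAP://$OU"
$Searcher.PageSize   = 1000          # page results so large OUs come back whole
$null = $Searcher.PropertiesToLoad.AddRange(@('cn', 'description', 'whenchanged'))

# Attribute names in the result collection are lowercase; a missing attribute
# yields an empty collection, so wrap each lookup in @() before indexing.
$Rows = foreach ($r in $Searcher.FindAll()) {
    [pscustomobject]@{
        Computer    = [string]@($r.Properties['cn'])[0]
        Description = [string]@($r.Properties['description'])[0]
        WhenChanged = @($r.Properties['whenchanged'])[0]   # whole-object timestamp
    }
}

# Computers the script has never touched.
$Blank = $Rows | Where-Object { -not $_.Description }

# Values that appear on more than one computer (same account on several machines).
$Shared = $Rows |
    Where-Object Description |
    Group-Object Description |
    Where-Object Count -gt 1

Write-Host "Computers with no description: $($Blank.Count)"
$Blank | Sort-Object Computer | Format-Table Computer, WhenChanged -AutoSize

Write-Host "Descriptions shared by more than one computer:"
$Shared | ForEach-Object {
    '{0}: {1}' -f $_.Name, (($_.Group.Computer | Sort-Object) -join ', ')
}

Write-Host "All computers:"
$Rows | Sort-Object Computer | Format-Table -AutoSize
```

One caveat to keep in mind when reading this report: the delegation from earlier lets every authenticated user write the Description of every computer object in the OU, and the value is whatever the last logon script wrote. Treat it as a convenient hint about who is on which machine, not as an audit record; the domain controller's logon events remain the authoritative source for that.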
Hopefully you found this article helpful and happy administering out there.