Automatically fill the computer description field in Active Directory
In this article I introduce a VBScript that populates the description field of the Active Directory computer object with the account name of the last user who logged on to that machine.
As a systems administrator, you’ve probably noticed that computer objects in Active Directory have a description field that is shown in the default view of the Active Directory users and computers MMC console. It’s very rare to see an IT department that makes regular use of this field for something useful – never mind keeping it up to date!
I thought that it would be a good idea to automatically populate this field with the last user to log on to the computer. With a slight tweak to our AD security and a little bit of scripting, it’s quite easily achieved. I also added even more information to the field so I could see the system service tag and model number.
Active Directory description field
In order for this process to work, we will need to allow our authenticated domain users to edit the description values on computer objects. Be aware that by doing this, a malicious or cheeky user on your network could change the description on computer objects to anything they want. Given that mine were all empty, anyway, and that they get overwritten each time someone logs in, I didn’t think this would be a significant problem for me. To grant this access, perform the following steps:
- Open Active Directory Users and Computers MMC
- Ensure you have ‘Advanced Features’ enabled (On the ‘view’ menu)
- Right click on your domain, and select ‘properties’ from the context menu
- On the ‘security’ tab, click the ‘advanced’ button
- Click the ‘add’ button, type ‘Authenticated Users’. Then click OK.
- In the permission entry dialogue, set the ‘apply to’ pull-down menu to ‘Descendant Computer Objects’, then in the permissions section, tick the allow options for ‘Write Description’
Once you’ve done this, click ‘OK’ on all, then close the ADUC MMC window.
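The same delegation as the GUI steps above, done from PowerShell with the RSAT ActiveDirectory module on an admin workstation. This is an added example, not part of the original article; it resolves the schema GUIDs for the description attribute and the computer class from the schema instead of hard-coding them, and uses Authenticated Users (S-1-5-11) as the principal, as the article does, which you can swap for a narrower group.

```powershell
# Added example (not from the original article): grant "Write Description" on
# descendant computer objects from PowerShell instead of the ADUC GUI.
# Requires the RSAT ActiveDirectory module and rights to change the domain ACL.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Resolve schemaIDGUIDs from the schema rather than hard-coding them.
$descriptionGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -Filter "lDAPDisplayName -eq 'description'" -Properties schemaIDGUID).schemaIDGUID
$computerGuid = [guid](Get-ADObject -SearchBase $schemaNc `
    -Filter "lDAPDisplayName -eq 'computer'" -Properties schemaIDGUID).schemaIDGUID

# S-1-5-11 is the well-known SID of Authenticated Users (the principal used in
# the article); substitute a narrower group's SID here if you prefer.
$principal = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-11')

# ACE: Allow WriteProperty on the description attribute, applied to
# "Descendant Computer objects" only (inherit-only, filtered to the computer class).
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $descriptionGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl = Get-Acl -Path "AD:\$domainDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# Verify: show the ACE(s) for Authenticated Users that target the description attribute.
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
                   $_.ObjectType -eq $descriptionGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

The verification at the end should show one Allow / WriteProperty entry with InheritanceType Descendents and the computer class GUID as InheritedObjectType, matching what ADUC displays as “Write Description” on “Descendant Computer objects”.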
The next stage is to put the script together. You can modify the script to get and insert any data you require; my example saves the username, service tag and computer make/model. I’ve added a few comments to show what’s going on:
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Get service tag and computer manufacturer (commas are replaced so the
' description stays easy to split later)
For Each objSMBIOS In objWMI.ExecQuery("Select * from Win32_SystemEnclosure")
    serviceTag = Replace(objSMBIOS.SerialNumber, ",", ".")
    manufacturer = Replace(objSMBIOS.Manufacturer, ",", ".")
Next

' Get computer model
For Each objSystem In objWMI.ExecQuery("Select * from Win32_ComputerSystem")
    model = Trim(Replace(objSystem.Model, ",", "."))
Next

' Get this machine's own computer object in AD (ADSystemInfo returns its DN)
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' Build up the description and save it into the computer object only if it differs
' from the current description (avoids needless writes and replication traffic).
' Computers whose description starts with an underscore (_) are left alone so an
' admin can set one manually.
newDescription = WshNetwork.UserName & " (" & serviceTag & " – " & manufacturer & " " & model & ")"
If Not objComputer.Description = newDescription And Not Left(objComputer.Description, 1) = "_" Then
    objComputer.Description = newDescription
    objComputer.SetInfo
End If
If you run this script as a regular user and then check ADUC, you should find that the computer object the script was run from now has its description field set.
All that remains now is to add the VBScript to the user login script. I do this via GPO (User configuration > Policies > Windows Settings > Scripts > Logon).
Once your GPO is updated, restart another system and log in again; once more, you should see that computer’s AD object updated. Now you can sit back and relax while you watch your computer objects in AD fill up with useful information in the description field.
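A PowerShell version of the logon script above, added here as an example rather than taken from the article. It uses only the built-in CIM cmdlets and the [ADSISearcher] accelerator, so it needs no RSAT on the client, and keeps both guards from the VBScript: no write when the description is unchanged, and no write at all when an admin has set a description starting with an underscore. It writes a plain hyphen where the original uses an en dash; the function names are my own.

```powershell
# Added example: PowerShell equivalent of the article's VBScript logon script.
# Built-in CIM + ADSI only; the ActiveDirectory module is not required on clients.

function Get-HardwareDescription {
    # Hardware part of the description; commas replaced as in the original script.
    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure | Select-Object -First 1
    $system    = Get-CimInstance -ClassName Win32_ComputerSystem
    $serviceTag   = ($enclosure.SerialNumber -replace ',', '.').Trim()
    $manufacturer = ($enclosure.Manufacturer -replace ',', '.').Trim()
    $model        = ($system.Model -replace ',', '.').Trim()
    return "($serviceTag - $manufacturer $model)"
}

function Update-OwnComputerDescription {
    # Find this machine's own computer object by sAMAccountName (COMPUTERNAME$).
    $searcher = [ADSISearcher]"(&(objectClass=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found" }
    $computer = $result.GetDirectoryEntry()

    $current = [string]$computer.description
    $new = "$env:USERNAME $(Get-HardwareDescription)"

    # Guard 1: leave manually set descriptions (leading underscore) alone.
    if ($current.StartsWith('_')) { return 'skipped' }
    # Guard 2: only write (and therefore replicate) when something actually changed.
    if ($current -eq $new) { return 'unchanged' }

    $computer.Put('description', $new)
    $computer.SetInfo()
    return 'updated'
}

Update-OwnComputerDescription
```

Save it as a .ps1 and assign it on the “PowerShell Scripts” tab of the same Logon policy; it runs in the user’s context, so the same “Write Description” delegation applies.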
This might be an interesting way to display the logged on user and login time and this value could easily be cleared when the user logs out. Of course in larger or more tightly regulated environments there may be some security issues with doing this, but in a small shop it might be acceptable.
Surprised you didn’t write this (or at least provide a version) in PowerShell with all those articles that have been written about it.
Guys, please beware: if you do it after every logon, you can quickly exhaust the USN for the whole AD domain! And then the domain is dead. At least check if this new objComputer.Description is different from old description (already in AD).
Very good point from RaFi…
You could replace the last 2 lines of the script with these 4, to only do the update if data has changed!
if not objComputer.Description = WshNetwork.UserName & " (" & serviceTag & " – " & manufacturer & " " & model & ")" then
    objComputer.Description = WshNetwork.UserName & " (" & serviceTag & " – " & manufacturer & " " & model & ")"
    objComputer.SetInfo
end if
In my AD I changed the script:
' do not try to overwrite some manually set description
' update only if empty or it starts with "# "
if ((Left(objComputer.Description, 2) = "# ") or (Len(objComputer.Description) < 2)) then
    ' build up description field data and save into computer object
    ' use "# " to mark our automatic descriptions
    newDesc = "# " & WshNetwork.UserName & " (" & serviceTag & " – " & manufacturer & " " & model & ")"
    ' only write when the value actually changed
    if (objComputer.Description <> newDesc) then
        objComputer.Description = newDesc
        objComputer.SetInfo
    end if
end if
oops, some tags > < were eaten by comment system
Just what I’ve been looking for. Thank You !
I just began “playing” with AD,
please help me out:
1 – the script has to be saved as.. ?
2 – when adding the script to GPO, where must it be added, under SCRIPT or POWERSHELLSCRIPTS ?
Thank you
Marco
I’m new to this as well, was there any response to Marco’s question?
Regarding RaFi’s comment:
How would you “exhaust the USN” by changing the computer description? It’s an attribute of an object, and doesn’t have its own USN.
If attributes had USNs, you would have problems with “exhausting the USN” when, for instance, “LastLogonTime” on user objects were updated.
But you save some replication traffic by not updating unchanged information.
Wifi:
The computer object has a USN, and updating the attribute of that object updates the USN of its object – that way, AD can replicate the updated attributes of objects.
At least that is my understanding of this.
Big thanks to Geoff
Rafi, Could you send me your script (including the ><)
Do you need to have RSAT installed on the client? I am able to run the script on my admin box with no issues. However on my test client i get access denied on
objComputer.Description = serviceTag & " – " & manufacturer & " " & model
I am logged in with the same domain account….not sure where to start looking….
Mike, no you don’t need RSAT on client computers.
Did you remember to give “write description” permissions to authenticated users in your AD domain?
(see Permission entry dialogue)
working great here.
Except for the “if not” exclusion. I wish Rafi or Geoff would get back to me on this part.
Thanks ;o)
Hi mike,
Maybe go over the part again where we change permissions on the computer objects… You don’t need RSAT, but standard AD permissions will generate an error unless modified.
Geoff, maybe you could help me out fine-polishing my script. I can’t get the “if not” logic to work.
Jesper, I missed the request for excluding certain workstations! I’m using my phone to write this, but will post an update soon…
hello, thanks for this script it’s really nice,
I tried it successfully but now I’m kind of afraid of the USN thing, my search around this topic didn’t show up anything relevant.
Anyone could confirm that it won’t affect negatively AD?
I’m planning on adding the current date and user as well, so the computer description will change very often (several time a day, I’m not worried about the replication)
thanks again!
Jesper & Ersatyle:
Please update the last section of the script with the following code. It will prevent updating computers where the info does not change (USN should not be an issue, but it will save on replication traffic). It will also allow us to exclude certain computers from updating the description, by ignoring those that have an existing description starting with an underscore (_) character. I will update the code in the article to include this shortly.
' Build up description field data and save into computer object if different from current description
' We also do not update computers with a description that starts with an underscore (_)
newDescription = WshNetwork.UserName & " (" & serviceTag & " – " & manufacturer & " " & model & ")"
if not objComputer.Description = newDescription and not left(objComputer.Description, 1) = "_" then
    objComputer.Description = newDescription
    objComputer.SetInfo
end if
The script in the main article has now been updated to include the suggested changes!
Thanks for everyones input so far!
Geoff thanks a bunch!
At first I got “script error in line xx” because of these characters ( “ ” ‘ ).
I got the script working by changing them to ( " and ' ).
thx again.
/jesper
lol this comment system is ridiculous
side note: this script combined with “user group policy loopback processing mode” works really well. (merge mode)
this way you can target computer OU’s instead of user OU’s
(Desktop OU, Laptop OU, etc) – leaving Servers and misc computers “unharmed”
Dear Geoff Kendal,
Could you help me also add the Display Name field at the beginning of the Computer Description.
Many Thanks.
Hi Shindu,
I suggest you post in the new 4sysops forums! http://4sysops.com/forums/
We’ll be able to help you there!