Automatically fill the computer description field in Active Directory

In this article I introduce a VBScript script that populates the description field of the Active Directory computer object with the account name of the last user who logged on to this machine.

As a systems administrator, you’ve probably noticed that computer objects in Active Directory have a description field that is shown in the default view of the Active Directory users and computers MMC console. It’s very rare to see an IT department that makes regular use of this field for something useful – never mind keeping it up to date!

I thought that it would be a good idea to automatically populate this field with the account name of the last user to log on to the computer. With a slight tweak to our AD security and a little bit of scripting, it’s quite easily achieved. I also added even more information to the field so I could see the system service tag and model number.

[Figure: Active Directory description field]

In order for this process to work, we will need to allow our authenticated domain users to edit the description values on computer objects. Be aware that by doing this, a malicious or cheeky user on your network could change the description on computer objects to anything they want. Given that mine were all empty, anyway, and that they get overwritten each time someone logs in, I didn’t think this would be a significant problem for me. To grant this access, perform the following steps:

  1. Open the Active Directory Users and Computers MMC
  2. Ensure you have ‘Advanced Features’ enabled (On the ‘view’ menu)
  3. Right click on your domain, and select ‘properties’ from the context menu
  4. On the ‘security’ tab, click the ‘advanced’ button
  5. Click the ‘add’ button, type ‘Authenticated Users’. Then click OK.
  6. In the permission entry dialogue, set the ‘apply to’ pull-down menu to ‘Descendant Computer Objects’, then in the permissions section, tick the allow options for ‘Write Description’

[Figure: Permission entry dialogue]

Once you’ve done this, click ‘OK’ on all, then close the ADUC MMC window.

The next stage is to put the script together. You can modify the script to collect and insert any data you require; my example saves the username, service tag, and computer make/model. I’ve added a few comments to show what's going on:
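The following logon script is an added example of that approach, not the article's original; it assumes the "Write Description" permission from the steps above is in place, reads the model from Win32_ComputerSystem, and uses ADSystemInfo to find the computer's own distinguished name.

```vbscript
' Added example, not the article's own script: write the logged-on user,
' service tag and make/model into this computer's AD description field.
' Assumes Authenticated Users hold "Write Description" on descendant
' computer objects, as granted in the steps above.
Option Explicit
On Error Resume Next
Dim wmi, item, sysInfo, computer, productType
Dim userName, serviceTag, maker, model, newDescription, oldDescription
Set wmi = GetObject("winmgmts:\\.\root\cimv2")

' Skip servers and DCs (Win32_OperatingSystem.ProductType: 1 = workstation).
' The ACL is the real control; this only keeps the script off server objects.
For Each item In wmi.ExecQuery("Select ProductType from Win32_OperatingSystem")
    productType = item.ProductType
Next
If productType <> 1 Then WScript.Quit 0

userName = CreateObject("WScript.Network").UserName

' Serial number: Win32_BIOS first, Win32_SystemEnclosure as a fallback,
' since some vendors populate only one of them.
serviceTag = ""
For Each item In wmi.ExecQuery("Select SerialNumber from Win32_BIOS")
    serviceTag = Trim(item.SerialNumber & "")
Next
If serviceTag = "" Then
    For Each item In wmi.ExecQuery("Select SerialNumber from Win32_SystemEnclosure")
        serviceTag = Trim(item.SerialNumber & "")
    Next
End If
For Each item In wmi.ExecQuery("Select Manufacturer, Model from Win32_ComputerSystem")
    maker = Trim(item.Manufacturer & "")
    model = Trim(item.Model & "")
Next

' Commas are swapped for dots so the field still exports cleanly as CSV.
newDescription = Replace(userName & " | " & serviceTag & " | " & maker & " " & model, ",", ".")

' ADSystemInfo gives the DN of the computer this script is running on.
Set sysInfo = CreateObject("ADSystemInfo")
Set computer = GetObject("LDAP://" & sysInfo.ComputerName)

' Write only when the value changed: every write bumps the USN and replicates.
oldDescription = computer.Get("description") & ""   ' errors if unset; masked above
Err.Clear
If oldDescription <> newDescription Then
    computer.Put "description", newDescription
    computer.SetInfo
    If Err.Number <> 0 Then WScript.Echo "AD write failed: 0x" & Hex(Err.Number)
End If
```

Run it with cscript.exe from a logon script; a non-zero Err.Number after SetInfo (for example 80070005) means the permission grant has not reached this computer object.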

If you run this script as a regular user and then check ADUC, you should find that the computer object for the machine the script was run from now has its description field set.

All that remains now is to add the VBScript to the user logon script. I do this via GPO (User configuration > Policies > Windows Settings > Scripts > Logon).
Once your GPO is updated, restart another system and log in again; once more, you should see that computer's AD object updated. Now you can sit back and relax while you watch your computer objects in AD fill up with useful information in the description field.

49 Comments
  1. ht 7 years ago

    I do not have "descendant computer objects" in my apply to drop down. I'm running server 2003 enterprise sp2

  2. Geoff Kendal 7 years ago

    @ht If you enable advanced features in 'Active Directory Users & Computers' does the option then become visible?

  3. ht 7 years ago

    @geoff Yes, that is enabled.

  4. Sam Willden 7 years ago

    What's the best way to prevent this from applying to my terminal server and other servers? I tried applying a deny write description permission to the machine itself, but it seems it is still overwriting. Should I reapply the delegate permission to the machine folders only, or apply a different kind of deny at the server or server OU level? Any help greatly appreciated.

  5. Sam Willden 7 years ago

    Also, this is working for most machines, but is failing to write the serial number to AD on my HP 3405, 3505 and HP 500b models. 'wmic bios get serialnumber' works fine. Any ideas?

  6. Sam Willden 7 years ago

    I came across an issue with HP Pro 3405, 3505 and HP 500B desktops (worked for my 6300 and all laptop series out of the box), where the script would not report the serial number. It updated the computer object description field with username and model just fine, so I knew the script was executing correctly with correct permissions to the computer objects.
    I tested on the local machine using WMI queries: "wmi bios get serialnumber", which worked. I then used "wmi systemenclosure get serialnumber" (I spotted the system enclosure reference after analysing the VB).

    when I changed For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_systemenclosure")
    serviceTag = replace(objSMBIOS.SerialNumber, ",", ".")
    manufacturer = replace(objSMBIOS.Manufacturer, ",", ".")
    to
    For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_BIOS")
    it began to work, but also wrote 'AMI', (my BIOS manufacturer), into the AD description field! I then removed the manufacturer line, and " " & manufacturer & " " from later in the script.
    It now works brilliantly and saves me time updating AD. Thanks to Geoff Kendall for the original script, and to Joseph Moody for deployhappiness and the original idea for this kind of project, after stumbling onto the site, and for troubleshooting assistance.

  7. James 7 years ago

    My Domain Controller is also 2003. I too cannot find the "descendant computer objects" in the drop down list.

    I guess this is a problem with versions... but did anyone work out a way of getting that option to appear in the Server2003 system?

  8. Jason 7 years ago

    Thanks for this - works a treat. Could you possibly show me how to pipe the Chassis Type in there. It's from the SystemEnclosure section again but pipes differently than the other properties.

  9. Natty 7 years ago

    Works well.
    I removed the WshNetwork.UserName as I have added the script into my OSD Task in SCCM as I use SCCM to track users.

    Cheers,

  10. schmultzburger 6 years ago

    Active Directory does increment the USN each time a change is made. The USN is stored as a 64 bit number, so the maximum USN in AD is:

    9,223,372,036,854,775,806

    That’s 2 to the power of 64 minus 1. This means that if you had 100,000,000 changes every second in Active Directory, your USN would reach the maximum number in year 31,241.

  11. Geoff, I have added the write description to our ADUC for Authenticated users, and set up the script in GPO and it runs fine for Domain Admins, but errors out on line 20 with Access is denied Code: 80070005 Source: Active Directory. I have verified that the users can get to the scripts directory and execute the script, but it errors as described. Domain Admins can run it just fine. Can you point me in the right direction to correct this? TIA

  12. Wendy68 6 years ago

    Hi - one of my admins wrote a version of this in 2005. Now with W7 we are not using login scripts, so it runs as a scheduled task a few seconds after login. We also pull location (taken from IP named range), which is great as it will change if the user logs the machine on at another corp location; and last logged in date/time as suggested earlier. Awesome for support to know if the user really has restarted when we asked them to; and for BA on the fleet. We have an exception group for machines that we don't want to update their descriptions (useful for meeting room machines), and it's also set to preclude updates from Server Account logins - they are distinguished by their OU. We use all this in conjunction with another tool that writes out to a file share location the following - by domain, computers - users who have logged onto a specific computer name/s (first login only) and also by computer, all users who have logged on. Shows date and time. Between the two it answers a whole lot of questions!

  13. Abid 6 years ago

    Dear All,

    I need a few changes in the final script to add the IP address of a computer with all other details mentioned above. Please help.

    Thanks
    Abid

  14. eril 5 years ago

    Any way to limit the write computer attribute to an OU instead of opening it up for the entire domain?

  15. eric 5 years ago

    Somebody mentioned writing this in PowerShell. How can this be done without having to install the AD module on every client? Everything I see requires Set/Get-ADComputer, which requires the AD module.

  16. Alexander 5 years ago

    Hey Geoff,

    Thanks for the guide. Unfortunately I would like to be able to run it on each individual machine, locally. What would the script look like if it should be able to run locally?

    best,
    Alexander

  17. Sergey Mozhzhukhin 5 years ago

    Some computers (Acer, HP) do not have service tag in Win32_SystemEnclosure.
    Win32_BIOS should be checked first.

    For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_BIOS")
        serviceTag = replace(objSMBIOS.SerialNumber, ",", ".")
    Next

    For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_SystemEnclosure")
        if Trim(serviceTag)="" then
            serviceTag = replace(objSMBIOS.SerialNumber, ",", ".")
        End If
        manufacturer = replace(objSMBIOS.Manufacturer, ",", ".")
    Next

  18. Ken Whitmore 4 years ago

    Our AD server is on Server 2003 and I'm not seeing the "Child Computer Objects" option. I do see "Computer objects", but I guess that may include servers as well. I don't see "Write Description" in the Permissions list for "Computer objects".

    Is there a way to achieve the same required limitations on Server 2003?

  19. noncodingguy 4 years ago

    Says I'm missing a )

  20. key 4 years ago

    Thanks for the script, it's working great.

    How to add additional field for date/time login?

  21. Ed Hammond 3 years ago

    This method of granting rights in AD worked better for me. Use on an OU, not all of your domain.

    1) Right-click the OU/container where computer accounts reside and choose "Delegate Permissions" (do NOT do it for the whole AD as this will allow editing description of any computer object including Domain Controllers)
    2) Click "Next" and in the next dialog add "Domain Users" group
    3) In the next dialog select "Create a custom task to delegate"
    4) Select "only the following objects in the folder" and check "computer objects" in the listbox
    5) Click Next. In the next dialog make sure only "Property specific" is checked under "Show these permissions"
    6) Check "Write description"
    7) Click Next and Finish

  22. Sameer Sami 3 years ago

    This looks really good - however I have not been able to get it to work.

    Server 2012 R2 domain with Windows 10 - I have done the top bit and copied the script and saved as VBS and attached as a Logon Script - I have tested it but nothing happens.

    Do I need to edit the script in any way?

  23. Brennero 2 years ago

    Great script! The information is really useful

  24. Donato 1 year ago

    The script looks exactly what I need but for one thing. Instead of account name of the last user who logged on to this machine can this be changed to the primary user account name who logged on to the domain machine ?
© 4sysops 2006 - 2020