As a systems administrator, you’ve probably noticed that computer objects in Active Directory have a description field that is shown in the default view of the Active Directory users and computers MMC console. It’s very rare to see an IT department that makes regular use of this field for something useful – never mind keeping it up to date!
I thought that it would be a good idea to automatically populate this field with the last user to logon to the computer object. With a slight tweak to our AD security and a little bit of scripting, it’s quite easily achieved. I also added even more information to the field so I could see the system service tag and model number.
Active Directory description field
In order for this process to work, we will need to allow our authenticated domain users to edit the description values on computer objects. Be aware that by doing this, a malicious or cheeky user on your network could change the description on computer objects to anything they want. Given that mine were all empty, anyway, and that they get overwritten each time someone logs in, I didn’t think this would be a significant problem for me. To grant this access, perform the following steps:
- Open the Active Directory Users and Computers MMC
- Ensure you have ‘Advanced Features’ enabled (On the ‘view’ menu)
- Right click on your domain, and select ‘properties’ from the context menu
- On the ‘security’ tab, click the ‘advanced’ button
- Click the ‘add’ button, type ‘Authenticated Users’. Then click OK.
- In the permission entry dialogue, set the ‘apply to’ pull-down menu to ‘Descendant Computer Objects’, then in the permissions section, tick the allow options for ‘Write Description’
Once you’ve done this, click ‘OK’ on all, then close the ADUC MMC window.
The next stage is to put the script together. You can modify your script to get and insert any data you require; my example saves the username, service tag, and computer make/model. I’ve added a few comments to show what's going on:

```vbscript
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Get service tag and computer manufacturer
For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_SystemEnclosure")
    serviceTag = replace(objSMBIOS.SerialNumber, ",", ".")
    manufacturer = replace(objSMBIOS.Manufacturer, ",", ".")
Next

' Get computer model
For Each objComputer in objWMI.ExecQuery("Select * from Win32_ComputerSystem")
    model = trim(replace(objComputer.Model, ",", "."))
Next

' Get computer object in AD
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' Build up description field data and save into computer object if different from current description
' We also do not update computers with a description that starts with an underscore (_)
newDescription = WshNetwork.UserName & " (" & serviceTag & " – " & manufacturer & " " & model & ")"
if not objComputer.Description = newDescription and not left(objComputer.Description,1) = "_" then
    objComputer.Description = newDescription
    objComputer.SetInfo
end if
```
If you run this script as a regular user and then check ADUC, you should find that the computer object for the machine the script was run on now has its description field set.
All that remains now is to add the VBScript to the user login script. I do this via GPO (User configuration > Policies > Windows Settings > Scripts > Logon).
Once your GPO is updated, restart another system and log in again; once more, you should see that computer's AD object updated. Now you can sit back and relax while you watch your computer objects in AD fill up with useful information in the description field.
i do not have “descendant computer objects” on my apply to drop down. i’m running server 2003 enterprise sp2
@ht If you enable advanced features in ‘Active Directory Users & Computers’ does the option then become visible?
@geoff yes that is enabled
What’s the best way to prevent this from applying to my terminal server and other servers? I tried applying a deny write description permission to the machine itself, but it seems it is still overwriting. Should I reapply the delegate permission to the machine folders only, or apply a different kind of deny at the server or server OU level? Any help greatly appreciated.
Also, this is working for most machines, but is failing to write the serial number to AD on my HP 3405, 3505 and HP 500b models. ‘wmic bios get serialnumber’ works fine. Any ideas?
I came across an issue with HP Pro 3405, 3505 and HP 500B desktops (worked for my 6300 and all laptop series out of the box), where the script would not report the serial number. It updated the computer object description field with username and model just fine, so I knew the script was executing correctly with correct permissions to the computer objects.
I tested on the local machine using wmi queries: “wmi bios get serialnumber”, which worked. I then used “wmi systemenclosure get serialnumber” (I spotted the system enclosure reference after analysing the vb).
When I changed

```vbscript
For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_systemenclosure")
    serviceTag = replace(objSMBIOS.SerialNumber, ",", ".")
    manufacturer = replace(objSMBIOS.Manufacturer, ",", ".")
```

to

```vbscript
For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_BIOS")
```

it began to work, but also wrote ‘AMI’ (my BIOS manufacturer) into the AD description field! I then removed the manufacturer line, and `" " & manufacturer & " "` from later in the script.
It now works brilliantly and saves me time updating AD. Thanks to Geoff Kendall for the original script Joseph Moody for deployhappiness and the original idea for this kind of project after stumbling onto the site and troubleshooting assistance.
My Domain Controller is also 2003. I too cannot find the “descendant computer objects” in the drop down list.
I guess this is a problem with versions… but did anyone work out a way of getting that option to appear in the Server2003 system?
Thanks for this – works a treat. Could you possibly show me how to pipe the Chassis Type in there. It’s from the SystemEnclosure section again but pipes differently than the other properties.
Works well.
I removed the WshNetwork.UserName as I have added the script into my OSD Task in SCCM as I use SCCM to track users.
Cheers,
Active Directory does increment the USN each time a change is made. The USN is stored as a 64 bit number, so the maximum USN in AD is:
9,223,372,036,854,775,806
That’s 2 to the power of 64 minus 1. This means that if you had 100,000,000 changes every second in Active Directory, your USN would reach the maximum number in year 31,241.
Geoff, I have added the write description to our ADUC for Authenticated users, and set up the script in GPO and it runs fine for Domain Admins, but errors out on line 20 with Access is denied Code: 80070005 Source: Active Directory. I have verified that the users can get to the scripts directory and execute the script, but it errors as described. Domain Admins can run it just fine. Can you point me in the right direction to correct this? TIA
Hi – one of my admins wrote a version of this in 2005. Now with W7 we are not using login scripts, so it runs as a scheduled task a few seconds after login. We also pull location (taken from IP named range), which is great as it will change if the user logs the machine in at another corp location; and last logged in date/time as suggested earlier. Awesome for support to know if the user really has restarted when we asked them to; and for BA on the fleet. We have an exception group for machines that we don’t want to update their descriptions (useful for meeting room machines) and it's also set to preclude updates from Server Account logins – they are distinguished by their OU. We use all this in conjunction with another tool that writes out to a file share location the following – by domain, computers – users who have logged onto a specific computer name/s (first login only) and also by computer, all users who have logged on. Shows date and time. Between the two it answers a whole lot of questions!
Dear All,
I need few changes in the final script to add IP address of a computer with all other details mentioned above. Please help.
Thanks
Abid
any way to limit the write computer attribute to an OU instead of opening it up for the entire domain?
Somebody mentioned writing this in PowerShell. How can this be done without having to install the AD module on every client? Everything I see requires Set/Get-ADComputer, which requires the AD module.
Hey Geoff,
Thanks for the guide. Unfortunately I would like to be able to run it on each individual machine, locally. What would the script look like if it should be able to run locally?
best,
Alexander
Some computers (Acer, HP) do not have a service tag in Win32_SystemEnclosure.
Win32_BIOS should be checked first.

```vbscript
For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_BIOS")
    serviceTag = replace(objSMBIOS.SerialNumber, ",", ".")
Next
For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_SystemEnclosure")
    If Trim(serviceTag) = "" Then
        serviceTag = replace(objSMBIOS.SerialNumber, ",", ".")
    End If
    manufacturer = replace(objSMBIOS.Manufacturer, ",", ".")
Next
```
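A PowerShell port of the logon script, added here as an example (it is not the article author's or any commenter's code), for the commenter asking how to do this without the AD module and for the serial-number fallback just above: it uses only CIM and ADSI, tries Win32_BIOS before Win32_SystemEnclosure, reads the OEM from Win32_ComputerSystem rather than the BIOS vendor, and keeps the article's underscore opt-out. The function and parameter names are my own, and it assumes the 'Write Description' delegation from the article is in place.

```powershell
# Added example, not the article's script. Assumes: runs in the logon user's context,
# the 'Write Description' delegation exists, and no RSAT ActiveDirectory module is installed.

function Get-DeviceDescription {
    # Prefer Win32_BIOS for the serial; fall back to Win32_SystemEnclosure
    # (some HP/Acer desktops leave one of them blank, as noted in the comments).
    $bios      = Get-CimInstance -ClassName Win32_BIOS
    $enclosure = Get-CimInstance -ClassName Win32_SystemEnclosure | Select-Object -First 1
    $system    = Get-CimInstance -ClassName Win32_ComputerSystem

    $serviceTag = $bios.SerialNumber
    if ([string]::IsNullOrWhiteSpace($serviceTag)) { $serviceTag = $enclosure.SerialNumber }

    # Win32_ComputerSystem.Manufacturer is the OEM; Win32_BIOS.Manufacturer would give the BIOS vendor (e.g. 'AMI')
    $text = '{0} ({1} - {2} {3})' -f $env:USERNAME, $serviceTag, $system.Manufacturer, $system.Model
    # Replace commas as the original script does and collapse whitespace so re-runs compare cleanly
    return (($text -replace ',', '.') -replace '\s+', ' ').Trim()
}

function Update-ComputerDescription {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$NewDescription = (Get-DeviceDescription))

    # ADSystemInfo ships without a type library, so its properties are read via InvokeMember
    $sysInfo    = New-Object -ComObject ADSystemInfo
    $computerDn = [System.__ComObject].InvokeMember('ComputerName',
        [System.Reflection.BindingFlags]::GetProperty, $null, $sysInfo, $null)

    $computer = [ADSI]"LDAP://$computerDn"
    $current  = [string]$computer.Properties['description'].Value

    # Opt-out convention from the article: a leading underscore means "do not touch"
    if ($current.StartsWith('_')) { Write-Verbose "Skipping $computerDn (opt-out marker)"; return $false }
    if ($current -eq $NewDescription) { Write-Verbose 'Description already current'; return $false }

    if ($PSCmdlet.ShouldProcess($computerDn, "Set description to '$NewDescription'")) {
        $computer.Put('description', $NewDescription)
        $computer.SetInfo()
    }
    return $true
}

Update-ComputerDescription -Verbose
```

Run it once with `-WhatIf` on a test machine to confirm the DN and the value it would write before attaching it to a logon task or GPO.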
Our AD server is on Server 2003 and I’m not seeing the “Child Computer Objects” option. I do see “Computer objects”, but I guess that may include servers as well. I don’t see “Write Description” in the Permissions list for “Computer objects”.
Is there a way to achieve the same required limitations on Server 2003?
Says I'm missing a )
Thanks for the script, it’s working great.
How to add additional field for date/time login?
This method of granting rights in AD worked better for me. Use on an OU, not all of your domain.
1) Right-click the OU/container where computer accounts reside and choose “Delegate Permissions” (do NOT do it for the whole AD as this will allow editing description of any computer object including Domain Controllers)
2) Click “Next” and in the next dialog add “Domain Users” group
3) In the next dialog select “Create a custom task to delegate”
4) Select “only the following objects in the folder” and check “computer objects” in the listbox
5) Click Next. In the next dialog make sure only “Property specific” is checked under “Show these permissions”
6) Check “Write description”
7) Click Next and Finish
This looks really good – however I have not been able to get it to work.
Server 2012 R2 domain with Windows 10 – I have done the top bit and copied the script and saved as VBS and attached as a Logon Script – I have tested it but nothing happens.
Do I need to edit the script in any way?
Great script! The information is really useful
The script looks exactly what I need but for one thing. Instead of account name of the last user who logged on to this machine can this be changed to the primary user account name who logged on to the domain machine ?
Hi All,
Does anyone know how I can edit this to include PC RAM size and PC HDD size?
Regards