In this article, you will learn how to store a user's current logged-on computer in the user object and how to retrieve it from Active Directory Users and Computers (ADUC).

Ruben Zimmermann

Ruben is an infrastructure specialist who specializes in Active Directory, public key infrastructure (PKI), and System Center Operations Manager. He automates in VBS, PowerShell and C#. Ruben lives in Suzhou, China, and you can follow him on Twitter @Ruben8Z.

Making the currently logged-on computer retrievable from Active Directory and showing it directly within ADUC can be useful for troubleshooting.

ADUC displaying the current logged on computer

To store information in Active Directory, you have to follow these steps:

  1. Allow user objects to update an (unused) attribute by themselves
  2. Create a VBScript that writes the current logged-on computer into that attribute
  3. Create and link a Group Policy Object (GPO) that calls the script on user logon processes

And these are the steps to retrieve information from ADUC:

  1. Modify the Active Directory object to customize the ADUC context menu
  2. Place a subfolder in netlogon to ensure the script has domain-wide distribution
  3. Write a VBScript that receives the selected user, gathers required information from Active Directory, and displays it

Allow user objects to update an Active Directory attribute

As a domain administrator, open ADUC and activate the advanced features.

Enabling Advanced Features in ADUC

Right-click the organizational unit (OU) where user accounts are located, and go to Properties > Security > Advanced > SELF > Edit.

ADUC showing the Permissions tab for a user's OU

Change to the Properties tab, scroll down, and tick Allow for the Read and Write street attribute.

(Microsoft uses the "st" attribute to store and display the street address.)

Permitting SELF to change the street attribute

Confirm all open windows by clicking OK and close ADUC.

VBScript to store the computer name in the user object

Open Notepad or another text editor of your choice and place the following lines of code into it.
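An added example, not the author's original script: a logon script that writes the current computer name into the attribute SELF was allowed to change. It assumes that attribute has the LDAP name street; the constant TARGET_ATTRIBUTE is an illustrative name.

```vbscript
' Added example (not from the original article).
' Runs in the user's own context at logon and writes the computer name
' into the user's own AD object. Because SELF holds the write permission,
' any user can also set this value by hand, so treat it as a
' troubleshooting hint and never as evidence of where a user was.
Option Explicit

Const TARGET_ATTRIBUTE = "street"   ' assumption: attribute opened for SELF

Dim objSysInfo, objNetwork, objUser, strUserDN, strComputer

Set objSysInfo = CreateObject("ADSystemInfo")     ' exposes the user's DN
Set objNetwork = CreateObject("WScript.Network")  ' exposes the computer name
strComputer = objNetwork.ComputerName

On Error Resume Next

' A "/" inside a DN must be escaped before it is used in an ADsPath.
strUserDN = Replace(objSysInfo.UserName, "/", "\/")
Set objUser = GetObject("LDAP://" & strUserDN)
If Err.Number <> 0 Then
    ' No domain controller reachable (for example a cached logon): do nothing.
    WScript.Quit 0
End If

objUser.Put TARGET_ATTRIBUTE, strComputer
objUser.SetInfo
If Err.Number <> 0 Then
    ' Write refused: the SELF permission is missing or has not replicated yet.
    WScript.Quit 1
End If

On Error GoTo 0
```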

Creating and linking a Group Policy Object (GPO)

Open the Group Policy Management Console (GPMC), select the OU where users are located, and either create a new GPO or modify an existing one. Navigate to User Configuration > Windows Settings > Scripts (Logon/Logoff) > Logon.

Navigating to the script storage in GPMC

Copy the script into the folder revealed by clicking on Show Files. Confirm the open windows and close the GPO configuration. After refreshing, the GPO will look like the picture below.

GPMC showing the GPO containing the script

Close GPMC.

Customizing the ADUC user context menu

The Admin-Context-Menu attribute in Active Directory allows placing custom entries in the context menu of computers, users, groups and other objects in ADUC. It is in the Configuration partition of Active Directory, and modifying it requires Enterprise Admin permissions.

Open ADSIEDIT.MSC as an enterprise admin, navigate to Configuration > CN=Configuration, CN=DisplaySpecifiers > CN=409 > CN=user-Display, and choose Properties:

ADSI showing display properties for the user object

Select adminContextMenu, click Edit, and add the following line:

  • 5 specifies the order; if already in use, choose another number
  • IT: Show the currently logged-on computer; the text appears in the context menu
  • mfst is the name of this domain
  • ADUCExtensions is a folder we need to create

Confirm the dialog boxes and close ADSIEDIT.

Place a subfolder in netlogon

This ensures that the script has domain-wide distribution. Log on to a domain controller, navigate to the netlogon share, and create a folder named ADUCExtensions. Keep the permissions but ensure that nobody except administrators can change the folder content.

VBScript to retrieve the computer name

The script below retrieves the computer name from the selected user object. Open Notepad or another text editor of your choice and place the following lines of code into it.

Name the file AD_Get-UserInfos.vbs and store it in the previously created folder ADUCExtensions.
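An added example, not the author's original script: a retrieval script for the ADUC context menu that reads the stored computer name from the selected user and handles a missing argument or an empty attribute. It assumes the attribute has the LDAP name street; TARGET_ATTRIBUTE, the dialog title and the placeholder domain in the comment are illustrative.

```vbscript
' Added example (not from the original article).
' Assumed adminContextMenu entry, with a placeholder for the domain name:
'   5,IT: Show the currently logged-on computer,\\<domain>\netlogon\ADUCExtensions\AD_Get-UserInfos.vbs
' ADUC starts the script under the administrator's credentials and passes
' the ADsPath of the selected object as the first argument.
Option Explicit

Const TARGET_ATTRIBUTE = "street"        ' assumption: attribute written at logon
Const DIALOG_TITLE = "Logged-on computer"

Dim objUser, strComputer

' Started by double-click or without a selection: no argument is present.
If WScript.Arguments.Count < 1 Then
    MsgBox "Start this script from the ADUC context menu of a user.", _
           vbExclamation, DIALOG_TITLE
    WScript.Quit 1
End If

On Error Resume Next
Set objUser = GetObject(WScript.Arguments(0))
If Err.Number <> 0 Then
    MsgBox "Cannot bind to " & WScript.Arguments(0), vbCritical, DIALOG_TITLE
    WScript.Quit 1
End If

' Get raises an error when the attribute has never been written.
strComputer = objUser.Get(TARGET_ATTRIBUTE)
If Err.Number <> 0 Then
    strComputer = ""
    Err.Clear
End If
On Error GoTo 0

If strComputer = "" Then
    MsgBox "No computer recorded for " & objUser.Name, vbInformation, DIALOG_TITLE
Else
    ' The value is writable by the user (SELF), so it is a hint, not proof.
    MsgBox objUser.Name & vbCrLf & "Last recorded computer: " & strComputer, _
           vbInformation, DIALOG_TITLE
End If
```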

Allow some time to replicate the changes and then see if everything works.

Questions and comments are welcome as usual. Please use the feedback form below.

8 Comments
  1. Mike Kanakos 1 year ago

    pretty cool trick! Nice article, super clear and to the point.

    2+

  2. peter 1 year ago

    looks cool, but before I go too far, will this method show all computers and servers the user is logged into without running the code multiple times?

    Thanks

    0

  3. Author
    Ruben Zimmermann 1 year ago

    Hi Peter,

    with this solution you will only have the current logged on computer stored in the user object.

    If you have the requirement to store all computers a user logs on, a modification of the first script is required.

    Let me know if you need it.

    0

  4. Randy 1 year ago

    The SELF user has all attributes grayed out.  I cannot change them.  I am not sure if I can disable inheritance or not without causing a problem (in case that is stopping me).  I am a domain admin.

    0

    • Author
      Ruben Zimmermann 1 year ago

      Hi Randy,

      it's hard to answer without seeing your screen or knowing your environment. What I suggest though would be:

      - Create a new OU / Sub-OU
      - Move 1 or 2 users into that OU
      - Customize the ACL
      - Test the solution above
      - Check if something is not working anymore. If there is, move the users back to origin

      According to my experience, you can safely stop inheritance, clear all permissions and add only the ones that you think of. If something is not working you can check the option again and restore the permissions. --> Test it with a test-user before doing it in production 😉

      Hope it could help.

      0

  5. Viktor 7 months ago

    Script AD_Get-UserInfos.vbs.vbs not running. 

    Line 31

    char 1

    Error: Subscript out of range

    Code: 800A0009

    Source: Microsoft VBScript runtime error

    I don't know VBA at all

    0

    • Swapnil Kambli 7 months ago

      Hi Viktor,

      Subscript out of range is thrown in VBS when an empty array is accessed for data.
      You can check the array for emptiness with the following code.

      If UBound(wshArguments) >= 0 Then
          Set objUser = GetObject(wshArguments(0))
      End If

      0


© 4sysops 2006 - 2020
