Updating Domain Computer Objects with User and Machine Information

KB ID 0001340 Dtd 24/08/17

Problem

I can’t really take the credit for this; I was at a client’s site a few weeks ago, and they were doing this. I thought, ‘That’s cool, I’ll have a play with that when I get the chance’.

Essentially, you update the description of the Computer object(s) in AD so that they list:

  • The last user who logged on.
  • What time they logged on.
  • What AD ‘Site’ the machine is in.
  • Model of the PC/Laptop.
  • Serial Number of the machine.
  • Operating System.
  • 32 or 64 bit.

I tested it in VMware so my machine type and serial number are a little misleading but this is what it looks like.

Show Computer Logged on User in AD

Now I can think of loads of situations when that information would be very helpful.

Solution

So how do you do it? Well, making a change to a computer’s ‘Description’ field in AD requires some rights. Locate the OU (or OUs) that contain your computers/servers and open the advanced properties on their security tab.

Rights to Computer Objects

You can either ‘Add’ (as shown), or select the existing ‘Authenticated Users’ object from the list.

Rights to Computer Objects Authenticated Users

Change the ‘Applies to’ section to ‘Descendant Computer Objects’.

Descendant Computer Objects

Scroll down and tick ‘Write Description’.

Write Description Descendant Computer Objects

Isn’t that dangerous? Well, not really: it gives users the right to change a computer object’s description field, and they would need to have the technical ability to do so. And if they did, it would get overwritten the next time a user logged onto that machine anyway.
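Because the right is granted to a broad principal on every computer object under the OU, it is worth confirming that the ACE grants exactly ‘Write Description’ on descendant computer objects and nothing wider. The following is an added example, not part of the original article or its download; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original article. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$OuDn = 'OU=Workstations,DC=example,DC=com'   # placeholder: DN of the OU you delegated on

# Resolve the schema GUIDs of the 'description' attribute and the 'computer' class.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$descGuid     = Get-SchemaGuid 'description'
$computerGuid = Get-SchemaGuid 'computer'

# Broad principals: Authenticated Users, Everyone, and Domain Users (RID 513).
$broadSids  = 'S-1-5-11', 'S-1-1-0'
$ADR        = [System.DirectoryServices.ActiveDirectoryRights]
$modifyMask = $ADR::WriteProperty -bor $ADR::WriteDacl -bor $ADR::WriteOwner -bor
              $ADR::CreateChild -bor $ADR::DeleteChild -bor $ADR::Delete -bor $ADR::DeleteTree

# Read the OU's ACL with identities returned as SIDs, so the check is language-independent.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object {
        $sid = $_.IdentityReference.Value
        $_.AccessControlType -eq 'Allow' -and
        ($broadSids -contains $sid -or $sid -like 'S-1-5-21-*-513') -and
        ($_.ActiveDirectoryRights -band $modifyMask)
    } |
    ForEach-Object {
        # The delegation described above: write to 'description' only, on descendant computers only.
        $expected = $_.ActiveDirectoryRights.ToString() -in 'WriteProperty', 'ReadProperty, WriteProperty' -and
                    $_.ObjectType -eq $descGuid -and
                    $_.InheritedObjectType -eq $computerGuid -and
                    $_.InheritanceType -eq 'Descendents'
        [pscustomobject]@{
            Sid       = $_.IdentityReference.Value
            Rights    = $_.ActiveDirectoryRights
            Attribute = $_.ObjectType
            AppliesTo = $_.InheritedObjectType
            Inherited = $_.IsInherited
            Verdict   = if ($expected) { 'OK: Write Description only' } else { 'REVIEW: wider than Write Description' }
        }
    } | Format-Table -AutoSize -Wrap
```

Any row marked REVIEW is a modifying right held by a broad group on that OU that is not the single-attribute delegation described here.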

Download the ComputerDescriptionLogonStamp.zip file, and extract the two files you find inside it, into your domain netlogon share (\\{your-domain-name}\netlogon). Edit the domain name in the ComputerDescriptionLogonStamp.bat file so it matches YOUR domain name not mine!

Computer Information Script

Now create a new Group Policy Object, linked to your USERS.

User Login Script Policy

Edit the policy, and navigate to:

User Configuration > Windows Settings > Scripts > Logon

User Login Script Group Policy

Add in the UNC path to the ComputerDescriptionLogonStamp.bat file. (Note: Make sure you use a UNC path to your Netlogon folder, and do NOT browse locally to the file. If the path looks like C:\windows\sysvol\pnl.con\sysvol\ComputerDescriptionLogonStamp.bat, IT WON’T WORK.)

User Login Script GPO

Close the Group Policy editor, then either wait, or force a group policy update.

Windows – Forcing Domain Group Policy


Author: PeteLong


2 Comments

  1. That’s brilliant! I always wanted to get that information from the machines and never found anything as well explained as that.
    Thank you so much!
