Last User KB ID 0001340
Problem
I can’t really take the credit for this; I was at a client’s site a few weeks ago, and they were doing this. I thought, ‘That’s cool, I’ll have a play with that when I get the chance’.
Essentially, you update the description of the Computer object(s) in AD so that they list:
- The last user who logged on.
- What time they logged on.
- What AD ‘Site’ the machine is in.
- Model of the PC/Laptop.
- Serial Number of the machine.
- Operating System.
- 32 or 64 bit.
I tested it in VMware so my machine type and serial number are a little misleading but this is what it looks like.
Now I can think of loads of situations when that information would be very helpful!
Solution : Last User
So how do you do it? Making a change to a computer’s ‘Description’ field in AD requires some rights. Locate the OU (or OUs) that contain your computers/servers and open the advanced properties on their security tab.
You can either ‘Add’ (as shown), or select the existing ‘Authenticated Users’ object from the list.
Change the ‘Applies to’ section to ‘Descendant Computer Objects’.
Scroll down and tick ‘Write Description’.
Isn’t that dangerous? Well, not really: it gives users the right to change a computer object’s description field, and they would need the technical ability to do so. If they did, it would get overwritten the next time a user logged on to that machine anyway.
Download the ComputerDescriptionLogonStamp.zip file, and extract the two files you find inside it into your domain netlogon share (\\{your-domain-name}\netlogon). Edit the domain name in the ComputerDescriptionLogonStamp.bat file so it matches YOUR domain name, not mine!
Now create a new Group Policy Object, linked to your USERS.
Edit the policy, and navigate to:
User Configuration > Windows Settings > Scripts > Logon
Add in the UNC path to the ComputerDescriptionLogonStamp.bat file. (Note: Make sure you use a UNC path to your Netlogon folder, and do NOT browse locally to the file; if the path looks like C:\windows\sysvol\pnl.con\sysvol\ComputerDescriptionLogonStamp.bat, IT WON’T WORK.)
Close the Group policy editor, then either wait, or force a group policy update.
Windows – Forcing Domain Group Policy
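The contents of the downloaded files are not reproduced on this page. As an added example (not the author's script), the PowerShell logon script below writes the same seven fields to the machine's own computer object, relying on the 'Write Description' permission delegated above; the pipe-separated layout, the 1024-character cap and the variable names are assumptions.

```powershell
# Added example, not the ComputerDescriptionLogonStamp files from the download.
# Runs in the context of the user logging on, so it only works once
# 'Write Description' has been delegated on the OU as described above.
$ErrorActionPreference = 'Stop'
try {
    # Hardware and OS details from WMI/CIM (requires PowerShell 3.0 or later).
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem

    # AD site the machine currently resolves to.
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

    # The fields the article lists, in the same order.
    $fields = @(
        "$($env:USERDOMAIN)\$($env:USERNAME)"   # last user
        (Get-Date -Format 'yyyy-MM-dd HH:mm')   # logon time
        $site                                   # AD site
        $cs.Model                               # model
        $bios.SerialNumber                      # serial number
        $os.Caption                             # operating system
        $os.OSArchitecture                      # 32 or 64 bit
    )

    # Assumed layout: trimmed values joined with ' | '.
    $text = ($fields | ForEach-Object { "$_".Trim() }) -join ' | '

    # Assumed cap, so an unusually long WMI value cannot make the write fail.
    if ($text.Length -gt 1024) { $text = $text.Substring(0, 1024) }

    # Find this machine's own computer object; no domain name is hard-coded.
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$($env:COMPUTERNAME)`$))"
    $searcher = [adsisearcher]$filter
    $result   = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found." }

    # Overwrite the description and commit the change to AD.
    $entry = $result.GetDirectoryEntry()
    $entry.Put('description', $text)
    $entry.SetInfo()
}
catch {
    # A failed stamp (no DC reachable, permission not delegated) must not disrupt logon.
    exit 0
}
```

A script like this can be added on the PowerShell Scripts tab of the same Logon policy setting. Because every authenticated user can write the field, treat the stamp as an inventory aid rather than an audit record of logons.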