Update README for two-way user/computer tracking (Notes field)
@@ -1,20 +1,32 @@
# ad-managed-by-logon
PowerShell logon script that automatically sets the Active Directory computer object's **"Managed By"** attribute to the currently logged-in user. This gives you a quick way to see who last logged into any machine by checking the Managed By tab in AD Users & Computers.
PowerShell logon script that automatically links users and computers in Active Directory at each login:
- Sets the **computer's "Managed By"** tab to the logged-in user
- Sets the **user's "Notes"** field (Telephones tab) to the computer name and login timestamp
This gives you a two-way lookup: find who last used a machine from the computer object, or find which machine a user last logged into from the user object.
## How It Works
1. User logs in → GPO fires the logon script
2. Script finds the **user's DN** and the **computer's DN** in AD
3. Sets the computer's `managedBy` attribute to the user's DN
4. Skips the write if it's already correct (no unnecessary AD writes)
5. Skips entirely for local (non-domain) logins
3. Sets the computer's `managedBy` attribute → user's DN
4. Sets the user's `info` attribute → `Last logon: COMPUTERNAME (2026-04-21 09:15)`
5. Skips writes if values are already correct (no unnecessary AD replication)
6. Skips entirely for local (non-domain) logins
The script tries the **ActiveDirectory PowerShell module** first. If RSAT isn't installed on the client, it falls back to **ADSI/DirectorySearcher** which requires no modules at all.
## What You'll See in ADUC
**Computer object → Managed By tab:** Shows the last user who logged in.
**User object → Telephones tab → Notes field:** Shows `Last logon: PC-LAB-01 (2026-04-21 09:15)`
## Prerequisites
### 1. Delegate AD Permissions
### 1. Delegate AD Permissions (Computer Objects)
By default, regular users can't write to computer objects. You need to delegate the `managedBy` attribute on the OU(s) containing your computer accounts.
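Review bot: In the new "How It Works" list, step 5 ("Skips writes if values are already correct") cannot hold for the user-side write added in step 4, because the `info` value embeds a login timestamp that changes on every logon, so the user object is modified and replicated at each login. Either state that only the `managedBy` write is skipped, or describe the intended behaviour (for example, rewrite `info` only when the computer name changes or the stored timestamp is older than some threshold). The same section should also say that the Notes field is overwritten wholesale, since anything an admin previously stored there will be lost.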
@@ -30,7 +42,11 @@ By default, regular users can't write to computer objects. You need to delegate
Repeat for each OU containing computers you want tracked.
### 2. (Optional) RSAT on Clients
### 2. User Notes Field (No Delegation Needed)
Users can write their own `info` attribute by default in AD — it's part of the "Personal Information" property set. No extra delegation is required for this.
### 3. (Optional) RSAT on Clients
The script works without RSAT via the ADSI fallback. If you want the cleaner AD module path, install RSAT:
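Review bot: The new "User Notes Field (No Delegation Needed)" section needs two caveats. First, the claim that users can write their own `info` attribute depends on the default SELF write permission on user objects still being present; hardened domains often remove it, so tell admins how to confirm it (the user object's Security tab, SELF, write access to the Personal Information property set) and have the script log rather than fail when that write is denied. Second, because the value is written by the user's own account, the "Last logon" text in Notes is self-asserted and can be changed by the user, so the README should describe it as a convenience hint rather than an audit record; the same applies to `managedBy` once write access is delegated on the OU, which the computer-objects section should state explicitly.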
@@ -67,14 +83,16 @@ The script logs to `%TEMP%\Set-ComputerManagedBy.log` on each client. The log au
## Verifying It Works
After a user logs in:
1. Open **AD Users & Computers**
2. Find the computer object → **Properties** → **Managed By** tab
3. You should see the last logged-in user's name and details
Alternatively, in PowerShell:
After a user logs in, check both sides:
**Computer side:**
```powershell
Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy
```
**User side:**
```powershell
Get-ADUser USERNAME -Properties info | Select-Object Name, info
```
Or visually in ADUC: Computer → Managed By tab, and User → Telephones tab → Notes.
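Review bot: The two verification commands in "Verifying It Works" require the ActiveDirectory module, which the README elsewhere calls optional on clients, so say that they are meant to be run from a machine with RSAT (or a domain controller) rather than from the client where the logon script ran. It would also help to note beside the computer-side command that `managedBy` comes back as the user's distinguished name, so the reader knows what to expect. Finally, the hunk header still names the log `%TEMP%\Set-ComputerManagedBy.log`; since the script now performs two writes, confirm the log entries say which of the `managedBy` and `info` writes succeeded or was skipped.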