Add full deployment and delegation documentation
This commit is contained in:
@@ -1,3 +1,80 @@
|
||||
# ad-managed-by-logon
|
||||
|
||||
PowerShell logon script that sets the Active Directory computer object's "Managed By" attribute to the currently logged-in user
|
||||
PowerShell logon script that automatically sets the Active Directory computer object's **"Managed By"** attribute to the currently logged-in user. This gives you a quick way to see who last logged into any machine by checking the Managed By tab in AD Users & Computers.
|
||||
|
||||
## How It Works
|
||||
|
||||
1. User logs in → GPO fires the logon script
|
||||
2. Script finds the **user's DN** and the **computer's DN** in AD
|
||||
3. Sets the computer's `managedBy` attribute to the user's DN
|
||||
4. Skips the write if it's already correct (no unnecessary AD writes)
|
||||
5. Skips entirely for local (non-domain) logins
|
||||
|
||||
The script tries the **ActiveDirectory PowerShell module** first. If RSAT isn't installed on the client, it falls back to **ADSI/DirectorySearcher** which requires no modules at all.
|
||||
|
||||
## Prerequisites
|
||||
|
||||
### 1. Delegate AD Permissions
|
||||
|
||||
By default, regular users can't write to computer objects. You need to delegate the `managedBy` attribute on the OU(s) containing your computer accounts.
|
||||
|
||||
**Steps (AD Users & Computers):**
|
||||
|
||||
1. Right-click the **OU** containing your computer objects → **Delegate Control**
|
||||
2. Click **Next**, then **Add** → select **Authenticated Users** (or a specific group) → **OK**
|
||||
3. Select **Create a custom task to delegate** → **Next**
|
||||
4. Choose **Only the following objects in the folder** → tick **Computer objects** → **Next**
|
||||
5. Tick **Property-specific**, then scroll down and tick:
|
||||
- **Write Managed By**
|
||||
6. **Next** → **Finish**
|
||||
|
||||
Repeat for each OU containing computers you want tracked.
|
||||
|
||||
### 2. (Optional) RSAT on Clients
|
||||
|
||||
The script works without RSAT via the ADSI fallback. If you want the cleaner AD module path, install RSAT:
|
||||
|
||||
```powershell
|
||||
# Windows 10/11
|
||||
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
|
||||
```
|
||||
|
||||
## Deployment via GPO
|
||||
|
||||
1. Copy `Set-ComputerManagedBy.ps1` to your **NETLOGON** share (or a SYSVOL subfolder):
|
||||
```
|
||||
\\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1
|
||||
```
|
||||
|
||||
2. Open **Group Policy Management**, create or edit a GPO linked to the OU(s) with your users.
|
||||
|
||||
3. Navigate to:
|
||||
```
|
||||
User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) → Logon
|
||||
```
|
||||
|
||||
4. Click **Show Files** (optional, to confirm the path), then **Add**:
|
||||
- **Script Name:** `\\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1`
|
||||
- **Parameters:** *(leave blank)*
|
||||
|
||||
5. Move to the **PowerShell Scripts** tab if using the newer GPO editor, and add it there instead if preferred.
|
||||
|
||||
6. Run `gpupdate /force` on a test machine and log in to verify.
|
||||
|
||||
## Logging
|
||||
|
||||
The script logs to `%TEMP%\Set-ComputerManagedBy.log` on each client. The log auto-rotates at 256 KB. Check this file to troubleshoot permission or lookup issues.
|
||||
|
||||
## Verifying It Works
|
||||
|
||||
After a user logs in:
|
||||
|
||||
1. Open **AD Users & Computers**
|
||||
2. Find the computer object → **Properties** → **Managed By** tab
|
||||
3. You should see the last logged-in user's name and details
|
||||
|
||||
Alternatively, in PowerShell:
|
||||
|
||||
```powershell
|
||||
Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy
|
||||
```
|
||||
|
||||
Reference in New Issue
Block a user