diff --git a/README.md b/README.md index cf8e5d4..7f76bd4 100644 --- a/README.md +++ b/README.md 
@@ -1,3 +1,80 @@ # ad-managed-by-logon -PowerShell logon script that sets the Active Directory computer object's "Managed By" attribute to the currently logged-in user \ No newline at end of file +PowerShell logon script that automatically sets the Active Directory computer object's **"Managed By"** attribute to the currently logged-in user. This gives you a quick way to see who last logged into any machine by checking the Managed By tab in AD Users & Computers. + +## How It Works + +1. User logs in → GPO fires the logon script +2. Script finds the **user's DN** and the **computer's DN** in AD +3. Sets the computer's `managedBy` attribute to the user's DN +4. Skips the write if it's already correct (no unnecessary AD writes) +5. Skips entirely for local (non-domain) logins + +The script tries the **ActiveDirectory PowerShell module** first. If RSAT isn't installed on the client, it falls back to **ADSI/DirectorySearcher** which requires no modules at all. + +## Prerequisites + +### 1. Delegate AD Permissions + +By default, regular users can't write to computer objects. You need to delegate the `managedBy` attribute on the OU(s) containing your computer accounts. + +**Steps (AD Users & Computers):** + +1. Right-click the **OU** containing your computer objects → **Delegate Control** +2. Click **Next**, then **Add** → select **Authenticated Users** (or a specific group) → **OK** +3. Select **Create a custom task to delegate** → **Next** +4. Choose **Only the following objects in the folder** → tick **Computer objects** → **Next** +5. Tick **Property-specific**, then scroll down and tick: + - **Write Managed By** +6. **Next** → **Finish** + +Repeat for each OU containing computers you want tracked. + +### 2. (Optional) RSAT on Clients + +The script works without RSAT via the ADSI fallback. 
If you want the cleaner AD module path, install RSAT: + +```powershell +# Windows 10/11 +Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 +``` + +## Deployment via GPO + +1. Copy `Set-ComputerManagedBy.ps1` to your **NETLOGON** share (or a SYSVOL subfolder): + ``` + \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1 + ``` + +2. Open **Group Policy Management**, create or edit a GPO linked to the OU(s) with your users. + +3. Navigate to: + ``` + User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) → Logon + ``` + +4. Click **Show Files** (optional, to confirm the path), then **Add**: + - **Script Name:** `\\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1` + - **Parameters:** *(leave blank)* + +5. Move to the **PowerShell Scripts** tab if using the newer GPO editor, and add it there instead if preferred. + +6. Run `gpupdate /force` on a test machine and log in to verify. + +## Logging + +The script logs to `%TEMP%\Set-ComputerManagedBy.log` on each client. The log auto-rotates at 256 KB. Check this file to troubleshoot permission or lookup issues. + +## Verifying It Works + +After a user logs in: + +1. Open **AD Users & Computers** +2. Find the computer object → **Properties** → **Managed By** tab +3. You should see the last logged-in user's name and details + +Alternatively, in PowerShell: + +```powershell +Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy +```
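Review bot: The delegation step under "1. Delegate AD Permissions" tells readers to grant **Write Managed By** on computer objects to **Authenticated Users**, which lets any domain account set `managedBy` on any computer in that OU, not only the one it is logged into; that undercuts the opening claim that the attribute is "a quick way to see who last logged into any machine". Suggest making the specific group the primary recommendation (e.g. "select a group containing the users you want tracked (Authenticated Users works but lets every domain account overwrite the value on every computer in the OU)") and adding one sentence to "How It Works" stating that the value is informational and user-writable, so it should not be treated as an audit trail. Also, "Skips the write if it's already correct" in the intro and the "The log auto-rotates at 256 KB" line in "Logging" describe behaviour of `Set-ComputerManagedBy.ps1`, but the script itself is not part of this diff; the README should say where the script lives in the repo so the claims can be checked against it.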