From bf7f0762c10c298a88f744e3797e60847623b2dd Mon Sep 17 00:00:00 2001
From: jessikitty
Date: Tue, 21 Apr 2026 15:21:04 +1000
Subject: [PATCH] Split into separate try/catch blocks so ManagedBy failure does not block Notes
---
 Set-ComputerManagedBy.ps1 | 196 +++++++++++++++++++++-----------------
 1 file changed, 111 insertions(+), 85 deletions(-)
diff --git a/Set-ComputerManagedBy.ps1 b/Set-ComputerManagedBy.ps1
index b693706..1a0f074 100644
--- a/Set-ComputerManagedBy.ps1
+++ b/Set-ComputerManagedBy.ps1
@@ -9,6 +9,8 @@
 1. Sets the computer object's "managedBy" attribute to the user's DN
 2. Sets the user object's "info" attribute (Notes / Telephones tab) to the computer name
+ Each operation runs independently - if one fails the other still runs. + PREREQUISITES: - AD permissions must be delegated so that Authenticated Users (or Domain Users) can WRITE the "managedBy" attribute on Computer objects in the relevant OU(s).
@@ -63,93 +65,117 @@ try {
 # -- Build the notes string ----------------------------------------------------
 $notesValue = "Last logon: $computerName ($loginTimestamp)"
-try {
- if ($useADModule) {
- # -- AD Module path ----------------------------------------------------
+# -- Resolve user and computer DNs --------------------------------------------
+$userDN = $null
+$userObj = $null
+$computerDN = $null
+
+if ($useADModule) {
+ try {
 $userObj = Get-ADUser -Identity $currentUser -Properties info -ErrorAction Stop
- $computerObj = Get-ADComputer -Identity $computerName -Properties managedBy -ErrorAction Stop
-
- # Set computer ManagedBy
- if ($computerObj.managedBy -eq $userObj.DistinguishedName) {
- Write-Log "ManagedBy already set to $currentUser. No change needed."
- } else {
- Set-ADComputer -Identity $computerName -ManagedBy $userObj.DistinguishedName -ErrorAction Stop
- Write-Log "SUCCESS: Set ManagedBy on '$computerName' to '$($userObj.DistinguishedName)'"
- }
-
- # Set user Notes (info attribute)
- if ($userObj.info -eq $notesValue) {
- Write-Log "User notes already current. No change needed."
- } else {
- Set-ADUser -Identity $currentUser -Replace @{info = $notesValue} -ErrorAction Stop
- Write-Log "SUCCESS: Set Notes on '$currentUser' to '$notesValue'"
- }
-
- } else {
- # -- ADSI fallback (no module required) --------------------------------
- $rootDSE = [ADSI]"LDAP://RootDSE"
- $domainDN = $rootDSE.defaultNamingContext
-
- $searcher = New-Object DirectoryServices.DirectorySearcher
- $searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
-
- # Find the user
- $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$currentUser))"
- $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "info"))
- $userResult = $searcher.FindOne()
-
- if (-not $userResult) {
- Write-Log "Could not find user '$currentUser' in AD." "ERROR"
- exit 1
- }
- $userDN = $userResult.Properties["distinguishedname"][0]
-
- # Find the computer
- $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$computerName$))"
- $searcher.PropertiesToLoad.Clear()
- $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "managedBy"))
- $computerResult = $searcher.FindOne()
-
- if (-not $computerResult) {
- Write-Log "Could not find computer '$computerName' in AD." "ERROR"
- exit 1
- }
-
- $computerDN = $computerResult.Properties["distinguishedname"][0]
-
- # Set computer ManagedBy
- $currentManagedBy = $null
- if ($computerResult.Properties["managedby"].Count -gt 0) {
- $currentManagedBy = $computerResult.Properties["managedby"][0]
- }
-
- if ($currentManagedBy -eq $userDN) {
- Write-Log "ManagedBy already set to $currentUser. No change needed."
- } else {
- $computerEntry = [ADSI]"LDAP://$computerDN"
- $computerEntry.Put("managedBy", $userDN)
- $computerEntry.SetInfo()
- Write-Log "SUCCESS: Set ManagedBy on '$computerName' to '$userDN'"
- }
-
- # Set user Notes (info attribute)
- $currentNotes = $null
- if ($userResult.Properties["info"].Count -gt 0) {
- $currentNotes = $userResult.Properties["info"][0]
- }
-
- if ($currentNotes -eq $notesValue) {
- Write-Log "User notes already current. No change needed."
- } else {
- $userEntry = [ADSI]"LDAP://$userDN"
- $userEntry.Put("info", $notesValue)
- $userEntry.SetInfo()
- Write-Log "SUCCESS: Set Notes on '$currentUser' to '$notesValue'"
- }
+ $userDN = $userObj.DistinguishedName
+ } catch {
+ Write-Log "Could not find user '$currentUser' in AD: $($_.Exception.Message)" "ERROR"
+ exit 1
+ }
+ try {
+ $computerObj = Get-ADComputer -Identity $computerName -Properties managedBy -ErrorAction Stop
+ $computerDN = $computerObj.DistinguishedName
+ } catch {
+ Write-Log "Could not find computer '$computerName' in AD: $($_.Exception.Message)" "ERROR"
+ }
+} else {
+ $rootDSE = [ADSI]"LDAP://RootDSE"
+ $domainDN = $rootDSE.defaultNamingContext
+
+ $searcher = New-Object DirectoryServices.DirectorySearcher
+ $searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
+
+ # Find the user
+ $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$currentUser))"
+ $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "info"))
+ $userResult = $searcher.FindOne()
+
+ if (-not $userResult) {
+ Write-Log "Could not find user '$currentUser' in AD." "ERROR"
+ exit 1
+ }
+ $userDN = $userResult.Properties["distinguishedname"][0]
+
+ # Find the computer
+ $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$computerName$))"
+ $searcher.PropertiesToLoad.Clear()
+ $searcher.PropertiesToLoad.AddRange(@("distinguishedName", "managedBy"))
+ $computerResult = $searcher.FindOne()
+
+ if (-not $computerResult) {
+ Write-Log "Could not find computer '$computerName' in AD." "ERROR"
+ } else {
+ $computerDN = $computerResult.Properties["distinguishedname"][0]
 }
-} catch {
- Write-Log "FAILED: $($_.Exception.Message)" "ERROR"
- exit 1
 }
+# -- Task 1: Set computer ManagedBy (separate try/catch) -----------------------
+if ($computerDN -and $userDN) {
+ try {
+ if ($useADModule) {
+ if ($computerObj.managedBy -eq $userDN) {
+ Write-Log "ManagedBy already set to $currentUser. No change needed."
+ } else {
+ Set-ADComputer -Identity $computerName -ManagedBy $userDN -ErrorAction Stop
+ Write-Log "SUCCESS: Set ManagedBy on '$computerName' to '$userDN'"
+ }
+ } else {
+ $currentManagedBy = $null
+ if ($computerResult.Properties["managedby"].Count -gt 0) {
+ $currentManagedBy = $computerResult.Properties["managedby"][0]
+ }
+
+ if ($currentManagedBy -eq $userDN) {
+ Write-Log "ManagedBy already set to $currentUser. No change needed."
+ } else {
+ $computerEntry = [ADSI]"LDAP://$computerDN"
+ $computerEntry.Put("managedBy", $userDN)
+ $computerEntry.SetInfo()
+ Write-Log "SUCCESS: Set ManagedBy on '$computerName' to '$userDN'"
+ }
+ }
+ } catch {
+ Write-Log "FAILED to set ManagedBy: $($_.Exception.Message)" "ERROR"
+ }
+} else {
+ Write-Log "Skipping ManagedBy - computer object not found." "WARN"
+}
+
+# -- Task 2: Set user Notes (separate try/catch) -------------------------------
+if ($userDN) {
+ try {
+ if ($useADModule) {
+ if ($userObj.info -eq $notesValue) {
+ Write-Log "User notes already current. No change needed."
+ } else {
+ Set-ADUser -Identity $currentUser -Replace @{info = $notesValue} -ErrorAction Stop
+ Write-Log "SUCCESS: Set Notes on '$currentUser' to '$notesValue'"
+ }
+ } else {
+ $currentNotes = $null
+ if ($userResult.Properties["info"].Count -gt 0) {
+ $currentNotes = $userResult.Properties["info"][0]
+ }
+
+ if ($currentNotes -eq $notesValue) {
+ Write-Log "User notes already current. No change needed."
+ } else {
+ $userEntry = [ADSI]"LDAP://$userDN"
+ $userEntry.Put("info", $notesValue)
+ $userEntry.SetInfo()
+ Write-Log "SUCCESS: Set Notes on '$currentUser' to '$notesValue'"
+ }
+ }
+ } catch {
+ Write-Log "FAILED to set Notes: $($_.Exception.Message)" "ERROR"
+ }
+}
+
+Write-Log "Script finished."
 exit 0
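Review bot: Both new catch blocks (`FAILED to set ManagedBy` and `FAILED to set Notes`) log an ERROR and then fall through to the unchanged final `exit 0`, so after this change a failed directory write is reported as success to whatever launches the script, whereas the removed single catch exited 1. Consider declaring `$hadError = $false` next to `$userDN = $null`, setting `$hadError = $true` inside each of those two catch blocks, and replacing the last line with `if ($hadError) { exit 1 } else { exit 0 }` so the log and the exit status agree. A secondary point in the ADSI branch: `$currentUser` and `$computerName` are interpolated unescaped into the DirectorySearcher filter strings; both are assigned outside this hunk, so if they can come from anything other than the local session (a parameter, for instance), the RFC 4515 filter metacharacters (`\`, `*`, `(`, `)`) should be escaped before the filter is built. The hunk runs to the script's final `exit 0`, and the variables it reads (`$useADModule`, `$currentUser`, `$computerName`, `$loginTimestamp`) are set before the hunk begins.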