# ad-managed-by-logon

PowerShell logon script that automatically links users and computers in Active Directory at each login:

- Sets the **computer's "Managed By"** tab to the logged-in user
- Sets the **user's "Notes"** field (Telephones tab) to the computer name and login timestamp

This gives you a two-way lookup: find who last used a machine from the computer object, or find which machine a user last logged into from the user object.

## How It Works

1. User logs in → GPO fires the logon script
2. Script finds the **user's DN** and the **computer's DN** in AD
3. Sets the computer's `managedBy` attribute → user's DN
4. Sets the user's `info` attribute → `Last logon: COMPUTERNAME (2026-04-21 09:15)`
5. Skips writes if values are already correct (no unnecessary AD replication)
6. Skips entirely for local (non-domain) logins

The script tries the **ActiveDirectory PowerShell module** first. If RSAT isn't installed on the client, it falls back to **ADSI/DirectorySearcher**, which requires no modules at all.

Both writes happen under the logged-in user's own token, so the values are self-reported: anyone granted write access to `managedBy` can point it at any DN, and a user can always rewrite their own `info`. Treat the result as a convenience lookup, not as an audit trail. Step 4 also replaces the whole Notes field, so anything already stored there is overwritten.

## What You'll See in ADUC

**Computer object → Managed By tab:** Shows the last user who logged in.

**User object → Telephones tab → Notes field:** Shows `Last logon: PC-LAB-01 (2026-04-21 09:15)`

## Prerequisites

### 1. Delegate AD Permissions (Computer Objects)

By default, regular users can't write to computer objects. You need to delegate write access to the `managedBy` attribute on the OU(s) containing your computer accounts.

**Steps (AD Users & Computers):**

1. Right-click the **OU** containing your computer objects → **Delegate Control**
2. Click **Next**, then **Add** → select **Authenticated Users** (or a specific group) → **OK**
3. Select **Create a custom task to delegate** → **Next**
4. Choose **Only the following objects in the folder** → tick **Computer objects** → **Next**
5. Tick **Property-specific**, then scroll down and tick:
   - **Write Managed By**
6. **Next** → **Finish**

Repeat for each OU containing computers you want tracked. Granting this to **Authenticated Users** lets every domain user (and every computer account) rewrite `managedBy` on those machines; use a dedicated group if that is wider than you want.
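The logon flow described under **How It Works**, as an added example that is not the project's `Set-ComputerManagedBy.ps1`. It shows only the ADSI/DirectorySearcher path (no RSAT needed), runs in the logged-in user's session, and writes to the `%TEMP%` log with the 256 KB rotation the Logging section describes. The `managedBy` write succeeds only where step 1 above has been delegated; the log path, log format and the `Find-AdsiObject` helper name are this example's own choices.

```powershell
# Added example, not the project's Set-ComputerManagedBy.ps1: the logon flow
# from "How It Works", using only ADSI/DirectorySearcher (no RSAT needed).
# Runs in the logged-in user's session; the managedBy write only succeeds if
# "Write Managed By" was delegated on the computer's OU (Prerequisite 1).

$logPath = Join-Path $env:TEMP 'Set-ComputerManagedBy.log'
function Write-Log([string]$Message) {
    # Rotate once the log passes 256 KB so it cannot grow without bound.
    if ((Test-Path $logPath) -and (Get-Item $logPath).Length -gt 256KB) {
        Move-Item $logPath "$logPath.old" -Force
    }
    Add-Content -Path $logPath -Value "$(Get-Date -Format s) $Message"
}

# Step 6: a local (non-domain) logon sets no USERDNSDOMAIN, or USERDOMAIN equals
# the machine name. There is nothing to link in AD in that case.
if (-not $env:USERDNSDOMAIN -or $env:USERDOMAIN -eq $env:COMPUTERNAME) {
    Write-Log 'Local logon, skipping.'
    return
}

# Find one object by sAMAccountName under the domain root and return a
# DirectoryEntry bound with the current user's token (helper name is ours).
function Find-AdsiObject([string]$SamAccountName, [string]$Category) {
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($root.defaultNamingContext)"
    # The name comes from the environment; escape LDAP filter metacharacters anyway.
    $safe = $SamAccountName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    $searcher.Filter = "(&(objectCategory=$Category)(sAMAccountName=$safe))"
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No $Category with sAMAccountName '$SamAccountName'" }
    return $hit.GetDirectoryEntry()
}

try {
    # Step 2: resolve both sides of the link.
    $user     = Find-AdsiObject -SamAccountName $env:USERNAME -Category 'person'
    $computer = Find-AdsiObject -SamAccountName ($env:COMPUTERNAME + '$') -Category 'computer'
    $userDn   = [string]$user.distinguishedName

    # Steps 3 and 5: write managedBy only if it does not already point at this user.
    if ([string]$computer.managedBy -ne $userDn) {
        $computer.Put('managedBy', $userDn)
        $computer.SetInfo()
        Write-Log "managedBy on $env:COMPUTERNAME set to $userDn"
    }

    # Steps 4 and 5: the Notes value carries a timestamp, so it normally changes;
    # the comparison still avoids a write on a repeat logon within the same minute.
    $note = "Last logon: $env:COMPUTERNAME ($(Get-Date -Format 'yyyy-MM-dd HH:mm'))"
    if ([string]$user.info -ne $note) {
        $user.Put('info', $note)   # replaces the whole Notes field
        $user.SetInfo()
        Write-Log "info on $env:USERNAME set to '$note'"
    }
}
catch {
    # Typical causes: delegation missing on the computer OU, or no reachable DC.
    Write-Log "ERROR: $($_.Exception.Message)"
}
```

A failed `SetInfo()` on the computer object (access denied) is the usual symptom of a missed OU in step 1; the user-side write still goes through because it relies only on the default SELF permissions.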
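The same delegation as the wizard steps in Prerequisite 1, done in PowerShell so it can be scripted for many OUs and reviewed afterwards. This is an added example, not part of the project; it needs the ActiveDirectory module on an admin workstation and an account that may modify the OU's security descriptor. The OU DN and the optional group name are placeholders.

```powershell
# Added example, not part of the project: the Prerequisite 1 delegation done
# in PowerShell instead of the Delegate Control wizard.
Import-Module ActiveDirectory

$ouDn = 'OU=Workstations,DC=domain,DC=local'                              # placeholder OU
$who  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11' # Authenticated Users
# Prefer a group if only some users should be able to write managedBy:
# $who = (Get-ADGroup 'Tracked-Users').SID                                # placeholder group

# Look the two GUIDs up in the schema instead of hard-coding them.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$managedByGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=managedBy)' -Properties schemaIDGUID).schemaIDGUID
$computerGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)'  -Properties schemaIDGUID).schemaIDGUID

# One ACE: Allow WriteProperty on managedBy, inherited only by computer objects
# below the OU. This is what the wizard builds from "Only the following objects
# in the folder: Computer objects" plus "Property-specific: Write Managed By".
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $who,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $managedByGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: the ACE is now on the OU and shows as inherited on every computer below it.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.ObjectType -eq $managedByGuid -and $_.InheritedObjectType -eq $computerGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Because the ACE is scoped to a single attribute GUID and to the computer object class, it grants nothing on users, groups or other attributes of the computer; the final `Get-Acl` is the quickest way to confirm that after a wizard run as well.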
### 2. User Notes Field (No Delegation Needed)

Users can write their own `info` attribute by default in AD: it belongs to the **Personal Information** property set, on which SELF has write access for user objects. No extra delegation is required for this.

### 3. (Optional) RSAT on Clients

The script works without RSAT via the ADSI fallback. If you want the cleaner AD module path, install RSAT:

```powershell
# Windows 10/11
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
```

## Deployment via GPO

1. Copy `Set-ComputerManagedBy.ps1` to your **NETLOGON** share (or a SYSVOL subfolder):
   ```
   \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1
   ```
   Every user will execute this file at logon, so confirm that only administrators can write to it.
2. Open **Group Policy Management**, create or edit a GPO linked to the OU(s) with your users.
3. Navigate to:
   ```
   User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) → Logon
   ```
4. Switch to the **PowerShell Scripts** tab. (A `.ps1` added on the plain **Scripts** tab is launched through the file association rather than by PowerShell and will not run as intended.) Click **Show Files** (optional, to confirm the path), then **Add**:
   - **Script Name:** `\\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1`
   - **Parameters:** *(leave blank)*
5. Run `gpupdate /force` on a test machine and log in to verify.

## Logging

The script logs to `%TEMP%\Set-ComputerManagedBy.log` on each client. The log auto-rotates at 256 KB. Check this file to troubleshoot permission or lookup issues.

## Verifying It Works

After a user logs in, check both sides:

**Computer side:**

```powershell
Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy
```

**User side:**

```powershell
Get-ADUser USERNAME -Properties info | Select-Object Name, info
```

Or visually in ADUC: Computer → Managed By tab, and User → Telephones tab → Notes.
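Going one step beyond the two commands above, the following added example (not part of the project) resolves each side of the link to a readable name and checks that the two halves agree: the machine named in the user's Notes should still list that user as Managed By, otherwise someone else has logged in there since or the field was edited by hand. It assumes the ActiveDirectory module on an admin workstation; the function names and the user and computer names at the bottom are placeholders.

```powershell
# Added example, not part of the project: a two-way consistency check of the
# managedBy / info link using the ActiveDirectory module.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # DNs can contain ( ) \ which are LDAP filter metacharacters.
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

# Computer side: who last logged in here? managedBy holds a DN, so resolve it.
function Get-LastLogonUser([string]$ComputerName) {
    $c = Get-ADComputer -Identity $ComputerName -Properties managedBy
    if ($c.managedBy) { (Get-ADUser -Identity $c.managedBy).SamAccountName } else { $null }
}

# User side: which machine does the Notes field name, and does that machine
# still list this user as Managed By?
function Get-LastLogonMachine([string]$SamAccountName) {
    $u        = Get-ADUser -Identity $SamAccountName -Properties info
    $dnFilter = ConvertTo-LdapFilterValue $u.DistinguishedName
    $managed  = @(Get-ADComputer -LDAPFilter "(managedBy=$dnFilter)")

    # Parse the "Last logon: PC-LAB-01 (2026-04-21 09:15)" format the script writes.
    $pc = $null; $at = $null
    if ($u.info -match '^Last logon: (?<pc>\S+) \((?<at>[^)]+)\)$') {
        $pc = $Matches.pc; $at = $Matches.at
    }

    [pscustomobject]@{
        User             = $u.SamAccountName
        NotesComputer    = $pc
        NotesTimestamp   = $at
        ManagedComputers = ($managed.Name -join ', ')
        # False: another user has taken the machine over since, or Notes was
        # edited by hand, so the two halves of the link no longer agree.
        Consistent       = [bool]($pc -and ($managed.Name -contains $pc))
    }
}

Get-LastLogonUser    -ComputerName 'PC-LAB-01'   # placeholder
Get-LastLogonMachine -SamAccountName 'jdoe'      # placeholder
```

`ManagedComputers` can list several machines for one user, because `managedBy` on a computer is only changed by the next logon on that machine; the Notes field always names the most recent one.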