# ad-managed-by-logon

PowerShell logon script that automatically sets the Active Directory computer object's **"Managed By"** attribute to the currently logged-in user. This gives you a quick way to see who last logged into any machine by checking the Managed By tab in AD Users & Computers.

## How It Works

1. User logs in → GPO fires the logon script
2. Script finds the **user's DN** and the **computer's DN** in AD
3. Sets the computer's `managedBy` attribute to the user's DN
4. Skips the write if it's already correct (no unnecessary AD writes)
5. Skips entirely for local (non-domain) logins

The script tries the **ActiveDirectory PowerShell module** first. If RSAT isn't installed on the client, it falls back to **ADSI/DirectorySearcher**, which requires no modules at all.

## Prerequisites

### 1. Delegate AD Permissions

By default, regular users can't write to computer objects. You need to delegate the `managedBy` attribute on the OU(s) containing your computer accounts.

**Steps (AD Users & Computers):**

1. Right-click the **OU** containing your computer objects → **Delegate Control**
2. Click **Next**, then **Add** → select **Authenticated Users** (or a specific group) → **OK**
3. Select **Create a custom task to delegate** → **Next**
4. Choose **Only the following objects in the folder** → tick **Computer objects** → **Next**
5. Tick **Property-specific**, then scroll down and tick:
   - **Write Managed By**
6. **Next** → **Finish**

Repeat for each OU containing computers you want tracked.

### 2. (Optional) RSAT on Clients

The script works without RSAT via the ADSI fallback. If you want the cleaner AD module path, install RSAT:

```powershell
# Windows 10/11
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
```

## Deployment via GPO

1. Copy `Set-ComputerManagedBy.ps1` to your **NETLOGON** share (or a SYSVOL subfolder):

   ```
   \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1
   ```

2. Open **Group Policy Management**, then create or edit a GPO linked to the OU(s) containing your users.
3. Navigate to:

   ```
   User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) → Logon
   ```

4. Click **Show Files** (optional, to confirm the path), then **Add**:
   - **Script Name:** `\\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1`
   - **Parameters:** *(leave blank)*
5. If you are using the newer GPO editor, you can add the script on the **PowerShell Scripts** tab instead, if preferred.
6. Run `gpupdate /force` on a test machine and log in to verify.

## Logging

The script logs to `%TEMP%\Set-ComputerManagedBy.log` on each client. The log auto-rotates at 256 KB. Check this file to troubleshoot permission or lookup issues.

## Verifying It Works

After a user logs in:

1. Open **AD Users & Computers**
2. Find the computer object → **Properties** → **Managed By** tab
3. You should see the last logged-in user's name and details

Alternatively, in PowerShell:

```powershell
Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy
```
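The ADSI/DirectorySearcher fallback described under "How It Works", written out as an added example. This is not the project's `Set-ComputerManagedBy.ps1`; the function name `Set-ManagedByViaAdsi` is assumed, and it relies only on the standard `USERNAME`, `USERDOMAIN`, `USERDNSDOMAIN` and `COMPUTERNAME` environment variables, so it runs with no RSAT installed.

```powershell
# Added example (not the project's script): resolve the user and computer DNs with
# DirectorySearcher, then write managedBy only when it differs from the current value.
function Set-ManagedByViaAdsi {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Local (non-domain) logon: USERDOMAIN equals the machine name and USERDNSDOMAIN is unset.
    if (-not $env:USERDNSDOMAIN -or $env:USERDOMAIN -eq $env:COMPUTERNAME) {
        Write-Verbose 'Local logon detected; nothing to do.'
        return
    }

    # Search the whole default naming context of the domain the machine is joined to.
    $defaultNC = ([ADSI]'LDAP://RootDSE').defaultNamingContext
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'managedBy'))

    # Escape LDAP filter metacharacters (RFC 4515) so a name containing ( ) * \ or NUL
    # is matched literally instead of altering the query. Backslash must go first.
    $escape = { param($s) $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00' }

    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$(& $escape $env:USERNAME)))"
    $user = $searcher.FindOne()
    if (-not $user) { throw "User '$env:USERNAME' not found under $defaultNC" }
    $userDn = [string]$user.Properties['distinguishedname'][0]

    # Computer accounts have a trailing '$' on their sAMAccountName.
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$(& $escape ($env:COMPUTERNAME + '$'))))"
    $computer = $searcher.FindOne()
    if (-not $computer) { throw "Computer '$env:COMPUTERNAME' not found under $defaultNC" }

    # Skip the write when managedBy already points at this user (step 4 of "How It Works").
    $current = if ($computer.Properties.Contains('managedby')) { [string]$computer.Properties['managedby'][0] } else { '' }
    if ($current -eq $userDn) {
        Write-Verbose "managedBy already set to $userDn; skipping write."
        return
    }

    $entry = $computer.GetDirectoryEntry()
    if ($PSCmdlet.ShouldProcess($entry.distinguishedName, "Set managedBy to $userDn")) {
        $entry.Put('managedBy', $userDn)
        # SetInfo() commits to AD; it throws an access-denied error if the "Write Managed By"
        # delegation from the Prerequisites section is missing on this computer's OU.
        $entry.SetInfo()
    }
}

Set-ManagedByViaAdsi -Verbose
```

Run it with `-WhatIf` first on a test machine to confirm the two lookups succeed before any write is attempted.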