ad-managed-by-logon
PowerShell logon script that automatically links users and computers in Active Directory at each login:
- Sets the computer's "Managed By" tab to the logged-in user
- Sets the user's "Notes" field (Telephones tab) to the computer name and login timestamp
This gives you a two-way lookup: find who last used a machine from the computer object, or find which machine a user last logged into from the user object.
How It Works
- User logs in → GPO fires the logon script
- Script finds the user's DN and the computer's DN in AD
- Sets the computer's managedBy attribute → user's DN
- Sets the user's info attribute → Last logon: COMPUTERNAME (2026-04-21 09:15)
- Skips writes if values are already correct (no unnecessary AD replication)
- Skips entirely for local (non-domain) logins
The script tries the ActiveDirectory PowerShell module first. If RSAT isn't installed on the client, it falls back to ADSI/DirectorySearcher which requires no modules at all.
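As an added illustration (not the repository's own Set-ComputerManagedBy.ps1), this is the ADSI/DirectorySearcher fallback path described above: locate both DNs, write managedBy and info only when they differ, and do nothing on local logins. The helper name Find-AdEntry and the USERDOMAIN-based local-login check are assumptions, not the project's code.

```powershell
# Added example, not the project's script: module-free ADSI path for the logon flow above.
# Runs under the logged-in user's credentials, which is why "Write Managed By" must be delegated.

# Skip entirely for local (non-domain) logins: USERDOMAIN equals the machine name then.
# (Assumed check; the project's own local-login detection may differ.)
if ($env:USERDOMAIN -ieq $env:COMPUTERNAME -or -not $env:USERDNSDOMAIN) {
    Write-Host "Local login detected; nothing to do."
    return
}

function Find-AdEntry {
    # Returns the [ADSI] DirectoryEntry for the first object matching $Filter in the
    # current domain, or $null. [ADSISearcher] needs no RSAT module.
    param([string]$Filter)
    $searcher = [ADSISearcher]$Filter
    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }
    return $result.GetDirectoryEntry()
}

# Computer accounts have a trailing "$" in sAMAccountName; `$ keeps it literal in the string.
$userEntry     = Find-AdEntry "(&(objectCategory=person)(sAMAccountName=$env:USERNAME))"
$computerEntry = Find-AdEntry "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
if (-not $userEntry -or -not $computerEntry) {
    Write-Warning 'User or computer object not found; check the log in %TEMP%.'
    return
}

$userDn = [string]$userEntry.distinguishedName

# Write managedBy only when it differs, so a repeat logon by the same user causes no replication.
if ([string]$computerEntry.managedBy -ne $userDn) {
    $computerEntry.Put('managedBy', $userDn)
    $computerEntry.SetInfo()
}

# Update the user's Notes field (the "info" attribute) in the README's format. Because the
# value carries a timestamp, the skip-if-equal check only dedupes logons within the same minute.
$note = "Last logon: $env:COMPUTERNAME ($(Get-Date -Format 'yyyy-MM-dd HH:mm'))"
if ([string]$userEntry.info -ne $note) {
    $userEntry.Put('info', $note)
    $userEntry.SetInfo()
}
```

If the managedBy write fails with an access-denied error, the delegation step below has not reached the OU that holds this computer object.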
What You'll See in ADUC
Computer object → Managed By tab: Shows the last user who logged in.
User object → Telephones tab → Notes field: Shows Last logon: PC-LAB-01 (2026-04-21 09:15)
Prerequisites
1. Delegate AD Permissions (Computer Objects)
By default, regular users can't write to computer objects. You need to delegate the managedBy attribute on the OU(s) containing your computer accounts.
Steps (AD Users & Computers):
- Right-click the OU containing your computer objects → Delegate Control
- Click Next, then Add → select Authenticated Users (or a specific group) → OK
- Select Create a custom task to delegate → Next
- Choose Only the following objects in the folder → tick Computer objects → Next
- Tick Property-specific, then scroll down and tick:
- Write Managed By
- Next → Finish
Repeat for each OU containing computers you want tracked.
2. User Notes Field (No Delegation Needed)
Users can write their own info attribute by default in AD — it's part of the "Personal Information" property set. No extra delegation is required for this.
3. (Optional) RSAT on Clients
The script works without RSAT via the ADSI fallback. If you want the cleaner AD module path, install RSAT:
# Windows 10/11
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
Deployment via GPO
- Copy Set-ComputerManagedBy.ps1 to your NETLOGON share (or a SYSVOL subfolder): \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1
- Open Group Policy Management, create or edit a GPO linked to the OU(s) with your users.
- Navigate to: User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) → Logon
- Click Show Files (optional, to confirm the path), then Add:
  - Script Name: \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1
  - Parameters: (leave blank)
- Move to the PowerShell Scripts tab if using the newer GPO editor, and add it there instead if preferred.
- Run gpupdate /force on a test machine and log in to verify.
Logging
The script logs to %TEMP%\Set-ComputerManagedBy.log on each client. The log auto-rotates at 256 KB. Check this file to troubleshoot permission or lookup issues.
Verifying It Works
After a user logs in, check both sides:
Computer side:
Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy
User side:
Get-ADUser USERNAME -Properties info | Select-Object Name, info
Or visually in ADUC: Computer → Managed By tab, and User → Telephones tab → Notes.