ad-managed-by-logon/README.md

# ad-managed-by-logon

PowerShell logon script that automatically links users and computers in Active Directory at each login:

- Sets the **computer's "Managed By"** tab to the logged-in user
- Sets the **user's "Notes"** field (Telephones tab) to the computer name and login timestamp

This gives you a two-way lookup: find who last used a machine from the computer object, or find which machine a user last logged into from the user object.

## How It Works

1. User logs in → GPO fires the logon script
2. Script finds the **user's DN** and the **computer's DN** in AD
3. Sets the computer's `managedBy` attribute → user's DN
4. Sets the user's `info` attribute → `Last logon: COMPUTERNAME (2026-04-21 09:15)`
5. Skips writes if values are already correct (no unnecessary AD replication)
6. Skips entirely for local (non-domain) logins

The script tries the **ActiveDirectory PowerShell module** first. If RSAT isn't installed on the client, it falls back to **ADSI/DirectorySearcher** which requires no modules at all.

## What You'll See in ADUC

**Computer object → Managed By tab:** Shows the last user who logged in.

**User object → Telephones tab → Notes field:** Shows `Last logon: PC-LAB-01 (2026-04-21 09:15)`

## Prerequisites

### 1. Delegate AD Permissions (Computer Objects)

By default, regular users can't write to computer objects. You need to delegate the `managedBy` attribute on the OU(s) containing your computer accounts.

**Steps (AD Users & Computers):**

1. Right-click the **OU** containing your computer objects → **Delegate Control**
2. Click **Next**, then **Add** → select **Authenticated Users** (or a specific group) → **OK**
3. Select **Create a custom task to delegate** → **Next**
4. Choose **Only the following objects in the folder** → tick **Computer objects** → **Next**
5. Tick **Property-specific**, then scroll down and tick:
   - **Write Managed By**
6. **Next** → **Finish**

Repeat for each OU containing computers you want tracked.

### 2. User Notes Field (No Delegation Needed)

Users can write their own `info` attribute by default in AD — it's part of the "Personal Information" property set. No extra delegation is required for this.

### 3. (Optional) RSAT on Clients

The script works without RSAT via the ADSI fallback. If you want the cleaner AD module path, install RSAT:

```powershell
# Windows 10/11
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
```

## Deployment via GPO

1. Copy `Set-ComputerManagedBy.ps1` to your **NETLOGON** share (or a SYSVOL subfolder):
   ```
   \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1
   ```

2. Open **Group Policy Management**, create or edit a GPO linked to the OU(s) with your users.

3. Navigate to:
   ```
   User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) → Logon
   ```

4. Click **Show Files** (optional, to confirm the path), then **Add**:
   - **Script Name:** `\\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1`
   - **Parameters:** *(leave blank)*

5. Move to the **PowerShell Scripts** tab if using the newer GPO editor, and add it there instead if preferred.

6. Run `gpupdate /force` on a test machine and log in to verify.

## Logging

The script logs to `%TEMP%\Set-ComputerManagedBy.log` on each client. The log auto-rotates at 256 KB. Check this file to troubleshoot permission or lookup issues.

## Verifying It Works

After a user logs in, check both sides:

**Computer side:**
```powershell
Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy
```

**User side:**
```powershell
Get-ADUser USERNAME -Properties info | Select-Object Name, info
```

Or visually in ADUC: Computer → Managed By tab, and User → Telephones tab → Notes.