jessikitty/ad-managed-by-logon
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7f23edc31e276beee4d523d5ba23479f581aeef4
ad-managed-by-logon/README.md
T

3.0 KiB
Raw Blame History

ad-managed-by-logon

PowerShell logon script that automatically sets the Active Directory computer object's "Managed By" attribute to the currently logged-in user. This gives you a quick way to see who last logged into any machine by checking the Managed By tab in AD Users & Computers.

How It Works

  1. User logs in → GPO fires the logon script
  2. Script finds the user's DN and the computer's DN in AD
  3. Sets the computer's managedBy attribute to the user's DN
  4. Skips the write if it's already correct (no unnecessary AD writes)
  5. Skips entirely for local (non-domain) logins

The script tries the ActiveDirectory PowerShell module first. If RSAT isn't installed on the client, it falls back to ADSI/DirectorySearcher which requires no modules at all.

Prerequisites

1. Delegate AD Permissions

By default, regular users can't write to computer objects. You need to delegate the managedBy attribute on the OU(s) containing your computer accounts.

Steps (AD Users & Computers):

  1. Right-click the OU containing your computer objects → Delegate Control
  2. Click Next, then Add → select Authenticated Users (or a specific group) → OK
  3. Select Create a custom task to delegateNext
  4. Choose Only the following objects in the folder → tick Computer objectsNext
  5. Tick Property-specific, then scroll down and tick:
    • Write Managed By
  6. NextFinish

Repeat for each OU containing computers you want tracked.

2. (Optional) RSAT on Clients

The script works without RSAT via the ADSI fallback. If you want the cleaner AD module path, install RSAT:

# Windows 10/11
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Deployment via GPO

  1. Copy Set-ComputerManagedBy.ps1 to your NETLOGON share (or a SYSVOL subfolder):

    \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1

  2. Open Group Policy Management, create or edit a GPO linked to the OU(s) with your users.

  3. Navigate to:

    User Configuration → Policies → Windows Settings → Scripts (Logon/Logoff) → Logon

  4. Click Show Files (optional, to confirm the path), then Add:

    • Script Name: \\domain.local\NETLOGON\Scripts\Set-ComputerManagedBy.ps1
    • Parameters: (leave blank)

  5. Move to the PowerShell Scripts tab if using the newer GPO editor, and add it there instead if preferred.

  6. Run gpupdate /force on a test machine and log in to verify.

Logging

The script logs to %TEMP%\Set-ComputerManagedBy.log on each client. The log auto-rotates at 256 KB. Check this file to troubleshoot permission or lookup issues.

Verifying It Works

After a user logs in:

  1. Open AD Users & Computers
  2. Find the computer object → PropertiesManaged By tab
  3. You should see the last logged-in user's name and details

Alternatively, in PowerShell:

Get-ADComputer COMPUTERNAME -Properties managedBy | Select-Object Name, managedBy
Reference in New Issue View Git Blame Copy Permalink