Adding current logged on user to Managed By attribute of computer

This topic contains 3 replies, has 2 voices, and was last updated by Bojan Zivkovic 3 years ago.

  • #14549
    Bojan Zivkovic
    Participant

    Hi, I am in the process of learning PowerShell, which impresses me more and more as days go by. My task is to automatically add the currently logged-on user to the Managed By attribute of the computer object, in Active Directory, for the computer where the user is currently logged on. For sure, this can be done with a PS script, triggered via GPO as a logon or logoff script. Obviously users have to be given the right to read/write the Managed By attribute of the computer object in AD. I have found the .vbs script below, but I want to use strictly a PowerShell script.

    How to solve this task?

    ' ADSystemInfo exposes the DNs of this computer and of the logged-on user
    Set objSysInfo = CreateObject("ADSystemInfo")

    On Error Resume Next
    ' Bind to this computer's AD object by its distinguished name
    Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

    ' Put the user's DN into managedBy and commit the change to the directory
    objComputer.Put "managedBy", objSysInfo.Username
    objComputer.SetInfo

  • #14606
    Bojan Zivkovic
    Participant

    I have to be patient; after some time the Managed By attribute was populated with the logged-on user's DN. Great!!!

  • #14570
    Dave Wyatt
    Moderator

    There are a couple of ways you could convert that to PowerShell. You could continue to use the ADSystemInfo COM object, which is possible, but kind of a pain. That would look like this:

    # ADSystemInfo only exposes its members through IDispatch, so they are read via reflection
    $sysInfo = New-Object -ComObject ADSystemInfo
    $flags = [System.Reflection.BindingFlags]::GetProperty

    # Distinguished names of the logged-on user and of this computer
    $userDN = $sysInfo.GetType().InvokeMember('UserName', $flags, $null, $sysInfo, $null, $null)
    $computerDN = $sysInfo.GetType().InvokeMember('ComputerName', $flags, $null, $sysInfo, $null, $null)

    At which point you have your two Distinguished Names in variables, and you can update the managedBy field in AD using whatever PowerShell method you prefer (AD cmdlets, Quest AD cmdlets, ADSI, whatever.)

    Alternatively, you could identify the user and computer in other ways. This approach should work in a single-domain scenario, but I'm not sure if you'd run into trouble if multiple domains are involved. This example assumes the use of the Microsoft AD cmdlets:

    # SID of the account running the script; the SID is unambiguous, unlike a bare account name
    $mySid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

    # Resolve the SID to the user object, then set it as this computer's managedBy
    $userAccount = Get-ADUser -Identity $mySid.Value
    Set-ADComputer -Identity $env:COMPUTERNAME -ManagedBy $userAccount

    Edit: If for some reason Set-ADComputer can't find the computer account based on $env:COMPUTERNAME alone (which shouldn't be a problem, as far as I know), you can check Win32_ComputerSystem for your domain name and send that along to the -Server parameter of Set-ADComputer.

  • #14605
    Bojan Zivkovic
    Participant

    I used this PowerShell script:

    # Search the default naming context for this computer's object
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(ObjectClass=computer)(Name=$env:computername))"
    $find = $searcher.FindOne()
    $thispc = $find.GetDirectoryEntry()

    # Find the logged-on user's object by sAMAccountName
    $searcher.Filter = "(&(ObjectClass=user)(samAccountName=$env:username))"
    $find = $searcher.FindOne()
    $me = $find.GetDirectoryEntry()

    # Write the user's DN into managedBy and commit the change
    $thispc.InvokeSet("ManagedBy", $($me.DistinguishedName))
    $thispc.SetInfo()

    It works when I execute the script locally on Windows 8.1 using PowerShell ISE: the Managed By attribute of that computer is populated with the DN of the logged-on user. But nothing happens when the user logs on; gpresult /r shows that the GPO is applied, but the Managed By attribute stays empty. I used the script as a logon script deployed using GPO.
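As an added example that was not posted in this thread, the following logon script combines Dave Wyatt's SID-based lookup with the -Server fallback from his edit, skips the write when managedBy is already correct, and logs every step to a file, which is the trace Bojan's silent GPO run was missing. It assumes the RSAT ActiveDirectory module is installed on the client; the log path and file name are arbitrary choices.

```powershell
# Added example, not code from the thread. Logon script that resolves the current user
# by SID, targets the computer's own domain explicitly, and writes a per-user log so a
# failure under GPO (where nothing is shown on screen) can be diagnosed afterwards.
# The only AD right this needs is write access to the managedBy attribute of computer
# objects; delegate that attribute alone rather than broader write permissions.
$log = Join-Path $env:LOCALAPPDATA 'ManagedByLogon.log'   # assumption: a path the user can write to
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $log
}

try {
    Import-Module ActiveDirectory -ErrorAction Stop

    # SID of the interactive user running this script; unambiguous across name formats
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $user = Get-ADUser -Identity $sid -ErrorAction Stop
    Write-Log "User resolved: $($user.DistinguishedName)"

    # Ask the machine which domain it belongs to and query that domain explicitly,
    # so a user logging on from another domain still updates the right computer object
    $domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Server $domain -Properties ManagedBy -ErrorAction Stop
    Write-Log "Computer resolved: $($computer.DistinguishedName); current managedBy: $($computer.ManagedBy)"

    # Only write when the value changes, to avoid needless replication and audit noise
    if ($computer.ManagedBy -eq $user.DistinguishedName) {
        Write-Log 'managedBy already correct, nothing to do.'
    }
    else {
        Set-ADComputer -Identity $computer -ManagedBy $user.DistinguishedName -Server $domain -ErrorAction Stop
        Write-Log 'managedBy updated.'
    }
}
catch {
    # Typical causes under GPO: module missing on the client, or the user lacks
    # write permission on managedBy for this particular computer object
    Write-Log "FAILED: $($_.Exception.Message)"
}
```

After a logon, the last lines of ManagedByLogon.log in the user's profile show whether the user and computer were resolved and whether the write was attempted, which separates a permission problem from a script that never ran.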
