Set-ADUSer Property while logon script

This topic contains 1 reply, has 2 voices, and was last updated by Don Jones 6 days, 4 hours ago.

  • #104264

    Oleg Fedyanin
    Participant

    Hello!
    I'd like to collect the last logon computer name from computers in our environment by means of a logon script.
    I've run a script for testing purposes on my DC like this:

    $computer = $env:COMPUTERNAME
    $username = $env:USERNAME
    $datetimestamp = Get-Date          # 'date' is an alias for Get-Date
    $var = $computer + ' - ' + $datetimestamp
    $var                               # echo the value being written
    Set-ADUser -Identity $username -HomePage $var
    #Get-ADUser -Identity $username -Properties HomePage

    This script sets the HomePage property of the AD user account for two purposes:
    1) I see the computer name on which a user last logged on successfully when opening the AD user account properties
    2) I can retrieve this information by running the Get-ADUser cmdlet during an inventory

    I would like to run the script by GPO (user configuration – scripts – logon), but:
    1) The script must be run with administrative rights to write changes to the AD user account
    2) The computer on which the script runs must have the ActiveDirectory module to run Get-AD* cmdlets

    If I use:

    $computer = $env:COMPUTERNAME
    $username = $env:USERNAME
    $datetimestamp = Get-Date
    $var = $computer + ' - ' + $datetimestamp
    $var
    # $username and $var exist only in the local session; the remote script block does not see them
    Invoke-Command -ComputerName DC -ScriptBlock {
    Set-ADUser -Identity $username -HomePage $var}

    the script doesn't see my variable $username and tells me that the Identity parameter is null.

    Could you advise me how to resolve this issue? Or maybe there is another approach to get this result!
    Thank you!

  • #104266

    Don Jones
    Keymaster

    In terms of this part:

    Invoke-Command -ComputerName DC -ScriptBlock {
    Set-ADUser -Identity $username -HomePage $var}
    

    Please see the "Remote Variables" chapter in https://leanpub.com/thebigbookofpowershellgotchas/read#leanpub-auto-remote-variables.

    In terms of security, the above still won't work in terms of a logon script. By default, ordinary users do not have permission to remote into a server, and it would be unwise to open that up.

    What you want is JEA, which is something you'd install and run on the server. JEA is Microsoft's PowerShell-based, supported means of doing exactly this. You (a) set up a new endpoint that (b) allows users to connect to it by name but (c) runs commands under an administrative account. It contains (d) only the Set-ADUser command, ideally only a proxy version of that which only allows -Identity and -HomeDir parameters. This prevents users from doing anything other than the exact command you want.

    This will take some learning on your part to set up, but it is well worth the time, as you'll be able to solve many other problems using JEA once you master it. Start at https://docs.microsoft.com/en-us/powershell/jea/overview, and note that there are several PowerShell Summit tutorials on JEA, which we've recorded at http://youtube.com/powershellorg.
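    A sketch of the JEA setup Don describes, written as an added example for this thread (it is not code from either poster or from Microsoft's docs). It goes one step further than the post: instead of exposing Set-ADUser with a restricted -Identity, the endpoint exposes a single function that takes the identity from the authenticated connection, so a caller can only ever stamp their own account. Module name LogonStamp, group CONTOSO\Domain Users, transcript path and the DC name are placeholders.

```powershell
# Run once on the DC (or another server with the ActiveDirectory module) as an administrator.
# Placeholders: module 'LogonStamp', group 'CONTOSO\Domain Users', transcript path, host 'DC'.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\LogonStamp'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'LogonStamp.psd1')

# Role capability: one function, no raw Set-ADUser visible to the caller.
# The target identity is derived from $PSSenderInfo, never from a parameter.
$setter = @{
    Name        = 'Set-LastLogonStamp'
    ScriptBlock = {
        param(
            [Parameter(Mandatory)]
            [ValidatePattern('^[A-Za-z0-9\-]{1,15}$')]   # NetBIOS computer name only
            [string]$ComputerName
        )
        # ConnectedUser is 'DOMAIN\user' of the authenticated caller; keep the sAMAccountName
        $sam   = ($PSSenderInfo.ConnectedUser -split '\\')[-1]
        $stamp = '{0} - {1}' -f $ComputerName, (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
        Set-ADUser -Identity $sam -HomePage $stamp
    }
}
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\LogonStamp.psrc') `
    -ModulesToImport 'ActiveDirectory' `
    -FunctionDefinitions $setter

# Session configuration: the caller connects as themselves, the command runs as the virtual account,
# every session is transcribed. On a DC the virtual account is effectively a domain admin, so keep the
# role this narrow; a gMSA with delegated write access to the attribute is the least-privilege option.
New-PSSessionConfigurationFile -Path "$env:TEMP\LogonStamp.pssc" `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEA\Transcripts' `
    -RoleDefinitions @{ 'CONTOSO\Domain Users' = @{ RoleCapabilities = 'LogonStamp' } }
Register-PSSessionConfiguration -Name 'LogonStamp' -Path "$env:TEMP\LogonStamp.pssc" -Force

# Logon script on the client: no admin rights and no AD module needed; $using: passes the
# local value into the remote script block (the "Remote Variables" gotcha from Don's reply).
$computer = $env:COMPUTERNAME
Invoke-Command -ComputerName DC -ConfigurationName LogonStamp -ScriptBlock {
    Set-LastLogonStamp -ComputerName $using:computer
}
```

    Users still need the "Access this computer from the network" right and WinRM reachability to the DC; the session configuration's ACL, not the user's group membership alone, decides who may connect.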
