Set-ADUSer Property while logon script

  • #104264

    I'd like to collect information about the last logon computer name from computers in our environment by logon script.
    I've run a script for testing purposes on my DC like this:

    $computer = $env:COMPUTERNAME
    $username = $env:USERNAME
    $daterimestamp = date
    $var = $computer + ' - ' + $daterimestamp
    Set-ADUser -Identity $username -HomePage $var
    #Get-ADUser -Identity $username -Properties HomePage

    This script sets the HomePage property of the ADUser account for two purposes:
    1) I see the computer name which a user has logged on to last time successfully while opening the ADUser account properties
    2) I can retrieve this information by running the Get-ADUser cmdlet during an inventory

    I would like to run the script by GPO (user configuration – scripts – logon), but:
    1) The script must be run with administrative rights to write changes to the ADUser account
    2) The computer on which the script runs must have the ActiveDirectory module to run Get-AD* cmdlets

    If I use:

    $computer = $env:COMPUTERNAME
    $username = $env:USERNAME
    $daterimestamp = date
    $var = $computer + ' - ' + $daterimestamp
    Invoke-Command -ComputerName DC -ScriptBlock {
    Set-ADUser -Identity $username -HomePage $var}

    the script doesn't see my variable $username and tells me that parameter Identity is null.

    Could you advise me how to resolve this issue? Or maybe there is another approach to get this result!
    Thank you!

  • #104266

    In terms of this part:

    Invoke-Command -ComputerName DC -ScriptBlock {
    Set-ADUser -Identity $username -HomePage $var}

    Please see the "Remote Variables" chapter in

    In terms of security, the above still won't work in terms of a logon script. By default, ordinary users do not have permission to remote into a server, and it would be unwise to open that up.

    What you want is JEA, which is something you'd install and run on the server. JEA is Microsoft's PowerShell-based, supported means of doing exactly this. You (a) set up a new endpoint that (b) allows users to connect to it by name but (c) runs commands under an administrative account. It contains (d) only the Set-ADUser command, ideally only a proxy version of that which only allows -Identity and -HomeDir parameters. This prevents users from doing anything other than the exact command you want.

    This will take some learning on your part to set up, but it is well worth the time, as you'll be able to solve many other problems using JEA once you master it. Start at, and note that there are several PowerShell Summit tutorials on JEA, which we've recorded at
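
The JEA endpoint described in the reply above, sketched as an added example (not code from the thread or from Microsoft). It goes one step beyond the reply: the proxy function takes only a computer name and reads the account from the authenticated connection, so a user cannot write to another user's account. The names `LogonStamp`, `Set-LastLogonComputer`, `CONTOSO` and the group managed service account `svc-logonstamp` (assumed to hold delegated write access to the home page attribute only) are assumptions.

```powershell
# Run once, elevated, on the server hosting the endpoint (WMF 5.1 or later).
# Assumed names: LogonStamp, Set-LastLogonComputer, CONTOSO, svc-logonstamp.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\LogonStamp'
$logs   = Join-Path $env:ProgramData 'LogonStamp\Transcripts'
$pssc   = Join-Path $env:ProgramData 'LogonStamp\LogonStamp.pssc'
New-Item -ItemType Directory -Path "$module\RoleCapabilities", $logs -Force | Out-Null
New-Item -ItemType File -Path "$module\LogonStamp.psm1" -Force | Out-Null
New-ModuleManifest -Path "$module\LogonStamp.psd1" -RootModule 'LogonStamp.psm1'

# Proxy function: the caller supplies only a computer name (self-reported, so
# it is pattern-checked). The account to update comes from the authenticated
# connection, never from user input.
$proxy = {
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string]$ComputerName
    )
    $sam   = ($PSSenderInfo.ConnectedUser -split '\\')[-1]
    $stamp = '{0} - {1:yyyy-MM-dd HH:mm:ss}' -f $ComputerName, (Get-Date)
    ActiveDirectory\Set-ADUser -Identity $sam -HomePage $stamp
}

# Role capability: Set-ADUser itself stays hidden; only the proxy is visible.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\LogonStamp.psrc" `
    -ModulesToImport 'ActiveDirectory' `
    -VisibleFunctions 'Set-LastLogonComputer' `
    -FunctionDefinitions @{ Name = 'Set-LastLogonComputer'; ScriptBlock = $proxy }

# Session configuration: NoLanguage session, commands run as the gMSA rather
# than as the caller, and every session is transcribed for later review.
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -GroupManagedServiceAccount 'CONTOSO\svc-logonstamp' `
    -TranscriptDirectory $logs `
    -RoleDefinitions @{ 'CONTOSO\Domain Users' = @{ RoleCapabilities = 'LogonStamp' } }

# Register only if the file validates; -Force restarts WinRM without prompting.
if (Test-PSSessionConfigurationFile -Path $pssc) {
    Register-PSSessionConfiguration -Name 'LogonStamp' -Path $pssc -Force
}
```

A logon script reaches this endpoint with `Invoke-Command -ConfigurationName LogonStamp`, and needs neither the ActiveDirectory module nor administrative rights on the client. A gMSA is used here because on a domain controller a JEA virtual account is a member of Domain Admins.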
