I'm using a similar script for a few customers the other way around =>
it writes the user's name into the description attribute of the computer
he's logging onto. 

To limit the replication impact in AD, the script first checks if the
value needs to be updated which is not often the case, as users don't
roam much to other machines. It also check if the user is a member of
specific administrator groups (such as client admins) which won't update
the computer object either as they logon to various clients by nature of
their job.  

Realize that you'll need to grant an appopriate group (e.g.
All-Users-SiteXYZ) the rights to update the description field on
computer objects in the respective OU. This is not required when
leveraging the homepage attribute on the user object as mentioned in the
previous post, since every user has the permission to update this
attribute by default via the SELF security principal. Nevertheless, we
preferred to have this information bound to the computer object.  

Ideally you might actually want to use the "managedBy" attribute of the
respective computer object to _link_ the user to the computer => this
way you could view all computers that the user is actively logging onto
via the "managedObjects" attribute on the user account. These attributes
are linked together quite similar to the membership of a user in a
group, or to the manager and directReports attributes on a user object -
the difference here is (sadly enough), that the managedObjects attribute
is not shown in the AD User&Computers MMC that is used by many delegated
admins to manage their objects. Also, you can't add the "managedBy"
attribute in the list colums.  This left us with leveraging the
description attribute of the computer object as a good compromise. If
you have a nice webpage to display the info (or an extension in ADUC),
you should decide to use the mangedBy/managedObjects attributes.

Find the code below, if you're interested to use it. Note that this is
an old script that a few people have worked on a couple of years ago. As
such there is room for improvement... However, it's running successfully
in various large AD environments so think of it as "proven in


' Script to update the description attribute of a computer object with
the CN of the user
' who is interactively logging onto the computer. Script should be
integrated into 
' general logon script.  User requires WRITE permission on description
attribute of
' Computer object.

        Option Explicit
        Const AD_PROVIDER = "LDAP:"
        ' ------ Customize here -----
        'Const CTX_DOMAIN = "dc=child1,dc=root,dc=net"
        Const CTX_DOMAIN = "dc=mydom,dc=net"
        Dim sAdmins                                             ' List
of ADMIN groups. Members of these will not update the description
        Dim i                                                   '
Anonymous counter variable
        Dim oGrp                                                '
Reference to admin group object for membership test
        Dim oSysInfo                                    ' Reference to
AdSystemInfo object
        Dim sUserDn, sComputerDn                ' distinguished names of
current user and computer
        Dim oUserObject, oComputerObject        ' and the corresponding
object references
        Dim sUserFullName                               ' Full name /
display name of the user
        Dim bVerbose                                    ' TRUE for
detailed Log-Infos, FALSE for error logging only

        ' ------ Customize here -----
        bVerbose = FALSE
        ' Define list of groups whose direct members should be excluded
from the processing below
        sAdmins = Array("gg_Site1_AdminClient", "gg_Site1_Admins")

        ' NOTE: This only works on Windows 2000 (or later) PCs that are
member of the AD domain
        Set oSysInfo = CreateObject("ADSystemInfo")
        sUserDn = oSysInfo.UserName                     ' Get the DN of
the current user
        sComputerDn = oSysInfo.ComputerName             ' and of this
        If bVerbose Then Wscript.Echo "  Computer-Object: "& sComputerDN
        ' Get a reference of the user object
        Set oUserObject = GetObject(AD_PROVIDER & "//" & sUserDn)
        ' Avoid getting all attributes, as we only need the CN
        oUserObject.GetInfoEx Array("cn"), 0
        sUserFullName = oUserObject.Get("cn")
        ' Loop through all Admin groups and check if the user is member
of any
        i = LBound(sAdmins)
        Do While i <= UBound(sAdmins)
                Set oGrp = FindGroup(sAdmins(i))
                If Not (oGrp Is Nothing) Then
                        If oGrp.IsMember(AD_PROVIDER & "//" & sUserDn)
                                Wscript.Echo "  Skip this script as the
user " & sUserFullName & " is member of the group " & sAdmins(i)
                                WScript.Quit 0          ' Forget the
                        End If
                End If
                i = i + 1
        ' The user is NOT an administrator, proceed ...
        ' Get reference to computer object
        Set oComputerObject = GetObject(AD_PROVIDER & "//" &
        ' First retrieve and check the current value of the description
        ' We don't want to update it unless it really does change. This
avoids unnecessary replication...
        oComputerObject.GetInfoEx Array("description"), 0
        Dim sCurDescription
        sCurDescription = ""
        On Error Resume Next
        sCurDescription = oComputerObject.Get("description")
        If bVerbose Then Wscript.Echo "  Current Description: "&
        If sCurDescription <> sUserFullName Then
' It DOES need to be modified!
            If bVerbose Then Wscript.Echo "  New Description: "&
            oComputerObject.Put "description", sUserFullName    ' Ok, do
' and save it!
                ' check if attribute was udpated correctly
                oComputerObject.GetInfoEx Array("description"), 0
                sCurDescription = oComputerObject.Get("description")
                If sCurDescription <> sUserFullName Then                
                        ' Update of description attribute failed!
                        Wscript.Echo "  *** Update Failed
                        Wscript.Echo "  Could not update attribute with
new text!"
                        Wscript.Echo "  => this is likely due to missing
permissions on the computer object"
                        Wscript.Echo "  => user needs WRITE permissions
on 'description' attribute of computer object"
                End If
                If bVerbose Then Wscript.Echo "  No need to update -
        End If

' End of main script

Function FindGroup(sGroupName)
' A simple function to return a group object reference from the CN
' Important note: This assumes that all CN-s are unique. This is not
enforced by AD!!!
' In case that several objects with the same CN are defined, then only
one of them will be 
' returned, dependend on the order by which the result list is returned
from AD.
' The function uses ADO to lookup the AdsPath and get a reference
' If the group cannot be found, then NOTHING is returned

        Dim oConnect, oCommand, oRs
        Dim sFilterString
        Dim sAdsPath
        ' Create ADO connection to Active Directory
        Set oConnect = CreateObject("ADODB.Connection")
        oConnect.Provider = "ADsDSOObject"
        oConnect.Open "DS Query"
        sFilterString = "(&(objectClass=group)(cn=" & sGroupName & "))"
        Set oCommand = CreateObject("ADODB.Command")
        Set oCommand.ActiveConnection = oConnect
        oCommand.CommandText = "<" & AD_PROVIDER & "//" & CTX_DOMAIN &
">;" & sFilterString & ";aDsPath;subTree"
        Set oRs = oCommand.Execute
        If oRs.EOF AND oRs.BOF Then                     ' Check if we've
got nothing ...
                ' Release all object references
                Set oRs = Nothing
                Set oCommand = Nothing
                Set oConnect = Nothing
                Set FindGroup = Nothing
                Exit Function
        End If
        sAdsPath = oRs.Fields("adsPath").Value          ' This is what
we're working on !
        ' Release all object references
        Set oRs = Nothing
        Set oCommand = Nothing
        Set oConnect = Nothing
        Set FindGroup = GetObject(sAdsPath)

End Function

-----Original Message-----
[mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Sullivan
Sent: Freitag, 2. Dezember 2005 14:22
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting computer name from a username

Since we dont use the webpage in the user account properties, we have a
startup script that puts the username into the webpage properties.
Wherever the user has logged in from, it will enter the computer name in
the webpage box.  It changes with each login.  Let me know if you/anyone
else is interested

Mike O'Sullivan
IT Expert
College of Veterinary Medicine

>>> [EMAIL PROTECTED] 12/1/2005 4:49:39 AM >>>

Is there a way you can tell which computer a user has logged onto just
from his username?

Shane De Jager
Technical Developer

High-performance, updateable Web sites

Switchboard   +44 (0)845 456 1022

Are you aware of our referral scheme? Learn how you could profit
personally from passing us leads.

Click here to pass a referral: www.intergage.co.uk/referrals 
List info   : http://www.activedir.org/List.aspx 
List FAQ    : http://www.activedir.org/ListFAQ.aspx 
List archive:

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive:
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

Reply via email to