I'm using a similar script for a few customers the other way around =>
it writes the user's name into the description attribute of the computer
he's logging onto. 

To limit the replication impact in AD, the script first checks if the
value needs to be updated, which is not often the case, as users don't
roam much to other machines. It also checks if the user is a member of
specific administrator groups (such as client admins), which won't update
the computer object either as they log on to various clients by nature of
their job.

Realize that you'll need to grant an appropriate group (e.g.
All-Users-SiteXYZ) the rights to update the description field on
computer objects in the respective OU. This is not required when
leveraging the homepage attribute on the user object as mentioned in the
previous post, since every user has the permission to update this
attribute by default via the SELF security principal. Nevertheless, we
preferred to have this information bound to the computer object.  

Ideally you might actually want to use the "managedBy" attribute of the
respective computer object to _link_ the user to the computer => this
way you could view all computers that the user is actively logging onto
via the "managedObjects" attribute on the user account. These attributes
are linked together quite similar to the membership of a user in a
group, or to the manager and directReports attributes on a user object -
the difference here is (sadly enough), that the managedObjects attribute
is not shown in the AD User&Computers MMC that is used by many delegated
admins to manage their objects. Also, you can't add the "managedBy"
attribute in the list columns. This left us with leveraging the
description attribute of the computer object as a good compromise. If
you have a nice webpage to display the info (or an extension in ADUC),
you should decide to use the managedBy/managedObjects attributes.

Find the code below, if you're interested to use it. Note that this is
an old script that a few people have worked on a couple of years ago. As
such there is room for improvement... However, it's running successfully
in various large AD environments so think of it as "proven in
production".

/Guido


' Script to update the description attribute of a computer object with the CN
' of the user who is interactively logging onto the computer. Script should be
' integrated into the general logon script. User requires WRITE permission on
' the description attribute of the computer object.

        Option Explicit

        Const AD_PROVIDER = "LDAP:"

        ' ------ Customize here -----
        'Const CTX_DOMAIN = "dc=child1,dc=root,dc=net"
        Const CTX_DOMAIN = "dc=mydom,dc=net"

        Dim sAdmins                             ' List of ADMIN groups. Members of these will not update the description attribute
        Dim i                                   ' Anonymous counter variable
        Dim oGrp                                ' Reference to admin group object for membership test
        Dim oSysInfo                            ' Reference to ADSystemInfo object
        Dim sUserDn, sComputerDn                ' Distinguished names of current user and computer
        Dim oUserObject, oComputerObject        ' and the corresponding object references
        Dim sUserFullName                       ' Full name / display name of the user
        Dim bVerbose                            ' TRUE for detailed log info, FALSE for error logging only

        ' ------ Customize here -----
        bVerbose = False
        ' Define list of groups whose direct members should be excluded from the processing below
        sAdmins = Array("gg_Site1_AdminClient", "gg_Site1_Admins")

        ' NOTE: This only works on Windows 2000 (or later) PCs that are members of the AD domain
        Set oSysInfo = CreateObject("ADSystemInfo")
        sUserDn = oSysInfo.UserName             ' Get the DN of the current user
        sComputerDn = oSysInfo.ComputerName     ' and of this computer
        If bVerbose Then WScript.Echo "  Computer-Object: " & sComputerDn

        ' Get a reference to the user object
        Set oUserObject = GetObject(AD_PROVIDER & "//" & sUserDn)
        ' Avoid getting all attributes, as we only need the CN
        oUserObject.GetInfoEx Array("cn"), 0
        sUserFullName = oUserObject.Get("cn")

        ' Loop through all admin groups and check if the user is a member of any
        i = LBound(sAdmins)
        Do While i <= UBound(sAdmins)
                Set oGrp = FindGroup(sAdmins(i))
                If Not (oGrp Is Nothing) Then
                        If oGrp.IsMember(AD_PROVIDER & "//" & sUserDn) Then
                                WScript.Echo "  Skip this script as the user " & sUserFullName & " is member of the group " & sAdmins(i)
                                WScript.Quit 0          ' Forget the rest
                        End If
                End If
                i = i + 1
        Loop

        ' The user is NOT an administrator, proceed ...
        ' Get reference to computer object
        Set oComputerObject = GetObject(AD_PROVIDER & "//" & sComputerDn)
        ' First retrieve and check the current value of the description attribute
        ' We don't want to update it unless it really does change. This avoids unnecessary replication...
        oComputerObject.GetInfoEx Array("description"), 0

        Dim sCurDescription
        sCurDescription = ""
        ' Get() raises an error when the attribute is empty, so errors are ignored from here on;
        ' a failed SetInfo is detected by the re-read below
        On Error Resume Next
        sCurDescription = oComputerObject.Get("description")
        If bVerbose Then WScript.Echo "  Current Description: " & sCurDescription
        If sCurDescription <> sUserFullName Then        ' It DOES need to be modified!
                If bVerbose Then WScript.Echo "  New Description: " & sUserFullName
                oComputerObject.Put "description", sUserFullName        ' Ok, do it
                oComputerObject.SetInfo                                 ' and save it!

                ' Check if attribute was updated correctly
                oComputerObject.GetInfoEx Array("description"), 0
                sCurDescription = oComputerObject.Get("description")
                If sCurDescription <> sUserFullName Then
                        ' Update of description attribute failed!
                        WScript.Echo "  *** Update Failed ***********************************************************"
                        WScript.Echo "  Could not update attribute with new text!"
                        WScript.Echo "  => this is likely due to missing permissions on the computer object"
                        WScript.Echo "  => user needs WRITE permissions on 'description' attribute of computer object"
                End If
        Else
                If bVerbose Then WScript.Echo "  No need to update - Done"
        End If

' End of main script




Function FindGroup(sGroupName)
' A simple function to return a group object reference from the CN
' Important note: This assumes that all CNs are unique. This is not enforced by AD!!!
' In case several objects with the same CN are defined, only one of them will be
' returned, dependent on the order in which the result list is returned from AD.
'
' The function uses ADO to look up the AdsPath and get a reference
' If the group cannot be found, then NOTHING is returned

        Dim oConnect, oCommand, oRs
        Dim sFilterString
        Dim sAdsPath

        ' Create ADO connection to Active Directory
        Set oConnect = CreateObject("ADODB.Connection")
        oConnect.Provider = "ADsDSOObject"
        oConnect.Open "DS Query"

        sFilterString = "(&(objectClass=group)(cn=" & sGroupName & "))"
        Set oCommand = CreateObject("ADODB.Command")
        Set oCommand.ActiveConnection = oConnect
        oCommand.CommandText = "<" & AD_PROVIDER & "//" & CTX_DOMAIN & ">;" & sFilterString & ";aDsPath;subTree"
        Set oRs = oCommand.Execute

        If oRs.EOF And oRs.BOF Then             ' Check if we've got nothing ...
                ' Release all object references
                Set oRs = Nothing
                Set oCommand = Nothing
                Set oConnect = Nothing
                Set FindGroup = Nothing
                Exit Function
        End If

        oRs.MoveFirst
        sAdsPath = oRs.Fields("adsPath").Value  ' This is what we're working on !
        ' Release all object references
        Set oRs = Nothing
        Set oCommand = Nothing
        Set oConnect = Nothing

        Set FindGroup = GetObject(sAdsPath)

End Function
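
The lookup side of the question that started this thread, as an added example that is not part of the original post: it searches for computer objects whose description equals a user's CN, as written by the script above, and escapes the CN per RFC 4515 before it goes into the LDAP filter. The function names are hypothetical, and the default domain DN is the sample CTX_DOMAIN value from the script.

```powershell
# Added example, not from the thread. Function names are hypothetical;
# 'dc=mydom,dc=net' is the sample CTX_DOMAIN value used in the script.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515: escape the backslash first, then * ( ) and NUL, so a CN such as
    # "Smith (Temp)" cannot change the structure of the search filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
           -replace '\)', '\29' -replace '\x00', '\00'
}

function Get-ComputerByUserCn {
    param(
        [Parameter(Mandatory)][string]$UserCn,
        [string]$DomainDn = 'dc=mydom,dc=net'
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    $searcher.Filter = '(&(objectCategory=computer)(description={0}))' -f `
        (ConvertTo-LdapFilterValue $UserCn)
    $searcher.PageSize = 500              # page the results in large domains
    [void]$searcher.PropertiesToLoad.Add('cn')
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # Result property names are stored in lower case
            [pscustomobject]@{
                Computer = [string]$r.Properties['cn'][0]
                DN       = [string]$r.Properties['distinguishedname'][0]
                User     = $UserCn
            }
        }
    }
    finally {
        $results.Dispose()                # SearchResultCollection holds unmanaged resources
        $searcher.Dispose()
    }
}

# Constructed sample inputs
ConvertTo-LdapFilterValue 'O*Brien (Temp)'
Get-ComputerByUserCn -UserCn 'Jane Doe'
```

Because every member of the delegated group can write the description attribute, the value is a self-reported hint rather than audit evidence. CNs are also not guaranteed unique, so one CN can match machines stamped by different users.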




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Sullivan
Sent: Friday, 2 December 2005 14:22
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting computer name from a username

Since we don't use the webpage in the user account properties, we have a
startup script that puts the username into the webpage properties.
Wherever the user has logged in from, it will enter the computer name in
the webpage box.  It changes with each login.  Let me know if you/anyone
else is interested.





Mike O'Sullivan
IT Expert
College of Veterinary Medicine
352.392.4700x4343

>>> [EMAIL PROTECTED] 12/1/2005 4:49:39 AM >>>
Hi,

Is there a way you can tell which computer a user has logged onto just
from his username?



-- 
Shane De Jager
Technical Developer

INTERGAGE
High-performance, updateable Web sites

Switchboard   +44 (0)845 456 1022
==
www.intergage.co.uk 
[EMAIL PROTECTED] 

Are you aware of our referral scheme? Learn how you could profit
personally from passing us leads.

Click here to pass a referral: www.intergage.co.uk/referrals 
List info   : http://www.activedir.org/List.aspx 
List FAQ    : http://www.activedir.org/ListFAQ.aspx 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
