The few questions/comments I thought of are...

1. Do you clear the attribute you set when the user logs off? If you do, how
do you account for hibernation, etc., that wouldn't let you do anything?

2. What if someone comes up with cached creds and then reconnects the
computer (wireless or even purposeful disconnect/reconnect)?

3. If you send an update for an attribute to AD that is identical to the
value that is there it will accept it like you made the change but no change
is really made to reduce overhead. MS thought of that one. 

I'm using a similar script for a few customers the other way around => it
writes the user's name into the description attribute of the computer he's
logging onto. 

To limit the replication impact in AD, the script first checks if the value
needs to be updated which is not often the case, as users don't roam much to
other machines. It also checks if the user is a member of specific
administrator groups (such as client admins) which won't update the computer
object either as they log on to various clients by nature of their job.

Realize that you'll need to grant an appropriate group (e.g.
All-Users-SiteXYZ) the rights to update the description field on computer
objects in the respective OU. This is not required when leveraging the
homepage attribute on the user object as mentioned in the previous post,
since every user has the permission to update this attribute by default via
the SELF security principal. Nevertheless, we preferred to have this
information bound to the computer object.  

Ideally you might actually want to use the "managedBy" attribute of the
respective computer object to _link_ the user to the computer => this way
you could view all computers that the user is actively logging onto via the
"managedObjects" attribute on the user account. These attributes are linked
together quite similar to the membership of a user in a group, or to the
manager and directReports attributes on a user object - the difference here
is (sadly enough), that the managedObjects attribute is not shown in the AD
User&Computers MMC that is used by many delegated admins to manage their
objects. Also, you can't add the "managedBy" attribute in the list columns.
This left us with leveraging the description attribute of the computer
object as a good compromise. If you have a nice webpage to display the info
(or an extension in ADUC), you should decide to use the
managedBy/managedObjects attributes.

Find the code below, if you're interested to use it. Note that this is an
old script that a few people have worked on a couple of years ago. As such
there is room for improvement... However, it's running successfully in
various large AD environments so think of it as "proven in production".


' Script to update the description attribute of a computer object with the CN of the user
' who is interactively logging onto the computer. Script should be integrated into
' general logon script.  User requires WRITE permission on description attribute of
' Computer object.

        Option Explicit
        Const AD_PROVIDER = "LDAP:"
        ' ------ Customize here -----
        'Const CTX_DOMAIN = "dc=child1,dc=root,dc=net"
        Const CTX_DOMAIN = "dc=mydom,dc=net"
        Dim sAdmins                      ' List of ADMIN groups. Members of these will not update the description attribute
        Dim i                            ' Anonymous counter variable
        Dim oGrp                         ' Reference to admin group object for membership test
        Dim oSysInfo                     ' Reference to ADSystemInfo object
        Dim sUserDn, sComputerDn         ' Distinguished names of current user and computer
        Dim oUserObject, oComputerObject ' and the corresponding object references
        Dim sUserFullName                ' Full name / display name of the user
        Dim bVerbose                     ' TRUE for detailed log info, FALSE for error logging only

        ' ------ Customize here -----
        bVerbose = FALSE
        ' Define list of groups whose direct members should be excluded from the processing below
        sAdmins = Array("gg_Site1_AdminClient", "gg_Site1_Admins")

        ' NOTE: This only works on Windows 2000 (or later) PCs that are members of the AD domain
        Set oSysInfo = CreateObject("ADSystemInfo")
        sUserDn = oSysInfo.UserName             ' Get the DN of the current user
        sComputerDn = oSysInfo.ComputerName     ' and of this computer
        If bVerbose Then Wscript.Echo "  Computer-Object: " & sComputerDn
        ' Get a reference of the user object
        Set oUserObject = GetObject(AD_PROVIDER & "//" & sUserDn)
        ' Avoid getting all attributes, as we only need the CN
        oUserObject.GetInfoEx Array("cn"), 0
        sUserFullName = oUserObject.Get("cn")
        ' Loop through all Admin groups and check if the user is a member of one of them
        i = LBound(sAdmins)
        Do While i <= UBound(sAdmins)
                Set oGrp = FindGroup(sAdmins(i))
                If Not (oGrp Is Nothing) Then
                        If oGrp.IsMember(AD_PROVIDER & "//" & sUserDn) Then
                                Wscript.Echo "  Skip this script as the user " & sUserFullName & " is member of the group " & sAdmins(i)
                                WScript.Quit 0  ' Exit without touching the computer object
                        End If
                End If
                i = i + 1
        Loop
        ' The user is NOT an administrator, proceed ...
        ' Get reference to computer object
        Set oComputerObject = GetObject(AD_PROVIDER & "//" & sComputerDn)
        ' First retrieve and check the current value of the description
        ' We don't want to update it unless it really does change. This avoids unnecessary replication...
        oComputerObject.GetInfoEx Array("description"), 0
        Dim sCurDescription
        sCurDescription = ""
        ' Get() raises an error when the attribute is empty. Error handling stays
        ' relaxed below so that a failed SetInfo falls through to the verification.
        On Error Resume Next
        sCurDescription = oComputerObject.Get("description")
        If bVerbose Then Wscript.Echo "  Current Description: " & sCurDescription
        If sCurDescription <> sUserFullName Then ' It DOES need to be updated
                If bVerbose Then Wscript.Echo "  New Description: " & sUserFullName
                oComputerObject.Put "description", sUserFullName    ' Ok, do it
                oComputerObject.SetInfo                             ' and save it!
                ' Check if attribute was updated correctly
                oComputerObject.GetInfoEx Array("description"), 0
                sCurDescription = oComputerObject.Get("description")
                If sCurDescription <> sUserFullName Then
                        ' Update of description attribute failed!
                        Wscript.Echo "  *** Update Failed"
                        Wscript.Echo "  Could not update attribute with new value"
                        Wscript.Echo "  => this is likely due to missing permissions on the computer object"
                        Wscript.Echo "  => user needs WRITE permissions on 'description' attribute of computer object"
                End If
        Else
                If bVerbose Then Wscript.Echo "  No need to update - Done"
        End If

' End of main script

Function FindGroup(sGroupName)
' A simple function to return a group object reference from the CN
' Important note: This assumes that all CN-s are unique. This is not enforced by AD!!!
' In case that several objects with the same CN are defined, then only one of them will be
' returned, depending on the order by which the result list is returned from AD.
' The function uses ADO to lookup the AdsPath and get a reference
' If the group cannot be found, then NOTHING is returned

        Dim oConnect, oCommand, oRs
        Dim sFilterString
        Dim sAdsPath
        ' Create ADO connection to Active Directory
        Set oConnect = CreateObject("ADODB.Connection")
        oConnect.Provider = "ADsDSOObject"
        oConnect.Open "DS Query"
        sFilterString = "(&(objectClass=group)(cn=" & sGroupName & "))"
        Set oCommand = CreateObject("ADODB.Command")
        Set oCommand.ActiveConnection = oConnect
        oCommand.CommandText = "<" & AD_PROVIDER & "//" & CTX_DOMAIN & ">;" & sFilterString & ";aDsPath;subTree"
        Set oRs = oCommand.Execute
        If oRs.EOF AND oRs.BOF Then     ' Check if we've got nothing ...
                ' Release all object references
                Set oRs = Nothing
                Set oCommand = Nothing
                Set oConnect = Nothing
                Set FindGroup = Nothing
                Exit Function
        End If
        sAdsPath = oRs.Fields("adsPath").Value  ' This is what we're working on !
        ' Release all object references
        Set oRs = Nothing
        Set oCommand = Nothing
        Set oConnect = Nothing
        Set FindGroup = GetObject(sAdsPath)

End Function
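
The delegation the post above calls for (write access to the description attribute on computer objects in one OU), shown as an added example that is not part of the original thread or script: it grants only that one property and then audits the result. The OU path and the MYDOM domain prefix are assumptions; All-Users-SiteXYZ is the example group name from the post.

```powershell
Import-Module ActiveDirectory

# Assumed values, not from the thread: the OU path and the group's NetBIOS domain.
$ouDn  = 'OU=Clients,OU=SiteXYZ,DC=mydom,DC=net'
$group = 'MYDOM\All-Users-SiteXYZ'

# Grant only Write Property (WP) on 'description', inherited by computer
# objects below the OU (/I:S = child objects only, not the OU itself).
dsacls $ouDn /I:S /G "${group}:WP;description;computer"

# Resolve schema GUIDs so the ACEs can be checked by meaning, not by eye.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $schemaNc `
                      -LDAPFilter "(lDAPDisplayName=$LdapName)" `
                      -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$descGuid     = Get-SchemaGuid 'description'
$computerGuid = Get-SchemaGuid 'computer'

# Audit: every explicit ACE for the group on this OU should be exactly that
# grant. Anything broader (GenericWrite, all properties, all object classes)
# shows up with AsIntended = False.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
    ForEach-Object {
        $ok = $_.AccessControlType     -eq 'Allow'         -and
              $_.ActiveDirectoryRights -eq 'WriteProperty' -and
              $_.ObjectType            -eq $descGuid       -and
              $_.InheritedObjectType   -eq $computerGuid
        [pscustomobject]@{
            Rights     = $_.ActiveDirectoryRights
            Property   = $_.ObjectType
            AppliesTo  = $_.InheritedObjectType
            AsIntended = $ok
        }
    }
```

With this grant in place, any member of the group can write any text to the description of any computer in the OU, so the value is self-reported by the logon script rather than an authoritative logon record.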

Since we don't use the webpage in the user account properties, we have a
startup script that puts the username into the webpage properties.
Wherever the user has logged in from, it will enter the computer name in the
webpage box.  It changes with each login.  Let me know if you/anyone else is

Is there a way you can tell which computer a user has logged onto just from
his username?

