hey joe - good questions - let me clarify:

1. No, we purposely don't - this would cause excessive replication and, as
you've mentioned, there's no guarantee that we would be able to write the
value. But the goal of this information is not to show who is _currently_
logged on a machine (I wouldn't use a distributed system to store this
information); actually it doesn't store any time information with the
username. Instead its goal is to document the general relationship between
computers and users, which allows helpdesk folks and location admins to more
easily localize a user's PC or vice versa.

2. Naturally, the logon-script solution will only account for those folks
that log on interactively. This will never be as accurate as a point-in-time
check against a workstation. However, as mobile users will have logged on
interactively to their notebook at one time in the past, their user name is
also associated with their notebook in AD. It doesn't matter if they
hibernate or disconnect afterwards.

3. Good to know - I wasn't aware of that. I still prefer not to request a
write operation if I don't have to.


I've received a few other questions offline, mainly around how to grant
users the permissions to change the description attribute on computer
objects, so that a user can write to it: if users should be granted
permissions to write to the description attribute of all computer objects in
a specific OU, this can be done by using the advanced permission options for
that OU. Doing so allows the admin to choose the type of objects to which to
apply specific permissions. In this case you would first go to the
"Properties" tab and then choose the option to "Apply onto" Computer objects.
Then grant the "Write description" permission for the appropriate group.
So what's the appropriate group? This depends on your situation - you could
use "Authenticated Users", allowing any user in the domain to update the
attribute, or you'd use a location-specific group of which all users of the
respective location are members (this will limit the scope of users who can
update the computer description attribute, which is usually a good thing).

Naturally, you can also use DSACLS to set the permissions via the command
line:
DSACLS "OU=Computers,OU=Location-XYZ,DC=mydom,DC=net" /I:S /G mydom\AllUsers-Location-XYZ:WP;description;computer


/Guido
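
The same delegation as a PowerShell function (an added example, not part of
Guido's mail or his script): it sets the one ACE the DSACLS line above sets,
"Write description" on computer objects below the OU, nothing on the OU
itself and nothing on other object types in it. It assumes the RSAT
ActiveDirectory module and the AD: drive it provides; the OU, domain and
group names are the placeholders from Guido's example. The attribute is a
parameter, so the same function also delegates "Write managedBy" should you
go the managedBy/managedObjects route Guido mentions further down.

```powershell
# Added example (not from the original thread). Assumes the RSAT
# ActiveDirectory module; OU/group names are the placeholders used in the mail.
Import-Module ActiveDirectory

function Grant-ComputerAttributeWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # e.g. 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net'
        [Parameter(Mandatory)][string]$GroupName,  # e.g. 'AllUsers-Location-XYZ'
        [string]$Attribute = 'description'         # or 'managedBy'
    )

    # Resolve the schemaIDGUIDs from the schema instead of hard-coding them, so
    # the ACE is scoped to exactly this attribute on exactly the computer class.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
        -Properties schemaIDGUID).schemaIDGUID
    $compGuid = [guid](Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=computer))' `
        -Properties schemaIDGUID).schemaIDGUID

    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDn"

    # WriteProperty on the single attribute, inherited by descendant computer
    # objects only (the DSACLS /I:S behaviour): the group gets no right on the
    # OU itself and none on user or group objects that live in the same OU.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $compGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-ComputerAttributeWrite {
    # Read the ACL back and list only the ACE(s) for this group and attribute,
    # a quick before/after check that nothing broader was granted by mistake.
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Attribute = 'description'
    )
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attrGuid = [guid](Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
        -Properties schemaIDGUID).schemaIDGUID
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference -like "*\$GroupName" -and $_.ObjectType -eq $attrGuid } |
        Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
}

# Usage (placeholder names from the mail):
Grant-ComputerAttributeWrite -OuDn 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net' -GroupName 'AllUsers-Location-XYZ'
Test-ComputerAttributeWrite  -OuDn 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net' -GroupName 'AllUsers-Location-XYZ'
```

Test-ComputerAttributeWrite should show a single Allow entry with
ActiveDirectoryRights WriteProperty, InheritanceType Descendents and the
computer class as InheritedObjectType; anything wider than that (GenericWrite,
an empty ObjectType, inheritance onto All) means the delegation was not
scoped the way the mail describes.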

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sonntag, 4. Dezember 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

The few questions/comments I thought of are...

1. Do you clear the attribute you set when the user logs off? If you do, how
do you account for hibernation, etc. that wouldn't let you do anything.

2. What if someone comes up with cached creds and then reconnects the
computer (wireless or even purposeful disconnect/reconnect)?

3. If you send an update for an attribute to AD that is identical to the
value that is there it will accept it like you made the change but no change
is really made to reduce overhead. MS thought of that one.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Sunday, December 04, 2005 9:01 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting computer name from a username

I'm using a similar script for a few customers the other way around => it
writes the user's name into the description attribute of the computer he's
logging onto.

To limit the replication impact in AD, the script first checks if the value
needs to be updated, which is not often the case, as users don't roam much to
other machines. It also checks if the user is a member of specific
administrator groups (such as client admins), who won't update the computer
object either, as they log on to various clients by nature of their job.

Realize that you'll need to grant an appropriate group (e.g.
All-Users-SiteXYZ) the rights to update the description field on computer
objects in the respective OU. This is not required when leveraging the
homepage attribute on the user object as mentioned in the previous post,
since every user has the permission to update this attribute by default via
the SELF security principal. Nevertheless, we preferred to have this
information bound to the computer object.

Ideally you might actually want to use the "managedBy" attribute of the
respective computer object to _link_ the user to the computer => this way
you could view all computers that the user is actively logging onto via the
"managedObjects" attribute on the user account. These attributes are linked
together quite similar to the membership of a user in a group, or to the
manager and directReports attributes on a user object - the difference here
is (sadly enough) that the managedObjects attribute is not shown in the AD
Users & Computers MMC that is used by many delegated admins to manage their
objects. Also, you can't add the "managedBy" attribute in the list columns.
This left us with leveraging the description attribute of the computer
object as a good compromise. If you have a nice webpage to display the info
(or an extension in ADUC), you should decide to use the
managedBy/managedObjects attributes.

Find the code below, if you're interested to use it. Note that this is an
old script that a few people have worked on a couple of years ago. As such
there is room for improvement... However, it's running successfully in
various large AD environments so think of it as "proven in production".

/Guido


' Script to update the description attribute of a computer object with the CN
' of the user who is interactively logging onto the computer. Script should be
' integrated into the general logon script. User requires WRITE permission on
' the description attribute of the Computer object.

Option Explicit

Const AD_PROVIDER = "LDAP:"

' ------ Customize here -----
'Const CTX_DOMAIN = "dc=child1,dc=root,dc=net"
Const CTX_DOMAIN = "dc=mydom,dc=net"

Dim sAdmins                         ' List of ADMIN groups. Members of these will not update the description attribute
Dim i                               ' Anonymous counter variable
Dim oGrp                            ' Reference to admin group object for membership test
Dim oSysInfo                        ' Reference to ADSystemInfo object
Dim sUserDn, sComputerDn            ' Distinguished names of current user and computer
Dim oUserObject, oComputerObject    ' and the corresponding object references
Dim sUserFullName                   ' Full name / display name of the user
Dim sCurDescription                 ' Current value of the computer's description attribute
Dim bVerbose                        ' TRUE for detailed log info, FALSE for error logging only

' ------ Customize here -----
bVerbose = False
' Define list of groups whose direct members should be excluded from the processing below
sAdmins = Array("gg_Site1_AdminClient", "gg_Site1_Admins")

' NOTE: This only works on Windows 2000 (or later) PCs that are members of the AD domain
Set oSysInfo = CreateObject("ADSystemInfo")
sUserDn = oSysInfo.UserName                 ' Get the DN of the current user
sComputerDn = oSysInfo.ComputerName         ' and of this computer
If bVerbose Then WScript.Echo "  Computer-Object: " & sComputerDn

' Get a reference to the user object
Set oUserObject = GetObject(AD_PROVIDER & "//" & sUserDn)
' Avoid getting all attributes, as we only need the CN
oUserObject.GetInfoEx Array("cn"), 0
sUserFullName = oUserObject.Get("cn")

' Loop through all admin groups and check if the user is a member of any
i = LBound(sAdmins)
Do While i <= UBound(sAdmins)
    Set oGrp = FindGroup(sAdmins(i))
    If Not (oGrp Is Nothing) Then
        If oGrp.IsMember(AD_PROVIDER & "//" & sUserDn) Then
            WScript.Echo "  Skip this script as the user " & sUserFullName & " is member of the group " & sAdmins(i)
            WScript.Quit 0                  ' Forget the rest
        End If
    End If
    i = i + 1
Loop

' The user is NOT an administrator, proceed ...
' Get reference to computer object
Set oComputerObject = GetObject(AD_PROVIDER & "//" & sComputerDn)
' First retrieve and check the current value of the description attribute.
' We don't want to update it unless it really does change. This avoids unnecessary replication...
oComputerObject.GetInfoEx Array("description"), 0

sCurDescription = ""
' Get raises an error when the attribute is not set; the empty string is kept in that case.
' Errors from SetInfo below are ignored on purpose as well: success is verified by re-reading the value.
On Error Resume Next
sCurDescription = oComputerObject.Get("description")
If bVerbose Then WScript.Echo "  Current Description: " & sCurDescription
If sCurDescription <> sUserFullName Then    ' It DOES need to be modified!
    If bVerbose Then WScript.Echo "  New Description: " & sUserFullName
    oComputerObject.Put "description", sUserFullName    ' Ok, do it
    oComputerObject.SetInfo                             ' and save it!

    ' Check if the attribute was updated correctly
    oComputerObject.GetInfoEx Array("description"), 0
    sCurDescription = oComputerObject.Get("description")
    If sCurDescription <> sUserFullName Then
        ' Update of description attribute failed!
        WScript.Echo "  *** Update Failed ***********************************************************"
        WScript.Echo "  Could not update attribute with new text!"
        WScript.Echo "  => this is likely due to missing permissions on the computer object"
        WScript.Echo "  => user needs WRITE permissions on 'description' attribute of computer object"
    End If
Else
    If bVerbose Then WScript.Echo "  No need to update - Done"
End If
On Error GoTo 0

' End of main script




Function FindGroup(sGroupName)
' A simple function to return a group object reference from the CN.
' Important note: This assumes that all CNs are unique. This is not enforced by AD!!!
' In case several objects with the same CN are defined, only one of them will be
' returned, depending on the order in which the result list is returned from AD.
'
' The function uses ADO to look up the ADsPath and get a reference.
' If the group cannot be found, then Nothing is returned.

    Dim oConnect, oCommand, oRs
    Dim sFilterString
    Dim sAdsPath

    ' Create ADO connection to Active Directory
    Set oConnect = CreateObject("ADODB.Connection")
    oConnect.Provider = "ADsDSOObject"
    oConnect.Open "DS Query"

    ' sGroupName only ever comes from the constant sAdmins list above, so it is
    ' safe to place into the LDAP filter without escaping
    sFilterString = "(&(objectClass=group)(cn=" & sGroupName & "))"
    Set oCommand = CreateObject("ADODB.Command")
    Set oCommand.ActiveConnection = oConnect
    oCommand.CommandText = "<" & AD_PROVIDER & "//" & CTX_DOMAIN & ">;" & sFilterString & ";aDsPath;subTree"
    Set oRs = oCommand.Execute

    If oRs.EOF And oRs.BOF Then                 ' Check if we've got nothing ...
        ' Release all object references
        Set oRs = Nothing
        Set oCommand = Nothing
        Set oConnect = Nothing
        Set FindGroup = Nothing
        Exit Function
    End If

    oRs.MoveFirst
    sAdsPath = oRs.Fields("aDsPath").Value      ' This is what we're working on!
    ' Release all object references
    Set oRs = Nothing
    Set oCommand = Nothing
    Set oConnect = Nothing

    Set FindGroup = GetObject(sAdsPath)

End Function

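The managedBy/managedObjects variant that Guido calls the ideal solution but
did not implement, as an added example in PowerShell (it is not Guido's
script and not part of the thread). It keeps the three properties of the
VBScript above: skip members of the admin groups, write only when the value
actually changes, and verify the write by re-reading. It assumes the RSAT
ActiveDirectory module is present on the client running the logon script,
that the user has been delegated "Write managedBy" on the computer objects
(the same delegation as for description, with managedBy as the attribute),
and it reuses the placeholder group names from the VBScript.

```powershell
# Added example (not from the original thread). Assumes the RSAT
# ActiveDirectory module; group names are the placeholders from the VBScript.
Import-Module ActiveDirectory

# Groups whose members must not claim a computer: they log on everywhere.
$AdminGroups = @('gg_Site1_AdminClient', 'gg_Site1_Admins')

function Update-ComputerManagedBy {
    # Logon-script side: link this computer to the interactive user via managedBy.
    # Returns 'skipped', 'unchanged' or 'updated'; throws if the write did not stick.
    $user     = Get-ADUser     -Identity $env:USERNAME     -Properties memberOf
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties managedBy

    # Direct membership only, exactly like IsMember in the VBScript; a group that
    # does not exist is simply ignored, as FindGroup returning Nothing was.
    $adminDns = foreach ($g in $AdminGroups) {
        (Get-ADGroup -Identity $g -ErrorAction SilentlyContinue).DistinguishedName
    }
    if ($user.memberOf | Where-Object { $adminDns -contains $_ }) {
        return 'skipped'
    }

    # Write only when the link really changes, to avoid needless replication.
    if ($computer.managedBy -eq $user.DistinguishedName) {
        return 'unchanged'
    }
    Set-ADComputer -Identity $computer -ManagedBy $user.DistinguishedName

    # Verify by re-reading, as the original script does. A mismatch here is
    # almost always a missing "Write managedBy" delegation on the computer object.
    $after = (Get-ADComputer -Identity $computer -Properties managedBy).managedBy
    if ($after -ne $user.DistinguishedName) {
        throw "managedBy update failed for $($computer.Name): check the delegation on the computer object"
    }
    return 'updated'
}

function Get-ComputersForUser {
    # Helpdesk side: which computers has this user logged on to? managedObjects
    # is the back-link AD maintains for managedBy, so no directory search is needed.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties managedObjects
    foreach ($dn in $u.managedObjects) {
        # managedObjects also lists groups the user manages; keep computers only.
        Get-ADObject -Identity $dn |
            Where-Object { $_.ObjectClass -eq 'computer' } |
            Select-Object Name, DistinguishedName
    }
}

# Usage: the first call belongs in the logon script, the second is what a
# helpdesk operator runs.
Update-ComputerManagedBy
Get-ComputersForUser -SamAccountName $env:USERNAME
```

managedBy is single-valued, so a computer still points at one user (the last
one who logged on), just as with description; the gain is on the user side,
where managedObjects lists every computer currently pointing at that user
without a directory-wide search.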



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Sullivan
Sent: Freitag, 2. Dezember 2005 14:22
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting computer name from a username

Since we don't use the webpage in the user account properties, we have a
startup script that puts the username into the webpage properties. Wherever
the user has logged in from, it will enter the computer name in the webpage
box. It changes with each login. Let me know if you/anyone else is
interested.





Mike O'Sullivan
IT Expert
College of Veterinary Medicine
352.392.4700x4343

>>> [EMAIL PROTECTED] 12/1/2005 4:49:39 AM >>>
Hi,

Is there a way you can tell which computer a user has logged onto just from
his username?



--
Shane De Jager
Technical Developer

INTERGAGE
High-performance, updateable Web sites

Switchboard   +44 (0)845 456 1022
==
www.intergage.co.uk
[EMAIL PROTECTED] 

List info   : http://www.activedir.org/List.aspx 
List FAQ    : http://www.activedir.org/ListFAQ.aspx 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
