hey joe - good questions - let me clarify:

1. no we purposely don't - this would cause excessive replication and, as you've mentioned, there's no guarantee that we would be able to write the value. But the goal of this information is not to show who is _currently_ logged on a machine (I wouldn't use a distributed system to store this information); actually it doesn't store any time information with the username. Instead its goal is to document the general relationship between computers and users, which allows helpdesk folks and location admins to more easily locate a user's PC or vice versa.

2. naturally, the logon-script solution will only account for those folks that log on interactively. This will never be as accurate as a point-in-time check against a workstation. However, as mobile users will have logged on interactively to their notebook at one time in the past, their user name is also associated with their notebook in AD. Doesn't matter if they hibernate or disconnect afterwards.

3. good to know - I wasn't aware of that. Still prefer not to request a write operation if I don't have to.

I've received a few other questions offline, mainly around how I grant the permissions for users to change the description attribute on computer objects, so that a user can write to it: if users should be granted permissions to write to the description attribute of all computer objects in a specific OU, this can be done by using the advanced permission options for that OU. Doing so allows the admin to choose the type of objects to which specific permissions apply. In this case you would first go to the "Properties" tab and then choose the option to "Apply onto" Computer objects. Then grant the "Write description" permission for the appropriate group.

So what's the appropriate group? This depends on your situation - you could use "Authenticated Users", allowing any user in the domain to update the attribute, or you'd use a location-specific group of which all users of the respective location are members (this will limit the scope of users who can update the computer description attribute, which is usually a good thing).

Naturally, you can also use DSACLS to set the permissions via command line:

DSACLS "OU=Computers,OU=Location-XYZ,DC=mydom,DC=net" /I:S /G mydom\AllUsers-Location-XYZ:WP;description;computer

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 4 December 2005 16:23
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Getting computer name from a username

The few questions/comments I thought of are...

1. Do you clear the attribute you set when the user logs off? If you do, how do you account for hibernation, etc. that wouldn't let you do anything.

2. What if someone comes up with cached creds and then reconnects the computer (wireless or even purposeful disconnect/reconnect)?

3. If you send an update for an attribute to AD that is identical to the value that is there, it will accept it like you made the change, but no change is really made, to reduce overhead. MS thought of that one.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 04, 2005 9:01 AM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Getting computer name from a username

I'm using a similar script for a few customers the other way around => it writes the user's name into the description attribute of the computer he's logging onto. To limit the replication impact in AD, the script first checks if the value needs to be updated, which is not often the case, as users don't roam much to other machines. It also checks if the user is a member of specific administrator groups (such as client admins), which won't update the computer object either, as they log on to various clients by nature of their job. Realize that you'll need to grant an appropriate group (e.g. All-Users-SiteXYZ) the rights to update the description field on computer objects in the respective OU. This is not required when leveraging the homepage attribute on the user object as mentioned in the previous post, since every user has the permission to update this attribute by default via the SELF security principal. Nevertheless, we preferred to have this information bound to the computer object.
Ideally you might actually want to use the "managedBy" attribute of the respective computer object to _link_ the user to the computer => this way you could view all computers that the user is actively logging onto via the "managedObjects" attribute on the user account. These attributes are linked together quite similarly to the membership of a user in a group, or to the manager and directReports attributes on a user object - the difference here is (sadly enough) that the managedObjects attribute is not shown in the AD Users & Computers MMC that is used by many delegated admins to manage their objects. Also, you can't add the "managedBy" attribute to the list columns. This left us with leveraging the description attribute of the computer object as a good compromise. If you have a nice webpage to display the info (or an extension in ADUC), you should decide to use the managedBy/managedObjects attributes.

Find the code below, if you're interested in using it. Note that this is an old script that a few people have worked on a couple of years ago. As such there is room for improvement... However, it's running successfully in various large AD environments, so think of it as "proven in production".

/Guido

' Script to update the description attribute of a computer object with the CN of the user
' who is interactively logging onto the computer. Script should be integrated into
' general logon script. User requires WRITE permission on description attribute of
' Computer object.
Option Explicit

Const AD_PROVIDER = "LDAP:"

' ------ Customize here -----
'Const CTX_DOMAIN = "dc=child1,dc=root,dc=net"
Const CTX_DOMAIN = "dc=mydom,dc=net"

Dim sAdmins                      ' List of ADMIN groups. Members of these will not update the description attribute
Dim i                            ' Anonymous counter variable
Dim oGrp                         ' Reference to admin group object for membership test
Dim oSysInfo                     ' Reference to ADSystemInfo object
Dim sUserDn, sComputerDn         ' Distinguished names of current user and computer
Dim oUserObject, oComputerObject ' and the corresponding object references
Dim sUserFullName                ' Full name / display name of the user
Dim sCurDescription              ' Current value of the computer's description attribute
Dim bVerbose                     ' TRUE for detailed log info, FALSE for error logging only

' ------ Customize here -----
bVerbose = FALSE
' Define list of groups whose direct members should be excluded from the processing below
sAdmins = Array("gg_Site1_AdminClient", "gg_Site1_Admins")

' NOTE: This only works on Windows 2000 (or later) PCs that are members of the AD domain
Set oSysInfo = CreateObject("ADSystemInfo")
sUserDn = oSysInfo.UserName         ' Get the DN of the current user
sComputerDn = oSysInfo.ComputerName ' and of this computer
If bVerbose Then Wscript.Echo " Computer-Object: " & sComputerDn

' Get a reference to the user object
Set oUserObject = GetObject(AD_PROVIDER & "//" & sUserDn)
' Avoid getting all attributes, as we only need the CN
oUserObject.GetInfoEx Array("cn"), 0
sUserFullName = oUserObject.Get("cn")

' Loop through all admin groups and check if the user is a member of any
i = LBound(sAdmins)
Do While i <= UBound(sAdmins)
    Set oGrp = FindGroup(sAdmins(i))
    If Not (oGrp Is Nothing) Then
        If oGrp.IsMember(AD_PROVIDER & "//" & sUserDn) Then
            Wscript.Echo " Skip this script as the user " & sUserFullName & " is member of the group " & sAdmins(i)
            WScript.Quit 0 ' Forget the rest
        End If
    End If
    i = i + 1
Loop

' The user is NOT an administrator, proceed ...
' Get reference to computer object
Set oComputerObject = GetObject(AD_PROVIDER & "//" & sComputerDn)

' First retrieve and check the current value of the description attribute.
' We don't want to update it unless it really does change. This avoids unnecessary replication...
oComputerObject.GetInfoEx Array("description"), 0
sCurDescription = ""
On Error Resume Next ' Get fails if the attribute is not set; keep the empty default in that case
sCurDescription = oComputerObject.Get("description")
If bVerbose Then Wscript.Echo " Current Description: " & sCurDescription

If sCurDescription <> sUserFullName Then
    ' It DOES need to be modified!
    If bVerbose Then Wscript.Echo " New Description: " & sUserFullName
    oComputerObject.Put "description", sUserFullName ' Ok, do it
    oComputerObject.SetInfo                          ' and save it! (a failure is swallowed here and detected by the re-read below)
    ' Check if attribute was updated correctly
    oComputerObject.GetInfoEx Array("description"), 0
    sCurDescription = oComputerObject.Get("description")
    If sCurDescription <> sUserFullName Then
        ' Update of description attribute failed!
        Wscript.Echo " *** Update Failed ***********************************************************"
        Wscript.Echo " Could not update attribute with new text!"
        Wscript.Echo " => this is likely due to missing permissions on the computer object"
        Wscript.Echo " => user needs WRITE permissions on 'description' attribute of computer object"
    End If
Else
    If bVerbose Then Wscript.Echo " No need to update - Done"
End If
On Error GoTo 0
' End of main script

Function FindGroup(sGroupName)
    ' A simple function to return a group object reference from the CN
    ' Important note: This assumes that all CNs are unique. This is not enforced by AD!!!
    ' In case several objects with the same CN are defined, then only one of them will be
    ' returned, dependent on the order in which the result list is returned from AD.
    '
    ' The function uses ADO to look up the AdsPath and get a reference
    ' If the group cannot be found, then NOTHING is returned
    Dim oConnect, oCommand, oRs
    Dim sFilterString
    Dim sAdsPath

    ' Create ADO connection to Active Directory
    Set oConnect = CreateObject("ADODB.Connection")
    oConnect.Provider = "ADsDSOObject"
    oConnect.Open "DS Query"
    sFilterString = "(&(objectClass=group)(cn=" & sGroupName & "))"
    Set oCommand = CreateObject("ADODB.Command")
    Set oCommand.ActiveConnection = oConnect
    oCommand.CommandText = "<" & AD_PROVIDER & "//" & CTX_DOMAIN & ">;" & sFilterString & ";aDsPath;subTree"
    Set oRs = oCommand.Execute
    If oRs.EOF And oRs.BOF Then ' Check if we've got nothing ...
        ' Release all object references
        Set oRs = Nothing
        Set oCommand = Nothing
        Set oConnect = Nothing
        Set FindGroup = Nothing
        Exit Function
    End If
    oRs.MoveFirst
    sAdsPath = oRs.Fields("adsPath").Value ' This is what we're working on!
    ' Release all object references
    Set oRs = Nothing
    Set oCommand = Nothing
    Set oConnect = Nothing
    Set FindGroup = GetObject(sAdsPath)
End Function

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike O'Sullivan
Sent: Friday, 2 December 2005 14:22
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Getting computer name from a username

Since we don't use the webpage in the user account properties, we have a startup script that puts the username into the webpage properties. Wherever the user has logged in from, it will enter the computer name in the webpage box. It changes with each login. Let me know if you/anyone else is interested.

Mike O'Sullivan
IT Expert
College of Veterinary Medicine
352.392.4700x4343

>>> [EMAIL PROTECTED] 12/1/2005 4:49:39 AM >>>
Hi,

Is there a way you can tell which computer a user has logged onto just from his username?
--
Shane De Jager
Technical Developer
INTERGAGE
High-performance, updateable Web sites
Switchboard +44 (0)845 456 1022 == www.intergage.co.uk
[EMAIL PROTECTED]
Are you aware of our referral scheme? Learn how you could profit personally from passing us leads. Click here to pass a referral: www.intergage.co.uk/referrals

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
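An added example, not from any post in this thread: the delegation Guido describes (the DSACLS line and the "Apply onto: Computer objects" / "Write description" steps), done with the ActiveDirectory PowerShell module so the resulting ACE can be read back and verified rather than trusted. It assumes RSAT (the ActiveDirectory module and its AD: drive) on the admin host; the OU DN and group name are the thread's placeholders and the function names are mine. It looks up the schema GUIDs instead of hard-coding them, grants WriteProperty on description only, inherited only to computer objects beneath the OU (what /I:S ... ;description;computer expresses in DSACLS), and scopes the grant to the location group rather than Authenticated Users, which is the least-privilege choice Guido recommends.

```powershell
# Added example (not the thread's own code). Assumes the ActiveDirectory module (RSAT) and
# that "OU=Computers,OU=Location-XYZ,DC=mydom,DC=net" / "AllUsers-Location-XYZ" are placeholders.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class to its schemaIDGUID from the schema partition
    # instead of hard-coding the GUID, so the script is correct in any forest.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Grant-ComputerDescriptionWrite {
    # Equivalent of: DSACLS "<OU>" /I:S /G <domain>\<group>:WP;description;computer
    param(
        [Parameter(Mandatory)][string]$OuDn,       # OU whose computer objects users may annotate
        [Parameter(Mandatory)][string]$GroupName   # location group (sAMAccountName), NOT Authenticated Users
    )
    $descriptionGuid = Get-SchemaGuid 'description'   # the one attribute being granted
    $computerGuid    = Get-SchemaGuid 'computer'      # ... and only on computer objects
    $sid = (Get-ADGroup -Identity $GroupName).SID

    # Descendents = inherit-only (the OU itself is not writable), like DSACLS /I:S.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $descriptionGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerGuid)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-ComputerDescriptionWrite {
    # Read the OU's ACL back and return only the ACEs that match the intended grant exactly
    # (right, attribute, object class, inheritance); an empty result means the delegation is not in place.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupName)
    $descriptionGuid = Get-SchemaGuid 'description'
    $computerGuid    = Get-SchemaGuid 'computer'
    $sid = (Get-ADGroup -Identity $GroupName).SID
    (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $descriptionGuid -and
        $_.InheritedObjectType -eq $computerGuid -and
        $_.InheritanceType -eq 'Descendents'
    }
}

$ou    = 'OU=Computers,OU=Location-XYZ,DC=mydom,DC=net'
$group = 'AllUsers-Location-XYZ'
Grant-ComputerDescriptionWrite -OuDn $ou -GroupName $group
$granted = Test-ComputerDescriptionWrite -OuDn $ou -GroupName $group
if ($granted) { Write-Output "Verified: $group has Write description on computer objects under $ou" }
else          { Write-Warning "Delegation for $group not found on $ou" }
```

Run this once per location OU as a user who may modify the OU's security descriptor. The verification function is also what to run after an AD permissions review: anything broader that turns up for the group (GenericWrite, WriteProperty with an empty ObjectType, or an ACE that applies to all object classes) is more than the logon script needs.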
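A second added example, also not the script posted in the thread: the logon-script side in PowerShell, using only .NET and ADSI so it runs on a workstation without RSAT. It keeps Guido's two rules, compare before write so an unchanged value causes no replication, and skip members of the admin groups, but it checks the exclusion against the logon token's group SIDs (nested membership included, unlike the direct-member check in the VBScript, and without the lookup by non-unique CN that the VBScript's FindGroup warns about), and it can write the user's DN to managedBy instead of the CN to description, the linked-attribute variant Guido prefers when a viewer for managedObjects exists. The function names, the group names and the -UseManagedBy switch are assumptions for this example; the user needs WriteProperty on whichever attribute is chosen.

```powershell
# Added example (not the thread's own code). Runs as the logging-on user, no RSAT module needed.
# Assumptions: the excluded group names and the -UseManagedBy switch are placeholders for this example.

function Get-CurrentUserAndComputerDn {
    # ADSystemInfo has no type library, so PowerShell must reach its properties via InvokeMember.
    $sysInfo = New-Object -ComObject ADSystemInfo
    $t = $sysInfo.GetType()
    [pscustomobject]@{
        UserDn     = $t.InvokeMember('UserName',     'GetProperty', $null, $sysInfo, $null)
        ComputerDn = $t.InvokeMember('ComputerName', 'GetProperty', $null, $sysInfo, $null)
    }
}

function Test-ExcludedUser {
    # Membership comes from the logon token (nested groups included) rather than an LDAP lookup
    # by CN, so a duplicate or renamed CN cannot silently disable the exclusion.
    param([Parameter(Mandatory)][string[]]$ExcludedGroups)   # e.g. 'mydom\gg_Site1_Admins'
    $excludedSids = foreach ($g in $ExcludedGroups) {
        (New-Object System.Security.Principal.NTAccount($g)).Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    $tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
    return [bool]($tokenSids | Where-Object { $excludedSids -contains $_ })
}

function Update-ComputerUserRecord {
    param(
        [Parameter(Mandatory)][string]$UserDn,
        [Parameter(Mandatory)][string]$ComputerDn,
        [string[]]$ExcludedGroups = @(),
        [switch]$UseManagedBy    # write the user's DN to managedBy (back-linked as managedObjects) instead of the CN to description
    )
    if ($ExcludedGroups.Count -gt 0 -and (Test-ExcludedUser -ExcludedGroups $ExcludedGroups)) { return 'skipped' }

    # A '/' inside a DN must be escaped in an ADsPath.
    $user     = [ADSI]("LDAP://" + $UserDn.Replace('/', '\/'))
    $computer = [ADSI]("LDAP://" + $ComputerDn.Replace('/', '\/'))

    if ($UseManagedBy) { $attr = 'managedBy';   $newValue = $UserDn }
    else               { $attr = 'description'; $newValue = [string]$user.Properties['cn'].Value }

    # Fetch only the one attribute, compare, and write only on a real change (no write => no replication).
    $computer.RefreshCache(@($attr))
    $current = [string]$computer.Properties[$attr].Value
    if ($current -eq $newValue) { return 'unchanged' }

    $computer.Properties[$attr].Value = $newValue
    try {
        $computer.CommitChanges()
    } catch {
        # Usually a missing WriteProperty grant on $attr for computer objects in this OU.
        return "failed: $($_.Exception.Message)"
    }
    return 'updated'
}

$dns = Get-CurrentUserAndComputerDn
$result = Update-ComputerUserRecord -UserDn $dns.UserDn -ComputerDn $dns.ComputerDn `
          -ExcludedGroups @('mydom\gg_Site1_AdminClient', 'mydom\gg_Site1_Admins')
Write-Output "Computer record for $($dns.ComputerDn): $result"
```

Call it from the domain logon script (or a user logon script GPO) so it runs under the user's own token; the return value ('skipped', 'unchanged', 'updated', or 'failed: ...') is what to log centrally if you want to spot OUs where the delegation is missing. With -UseManagedBy the grant from the delegation example must be on managedBy instead of description; managedObjects on the user is the back-link and needs no write permission.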