September 23, 2015

While there are various products on the market that will extend your visibility into your domain, it is not always feasible to introduce a new product into your environment. In many cases, what you have now is what you will have for quite some time. That being the case, it is crucial to be able to leverage existing technologies in ways that provide additional benefit for yourself and other system administrators. One such example is being able to see which user is currently logged into a domain computer. While you can query this information manually via WMIC and QWINSTA, it is typically more useful to have it populated automatically somewhere you can check quickly when needed.

The following steps walk through setting up a solution that automatically writes a user's username to the ManagedBy attribute of their computer object in Active Directory whenever they log into that computer.

I. Delegate Control for Domain Users
The first thing you need to do is give Domain Users the ability to write to the ManagedBy attribute of the computer objects in Active Directory. For Windows Server 2008 and 2008 R2, this can be accomplished by following the steps outlined below.

  1.) Launch Active Directory User and Computers
  2.) Right-Click on the OU containing your Domain Computers
  3.) Select Delegate Control
  4.) Click Next
  5.) Add "Domain Users"
  6.) Click Next
  7.) Select "Create a custom task to delegate"
  8.) Click Next
  9.) Select "Only the following objects in the folder"
  10.) Select "Computer objects"
  11.) Click Next
  12.) Select the checkbox for "Property-specific"
  13.) Select "Read Managed By" and "Write Managed By"
  14.) Click Next
  15.) Click Finish

II. Create a Logon Script
Now that Domain Users have permission to write to the ManagedBy attribute, you need a way for their username to be written to it automatically. For this, you can use the following VBScript code.

  ' Look up the current computer and logged-on user via ADSystemInfo.
  Set objSysInfo = CreateObject("ADSystemInfo")

  ' Continue past errors so a failed write does not abort the logon script.
  On Error Resume Next
  Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

  ' Write the logged-on user's distinguished name to managedBy and commit it.
  objComputer.Put "managedBy", objSysInfo.UserName
  objComputer.SetInfo


III. Creating a GPO to Deploy Logon Script
Finally, you can tie this all together by creating a new Group Policy Object that deploys the VBScript as a logon script. Again, the following steps should work on Windows Server 2008 and 2008 R2.

  1.) Launch the Group Policy Management application
  2.) Create a new GPO linked to an OU containing your Users
  3.) Note the Unique ID for this new GPO
  4.) Copy your VBScript file into the corresponding Scripts directory, using the GPO's Unique ID.

Example: \sysvol\[DOMAIN NAME]\Policies\{UNIQUE POLICY ID}\User\Scripts\Logon

  5.) In the Group Policy Management Editor for your new GPO, navigate to:

User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff)

  6.) Double-Click on Logon
  7.) Click Add
  8.) Click Browse and select your new Logon Script
  9.) Click OK and Apply the new script

With this solution in place, you can now query Active Directory to see who is currently logged into a domain computer. While this may not be as "snazzy" as a paid-for product, this process won't cost you any money, nor does it take very long to set up.
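One way to do that query, as an added example rather than code from the original post: read the managedBy value the logon script writes for every computer in an OU and resolve each user DN to an account name. It assumes the RSAT ActiveDirectory module; the OU path and the user name are placeholders.

```powershell
# Added example, not code from the original post: read back the managedBy
# values the logon script writes, resolving each user DN to an account name.
# Assumes the RSAT ActiveDirectory module; the OU path and user are placeholders.
Import-Module ActiveDirectory

$ComputerOU = 'OU=Workstations,DC=example,DC=com'   # placeholder: your computer OU

# Cache DN -> sAMAccountName lookups so each user is resolved only once.
$UserCache = @{}
function Resolve-ManagedBy {
    param([string]$Dn)
    if ([string]::IsNullOrEmpty($Dn)) { return '' }        # never populated
    if (-not $UserCache.ContainsKey($Dn)) {
        try {
            $UserCache[$Dn] = (Get-ADUser -Identity $Dn -ErrorAction Stop).SamAccountName
        } catch {
            $UserCache[$Dn] = "<unresolved: $Dn>"          # e.g. user since deleted
        }
    }
    return $UserCache[$Dn]
}

# One row per computer: name, last user written by the logon script, last logon.
Get-ADComputer -Filter * -SearchBase $ComputerOU -Properties managedBy,lastLogonDate |
    ForEach-Object {
        [pscustomobject]@{
            Computer  = $_.Name
            LastUser  = Resolve-ManagedBy $_.managedBy
            LastLogon = $_.lastLogonDate
        }
    } |
    Sort-Object Computer |
    Format-Table -AutoSize

# Reverse lookup: which computers did a given user log on to most recently?
$UserDn = (Get-ADUser -Identity 'jdoe').DistinguishedName   # placeholder user
Get-ADComputer -Filter "managedBy -eq '$UserDn'" -SearchBase $ComputerOU |
    Select-Object -ExpandProperty Name
```

Because the delegation in step I lets every domain user write managedBy on every computer in the OU, and nothing clears the value at logoff, treat it as a convenience hint about the last logon rather than an authoritative record of who is on the machine.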

September 11, 2015

Having visibility into the changes going on within your systems can be critical for an IT professional, especially when it comes to your Active Directory system. I have come up with a quite simple and very useful setup that sends an automated alert whenever a User Account is Disabled, Created, or added to a Domain Group. This can help out whenever you have multiple individuals with access to perform these changes within Active Directory, as it will alert you immediately whenever a change is performed, and it will provide insight into who made the change.

In order to configure this setup, you should be familiar with Windows Task Scheduler, and you will need access to a Domain Account with the following:
     - Ability to schedule tasks on your Active Directory server
     - Read access to your Active Directory server's Event Logs
     - A corresponding E-Mail address from which you can send the alerts

Account Created Alert
In order to configure the alert for when a user account is created, you must first create the following PowerShell script:

# Grab the most recent 4720 (user account created) event from the Security log.
$Event = Get-EventLog -LogName Security -InstanceId 4720 -Newest 1
# Put the full event text in the body, followed by the event time on its own line.
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated
Send-MailMessage -From "[UserID Running the Scheduled Task]" -To "[Your E-Mail Address or Distribution List]" -Subject "User Account was Created" -Body $MailBody -SmtpServer [SMTP Server IP]


Once this script has been created, schedule it within Task Scheduler on your Active Directory server using a Domain Account with the access listed above. Ideally, this would be a dedicated "service" account rather than one associated with a particular IT admin. For the alert to go out immediately whenever a user account is created, configure the task to be triggered whenever Security Event ID 4720 occurs. This is key, because the PowerShell script above simply e-mails the content of the most recent instance of this Event ID; the trigger is what ties the e-mail to the change that just happened. The event contains the user account that was created, along with the administrative account that created it.

Account Added to Domain Group Alert
In order to configure the alert for when a user account is added to a Domain Group, you must first create the following PowerShell script:

# Grab the most recent 4728 (member added to a security-enabled global group) event.
$Event = Get-EventLog -LogName Security -InstanceId 4728 -Newest 1
# Put the full event text in the body, followed by the event time on its own line.
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated
Send-MailMessage -From "[UserID Running the Scheduled Task]" -To "[Your E-Mail Address or Distribution List]" -Subject "User Account was added to a Domain Group" -Body $MailBody -SmtpServer [SMTP Server IP]


Just like the previous alert, schedule it within Task Scheduler on your Active Directory server using the same Domain Account as before. For the alert to go out immediately whenever a user account is added to a Domain Group, configure the task to be triggered whenever Security Event ID 4728 occurs. As with the previous alert, this is a key step. This alert will contain the user account that was added, the corresponding domain group, and the administrative account that added it.

Account Disabled Alert
In order to configure the alert for when a user account is disabled, you must first create the following PowerShell script:

# Grab the most recent 4725 (user account disabled) event from the Security log.
$Event = Get-EventLog -LogName Security -InstanceId 4725 -Newest 1
# Put the full event text in the body, followed by the event time on its own line.
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated
Send-MailMessage -From "[UserID Running the Scheduled Task]" -To "[Your E-Mail Address or Distribution List]" -Subject "User Account was Disabled" -Body $MailBody -SmtpServer [SMTP Server IP]


Just like the previous two alerts, schedule it within Task Scheduler on your Active Directory server using the same Domain Account as before. For the alert to go out immediately whenever a user account is disabled, configure the task to be triggered whenever Security Event ID 4725 occurs. As with the other alerts, this is important. This alert will contain the user account that was disabled, and the administrative account that disabled it.

If you have followed these steps correctly, you will now be able to receive E-Mail alerts whenever someone Creates a new Domain Account, adds an existing one to a Domain Group, or Disables an existing account.
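The three scripts above each mail the newest event of one ID, which works because the task fires on that event, but if two changes land within the same second the e-mail can describe the wrong one. As an added example, not code from the original post, here is a single script for all three alerts that fetches the exact event record that fired the trigger. It assumes the trigger's XML has been edited to expose the record ID through Task Scheduler's ValueQueries element, and the sender, recipient, SMTP host and script path are placeholders.

```powershell
# Added example, not code from the original post: one script for all three
# alerts that mails the exact event that fired the trigger, not merely the
# newest one, so a burst of changes cannot be mis-attributed. Assumes the
# trigger's XML exposes the record ID (standard Task Scheduler "ValueQueries"):
#   <ValueQueries><Value name="EventRecordID">Event/System/EventRecordID</Value></ValueQueries>
# and the action runs: powershell.exe -File C:\Scripts\AD-Alert.ps1 -RecordId $(EventRecordID)
param(
    [Parameter(Mandatory = $true)][int64]$RecordId,
    [string]$From       = 'svc-adalerts@example.com',  # placeholder sender
    [string]$To         = 'it-admins@example.com',     # placeholder recipient
    [string]$SmtpServer = 'smtp.example.com'           # placeholder SMTP server
)

# The three Security event IDs from the post and their mail subjects.
$Subjects = @{
    4720 = 'User Account was Created'
    4725 = 'User Account was Disabled'
    4728 = 'User Account was added to a Domain Group'
}

# Fetch the single event with this record ID (not the newest 4720/4725/4728).
$Event = Get-WinEvent -LogName Security -FilterXPath "*[System[EventRecordID=$RecordId]]"
if (-not $Subjects.ContainsKey($Event.Id)) {
    Write-Warning "Record $RecordId is event ID $($Event.Id); no alert is defined for it."
    return
}

# Read the named EventData fields from the event XML instead of guessing indexes.
$Data = @{}
([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $Data[$_.Name] = $_.'#text' }

# 4728 reports the member as a DN and the group as TargetUserName;
# 4720 and 4725 report the affected account as TargetUserName.
$Actor  = "$($Data.SubjectDomainName)\$($Data.SubjectUserName)"
$Target = if ($Event.Id -eq 4728) {
    "$($Data.MemberName) -> group $($Data.TargetDomainName)\$($Data.TargetUserName)"
} else {
    "$($Data.TargetDomainName)\$($Data.TargetUserName)"
}

$MailBody = @"
Event $($Event.Id) at $($Event.TimeCreated) on $($Event.MachineName)
Performed by: $Actor
Target:       $Target

$($Event.Message)
"@

Send-MailMessage -From $From -To $To -Subject $Subjects[$Event.Id] -Body $MailBody -SmtpServer $SmtpServer
```

One scheduled task per event ID (or one task with three event triggers) can point at this same script, since the subject is chosen from the event that actually fired.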

NOTE: If you receive an error stating that "File cannot be loaded because the execution of scripts is disabled on this system" while testing your scheduled script, you will need to manually run the following PowerShell command in order to allow this feature:

Set-ExecutionPolicy Unrestricted

September 4, 2015

Two years ago, I wrote an article outlining how to output a list of mobile devices currently synced to your corporate Exchange server via Exchange ActiveSync. While this method gives you a very good list of devices that have synced to your Exchange server, it doesn't differentiate between the various Apple products in enough detail.

Running the following script, outlined in the previous article, gives DeviceModel results such as "iPad2C4" or "iPhone7C2." If you are trying to determine the particular Apple product's model, this doesn't quite give you what you are after.

Get-ActiveSyncDevice |
  Select-Object DeviceModel,FriendlyName,DeviceOS,UserDisplayName |
  Sort-Object DeviceModel |
  Export-Csv -Path C:\ActiveSync-Devices.csv -NoTypeInformation


Thankfully, there is a way to determine the actual device information from these semi-cryptic names. Using the table below, you can easily craft an Excel formula that provides the detailed device description from the DeviceModel value in the output of the PowerShell script run against your Exchange server.

User-Agent Prefix   Apple Product Information
iPhone              iPhone, 3G or 3GS with iOS 3.x
iPhone1C2           iPhone 3G with iOS 4.x
iPhone2C1           iPhone 3GS with iOS 4.x
iPhone3C1           iPhone 4 GSM
iPhone3C2           iPhone 4 GSM
iPhone3C3           iPhone 4 CDMA
iPhone4C1           iPhone 4S
iPhone5C1           iPhone 5 GSM
iPhone5C2           iPhone 5 CDMA
iPhone5C3           iPhone 5C GSM
iPhone5C4           iPhone 5C CDMA
iPhone6C1           iPhone 5S GSM
iPhone6C2           iPhone 5S CDMA
iPhone7C1           iPhone 6+ CDMA
iPhone7C2           iPhone 6 CDMA
iPod                iPod touch 1st, 2nd or 3rd generation with iOS 3.x
iPod2C1             iPod touch 2nd generation with iOS 4.x
iPod3C1             iPod touch 3rd generation with iOS 4.x
iPod4C1             iPod touch 4th generation
iPod5C1             iPod touch 5th generation
iPad                iPad with iOS 3.2.x
iPad1C1             iPad with iOS 4.2.x
iPad2C1             iPad 2 WiFi
iPad2C2             iPad 2 WiFi + 3G GSM
iPad2C3             iPad 2 WiFi + 3G CDMA
iPad2C4             iPad Mini - WIFI
iPad2C5             iPad Mini - WIFI + LTE
iPad3C1             iPad (3rd generation) WiFi
iPad3C2             iPad (3rd generation) WiFi + 4G Verizon / International
iPad3C3             iPad (3rd generation) WiFi + 4G AT&T / International
iPad3C4             iPad (4th Gen, WiFi Only)
iPad3C5             iPad (4th Gen, GSM, NA LTE)
iPad3C6             iPad (4th Gen, CDMA, LTE)
iPad4C1             iPad Air - WiFi
iPad4C2             iPad Air - WiFi + LTE
iPad4C4             iPad Mini with Retina Display - WIFI
iPad4C5             iPad Mini with Retina Display - WIFI + LTE

Just as an example, I created an Excel Formula to automate this process for me. In order to use the formula, I manually created a new column within the original output from Exchange (Column B), which this formula will be pasted into. I then added a new tab within the document to contain the above table's data. Tab 1, which was the original output, was named "ActiveSync-Devices" and the new tab was named "iOS Strings."

=INDEX('iOS Strings'!B:B,MATCH('ActiveSync-Devices'!A2,'iOS Strings'!A:A, 0))

Using this process, you can expand upon the original PowerShell script to obtain further details about the mobile devices connected to your Exchange ActiveSync.
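The same lookup can be done in PowerShell instead of Excel, so the exported CSV already carries the description. This is an added example, not code from the original post: it embeds the mapping table above, passes non-Apple and unlisted identifiers through unchanged, and assumes it is run in the Exchange Management Shell with a placeholder output path.

```powershell
# Added example, not code from the original post: do the Excel INDEX/MATCH
# lookup in PowerShell using the mapping table from this post, so the CSV
# already carries the description. Run in the Exchange Management Shell;
# the output path is a placeholder.
$AppleModels = @{
    'iPhone'    = 'iPhone, 3G or 3GS with iOS 3.x';  'iPhone1C2' = 'iPhone 3G with iOS 4.x'
    'iPhone2C1' = 'iPhone 3GS with iOS 4.x';         'iPhone3C1' = 'iPhone 4 GSM'
    'iPhone3C2' = 'iPhone 4 GSM';                    'iPhone3C3' = 'iPhone 4 CDMA'
    'iPhone4C1' = 'iPhone 4S';                       'iPhone5C1' = 'iPhone 5 GSM'
    'iPhone5C2' = 'iPhone 5 CDMA';                   'iPhone5C3' = 'iPhone 5C GSM'
    'iPhone5C4' = 'iPhone 5C CDMA';                  'iPhone6C1' = 'iPhone 5S GSM'
    'iPhone6C2' = 'iPhone 5S CDMA';                  'iPhone7C1' = 'iPhone 6+ CDMA'
    'iPhone7C2' = 'iPhone 6 CDMA'
    'iPod'      = 'iPod touch 1st, 2nd or 3rd generation with iOS 3.x'
    'iPod2C1'   = 'iPod touch 2nd generation with iOS 4.x'
    'iPod3C1'   = 'iPod touch 3rd generation with iOS 4.x'
    'iPod4C1'   = 'iPod touch 4th generation';       'iPod5C1'   = 'iPod touch 5th generation'
    'iPad'      = 'iPad with iOS 3.2.x';             'iPad1C1'   = 'iPad with iOS 4.2.x'
    'iPad2C1'   = 'iPad 2 WiFi';                     'iPad2C2'   = 'iPad 2 WiFi + 3G GSM'
    'iPad2C3'   = 'iPad 2 WiFi + 3G CDMA';           'iPad2C4'   = 'iPad Mini - WIFI'
    'iPad2C5'   = 'iPad Mini - WIFI + LTE';          'iPad3C1'   = 'iPad (3rd generation) WiFi'
    'iPad3C2'   = 'iPad (3rd generation) WiFi + 4G Verizon / International'
    'iPad3C3'   = 'iPad (3rd generation) WiFi + 4G AT&T / International'
    'iPad3C4'   = 'iPad (4th Gen, WiFi Only)';       'iPad3C5'   = 'iPad (4th Gen, GSM, NA LTE)'
    'iPad3C6'   = 'iPad (4th Gen, CDMA, LTE)';       'iPad4C1'   = 'iPad Air - WiFi'
    'iPad4C2'   = 'iPad Air - WiFi + LTE';           'iPad4C4'   = 'iPad Mini with Retina Display - WIFI'
    'iPad4C5'   = 'iPad Mini with Retina Display - WIFI + LTE'
}

function Get-AppleModelDescription {
    param([string]$DeviceModel)
    if ($DeviceModel -and $AppleModels.ContainsKey($DeviceModel)) {
        return $AppleModels[$DeviceModel]
    }
    return $DeviceModel   # non-Apple devices and identifiers newer than the table pass through
}

# Same pipeline as the post, with a calculated DeviceDescription column added.
Get-ActiveSyncDevice |
    Select-Object DeviceModel,
        @{ Name = 'DeviceDescription'; Expression = { Get-AppleModelDescription $_.DeviceModel } },
        FriendlyName, DeviceOS, UserDisplayName |
    Sort-Object DeviceModel |
    Export-Csv -Path C:\ActiveSync-Devices.csv -NoTypeInformation
```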