September 23, 2015

While there are various solutions on the market that will extend your visibility into your domain, it is not always feasible to introduce a new product into your setup. In many cases, what you have now is what you will have for quite some time. That being the case, it is crucial to be able to leverage existing technologies in ways that provide additional benefits for yourself and other system administrators. One such example is being able to see which user is currently logged into a domain computer. While you can manually query this information via WMIC and QWINSTA, it is typically more beneficial to have it automatically populated somewhere you can quickly view it when needed.

The following steps will guide you through the process of setting up a solution to have a user's username automatically populate within the ManagedBy attribute within Active Directory whenever they log into their computer.

I. Delegate Control for Domain Users
The first thing you will need to do is to configure Domain Users with the ability to Write to the ManagedBy attribute within Active Directory. For Windows Server 2008 and 2008 R2, this can be accomplished by following the steps outlined below.

  1.) Launch Active Directory Users and Computers
  2.) Right-Click on the OU containing your Domain Computers
  3.) Select Delegate Control
  4.) Click Next
  5.) Add "Domain Users"
  6.) Click Next
  7.) Select "Create a custom task to delegate"
  8.) Click Next
  9.) Select "Only the following objects in the folder"
  10.) Select "Computer objects"
  11.) Click Next
  12.) Select the checkbox for "Property-specific"
  13.) Select "Read Managed By" and "Write Managed By"
  14.) Click Next
  15.) Click Finish

II. Create a Logon Script
Now that Domain Users have permission to write to the ManagedBy attribute, you will need a way for their username to be written to it automatically at logon. For this, you can use the following VBScript code.

  ' ADSystemInfo returns the logged-on user and this computer as distinguished names
  Set objSysInfo = CreateObject("ADSystemInfo")
  On Error Resume Next
  ' Bind to this computer's object in Active Directory
  Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
  ' managedBy is DN-valued, so the user's DN is stored as-is
  objComputer.Put "managedBy", objSysInfo.UserName
  ' Put only stages the change; SetInfo commits it to the directory
  objComputer.SetInfo

III. Creating a GPO to Deploy Logon Script
Finally, you can wrap this all together by creating a new Group Policy Object in order to deploy the VBScript as a Logon Script. Again, the following steps should work on Windows Server 2008 and 2008 R2.

  1.) Launch the Group Policy Management application
  2.) Create a new GPO linked to an OU containing your Users
  3.) Note the Unique ID for this new GPO
  4.) Copy your VBScript file into the corresponding Scripts directory, using the GPO's Unique ID.

Example: \sysvol\[DOMAIN NAME]\Policies\{UNIQUE POLICY ID}\User\Scripts\Logon

  5.) In the Group Policy Management Editor for your new GPO, navigate to:

User Configuration -> Policies -> Windows Settings -> Scripts (Logon/Logoff)

  6.) Double-Click on Logon
  7.) Click Add
  8.) Click Browse and select your new Logon Script
  9.) Click OK and Apply the new script

With this solution in place, you can now query Active Directory to see who is currently logged into a domain computer. While this may not be as "snazzy" as a paid-for solution, this process won't set you back any money whatsoever, nor does it take very long to set up.
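The query the paragraph above refers to, as an added PowerShell example that is not from the original post; it assumes the RSAT ActiveDirectory module and uses a placeholder OU distinguished name. It first confirms that the delegation from step I is actually present, then reports the user recorded in managedBy for each computer.

```powershell
# Added example, not part of the original post: the "query" side of the solution.
Import-Module ActiveDirectory

# Placeholder: the OU whose computer objects were delegated in step I.
$ComputersOU = 'OU=Workstations,DC=example,DC=com'

# 1. Confirm the delegation exists: an Allow ACE for Domain Users granting
#    WriteProperty on managedBy (its schemaIDGUID is looked up, not hard-coded).
function Test-ManagedByDelegation {
    param([string]$OU)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'managedBy'" -Properties schemaIDGUID
    $managedByGuid = [guid]$attr.schemaIDGUID
    $aces = (Get-Acl -Path "AD:\$OU").Access | Where-Object {
        $_.IdentityReference -like '*\Domain Users' -and
        $_.ObjectType -eq $managedByGuid -and
        $_.ActiveDirectoryRights -match 'WriteProperty' -and
        $_.AccessControlType -eq 'Allow'
    }
    return [bool]$aces
}

# 2. Report the value of managedBy for every computer in the OU. The logon script
#    writes a distinguished name, so resolve it to a sAMAccountName. A DN that is
#    not a user object is flagged rather than trusted: with this delegation any
#    domain user can write any DN there, so the value is informational, not proof.
function Get-ManagedByReport {
    param([string]$OU)
    Get-ADComputer -SearchBase $OU -Filter * -Properties managedBy, whenChanged | ForEach-Object {
        $label = '(empty)'
        if ($_.managedBy) {
            $user = Get-ADUser -Identity $_.managedBy -ErrorAction SilentlyContinue
            if ($user) { $label = $user.SamAccountName } else { $label = "UNRESOLVED: $($_.managedBy)" }
        }
        [PSCustomObject]@{
            Computer    = $_.Name
            LoggedOnAs  = $label
            LastWritten = $_.whenChanged   # last change to the computer object, not a logon time
        }
    }
}

if (-not (Test-ManagedByDelegation -OU $ComputersOU)) {
    # On Error Resume Next in the logon script means a missing delegation fails silently
    Write-Warning "No 'Write managedBy' delegation for Domain Users found on $ComputersOU"
}
Get-ManagedByReport -OU $ComputersOU | Sort-Object Computer | Format-Table -AutoSize
```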

