1

How can I change this setting from a batch file? For any given user, how can I make it so they can only log onto the computer named abc? A VBS or PowerShell script would be my second choice.


jftuga
  • VBS and PowerShell really need to start being your *first* choice for things like this - they're designed to do this kind of work and batch files are not. – Rob Moir Apr 10 '11 at 22:11

1 Answer

5

You need to update the "userWorkstations" AD attribute for the users.

In VBS it would be something like:

On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2
' OU whose user accounts will be restricted
strOU = "OU=SCRIPT,DC=Company,DC=local"

' Query Active Directory through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Sort On") = "SN"

' No trailing space inside the quoted LDAP path
objCommand.CommandText = _
    "SELECT Name, displayName, distinguishedName FROM 'LDAP://" & strOU & "' WHERE objectCategory='user'"

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Do Until objRecordSet.EOF

    usrDN = objRecordSet.Fields("distinguishedName").Value

    ' Bind to the user once; ADSI errors are negative HRESULTs, so test for 0
    Err.Clear
    Set objUser = GetObject("LDAP://" & usrDN)
    If Err.Number = 0 Then
        ' Single string of computer names (comma-separated, no spaces)
        objUser.userWorkstations = "abc"
        objUser.SetInfo
    End If
    objRecordSet.MoveNext

Loop
objRecordSet.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
objConnection.Close
Set objConnection = Nothing
WScript.Quit

This takes all users in the top level "SCRIPT" OU and modifies the userWorkstations attribute for each. Obviously you can manipulate it as needed.

Also, as Greg pointed out, the attribute is not an array, and to specify more than one workstation you would use:

objUser.userWorkstations = "computer1,computer2,computer3"
jftuga
HostBits
  • Good answer. You may want to point out that userWorkstations is not a typically multi-valued array like some other attributes, but a single comma-separated string. – Greg Askew Apr 10 '11 at 16:14
  • This would be much simpler in PowerShell, I'll post an answer if I have a chance later today (hopefully someone else will beat me to it) – Jim B Apr 11 '11 at 15:04
  • +50 This worked great after adding a constant for ADS_SCOPE_SUBTREE of 2 and not including spaces in the userWorkstations list. Thank you! – jftuga Apr 13 '11 at 18:14
  • Ahh yes, looks like I pulled that out accidentally from the source script. Glad it helped! – HostBits Apr 13 '11 at 19:35
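
The same change in PowerShell, as an added example that is not part of the original answer or its comments. It assumes the ActiveDirectory (RSAT) module is installed and reuses the answer's OU and computer name; the function names and the character check on computer names are assumptions made for this example.

```powershell
#Requires -Modules ActiveDirectory
# Added example: restrict logon workstations for every user under an OU.

function ConvertTo-WorkstationList {
    # userWorkstations is one comma-separated string; spaces break it,
    # so trim each name and reject anything that is not a plain host name.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    $names = foreach ($n in $ComputerName) {
        $t = $n.Trim()
        # Conservative check (assumption): letters, digits, '-', '.' only
        if ($t -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') {
            throw "Not a usable computer name: '$n'"
        }
        $t
    }
    $names -join ','
}

function Set-OuLogonWorkstations {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $list = ConvertTo-WorkstationList -ComputerName $ComputerName

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter * `
               -Properties userWorkstations |
        ForEach-Object {
            $before  = $_.userWorkstations
            $changed = $false
            # Skip users already set; honour -WhatIf / -Confirm for the rest
            if ($before -ne $list -and
                $PSCmdlet.ShouldProcess($_.DistinguishedName,
                                        "Set userWorkstations to '$list'")) {
                Set-ADUser -Identity $_ -Replace @{ userWorkstations = $list }
                $changed = $true
            }
            # One record per user so the run can be reviewed or logged
            [pscustomobject]@{
                User      = $_.SamAccountName
                Before    = $before
                Requested = $list
                Changed   = $changed
            }
        }
}

# Dry run against the answer's OU; remove -WhatIf to apply.
Set-OuLogonWorkstations -SearchBase 'OU=SCRIPT,DC=Company,DC=local' -ComputerName 'abc' -WhatIf
```

Running it a second time without -WhatIf should report Changed = False for every user, which confirms the attribute was written as requested.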