6

The last place I worked had AD set up in a way that in the Description field of each computer account in the AD Users and Computers console, it would say who logged in last and when. How do you set it up for that?

MDMarra
Matt
  • I have seen add-ons that did that. Here is a similar question with many good ideas: http://serverfault.com/questions/44862/best-way-to-find-the-computer-a-user-last-logged-on-from – KCotreau Jun 02 '11 at 14:39

3 Answers

6

Most likely, permission to edit that field was delegated to the users and a login script that would write that attribute was deployed via GPO. There's no built-in functionality to accomplish this.

MDMarra
3

Here's a user logon script I put together long ago; it adds the user's login name, timestamp and IP address to the description of the computer object in AD. You can use this as-is or change it to suit you better. Instructions for implementing it after the script...

On Error Resume Next

Set objSysInfo = CreateObject("ADSystemInfo") 'Bind to AD
Set objNet = CreateObject("WScript.Network")

strCompDN = objSysInfo.ComputerName 'DN for computer, e.g. "CN=VISTAWORKSTATION,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objComp = GetObject("LDAP://" & strCompDN) 'IADsComputer object

strUserDN = objSysInfo.UserName 'DN for user, e.g. "CN=John Smith,OU=Child OU Name,OU=Parent OU Name,DC=domain,DC=com"
Set objUser = GetObject("LDAP://" & strUserDN) 'IADsUser object

strUsrLogin = LCase(objNet.UserName)

strNow = Now
strDateStamp = DatePart("yyyy",strNow) & _
    Right("0" & DatePart("m",strNow), 2) & _
    Right("0" & DatePart("d",strNow), 2) & _
    "@" & _
    Right("0" & DatePart("h",strNow), 2) & _
    Right("0" & DatePart("n",strNow), 2)

'RegExp object used to perform a simple match on IP address
Set objRE = New RegExp
objRE.IgnoreCase = True
'Note this regexp pattern isn't "correct" for matching an IPv4 address properly, but since WMI will return an
'array of IP addresses, this is sufficient to distinguish IPv4 vs IPv6
objRE.Pattern = "^\d+\.\d+\.\d+\.\d+$"

strIP = ""

'Connect to WMI and retrieve all network adapters
Set objWMI = GetObject("winmgmts:")
Set colNICs = objWMI.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration")

'Get the IP(s) assigned to whichever network adapter has our default gateway
If colNICs.Count > 0 Then
    For Each objNIC in colNICs
        If IsArray(objNIC.DefaultIPGateway) Then
            arrIP = objNIC.IPAddress
            For i = 0 To UBound(arrIP)
                If objRE.Test(arrIP(i)) Then strIP = strIP & " " & arrIP(i)
            Next
            strMAC = objNIC.MACAddress
        End If    
    Next
End If

strIP = Trim(strIP)

objComp.Description = strDateStamp & " " & strUsrLogin & " " & strIP
objComp.Put "extensionAttribute1", strUsrLogin
objComp.Put "extensionAttribute2", strIP
objComp.Put "extensionAttribute3", strMAC

objComp.SetInfo

Save the script somewhere sensible like the SYSVOL share on your DCs. Then assign it as a user logon script using group policy.

Finally, because regular users can't normally change the description on a computer object, you need to give them permission to do it, like so:

  1. Open AD Users & Computers.
  2. Right-click yourdomain in the navigation tree on the left, then select Delegate Control.
  3. The Delegation of Control Wizard appears. Click Next.
  4. On the Users or Group Page, add “Authenticated Users” and click Next.
  5. On the Tasks to Delegate page, select the custom task option and click Next.
  6. On the Active Directory Object Type page, select only Computer objects, then click Next.
  7. On the Permissions page, check the Property-specific box, then check the corresponding permissions boxes in the list:
    • Write Description
    • Write extensionAttribute1
    • Write extensionAttribute2
    • Write extensionAttribute3
    • Write extensionAttribute4
    • Write extensionAttribute5
    • Write extensionAttribute6
    • Write extensionAttribute7
    • Write extensionAttribute8
    • Write extensionAttribute9
    • Write extensionAttribute10
    • Write extensionAttribute11
    • Write extensionAttribute12
    • Write extensionAttribute13
    • Write extensionAttribute14
    • Write extensionAttribute15
  8. Click Next.
  9. Verify that the summary of the delegation operation appears correct, then click Finish.
ThatGraemeGuy
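
A read-only check for the delegation in the steps above, as an added example that is not part of the original answer: it lists the property-specific write ACEs on the domain root for Description and extensionAttribute1-15 and marks those held by Everyone, Authenticated Users or Domain Users, since such a grant lets any of those accounts write the attributes on every computer object in the domain. It assumes the ActiveDirectory PowerShell module (RSAT) and that the delegation was made at the domain root as in step 2; ACEs that grant write access to all properties are outside what it looks for.

```powershell
# Added example (not from the original answer). Read-only: it changes nothing.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Attributes the delegation steps grant write access to.
$attrNames = @('description') + (1..15 | ForEach-Object { "extensionAttribute$_" })

# Resolve schemaIDGUIDs from the schema instead of hard-coding them.
# Attributes that are not present in this forest's schema are skipped.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
foreach ($name in $attrNames) {
    $attr = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)" `
        -Properties schemaIDGUID
    if ($attr) { $guidToName[[guid]$attr.schemaIDGUID] = $name }
}
$computerClass = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=computer)' `
    -Properties schemaIDGUID
$computerGuid  = [guid]$computerClass.schemaIDGUID

# Principals that cover (nearly) every account in the domain.
$domain    = Get-ADDomain
$broadSids = @('S-1-1-0',                        # Everyone
               'S-1-5-11',                       # Authenticated Users
               "$($domain.DomainSID.Value)-513") # Domain Users

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$sidType   = [System.Security.Principal.SecurityIdentifier]

# Property-specific Allow ACEs on the domain root that match the delegated attributes.
(Get-Acl -Path "AD:\$($domain.DistinguishedName)").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $writeProp) -eq $writeProp) -and
        $guidToName.ContainsKey($_.ObjectType)
    } |
    ForEach-Object {
        $sid = $_.IdentityReference.Translate($sidType).Value
        [pscustomobject]@{
            Principal         = $_.IdentityReference.Value
            Attribute         = $guidToName[$_.ObjectType]
            OnComputerObjects = ($_.InheritedObjectType -eq $computerGuid)
            BroadPrincipal    = ($broadSids -contains $sid)
        }
    } |
    Sort-Object Principal, Attribute |
    Format-Table -AutoSize
```

Rows with both `OnComputerObjects` and `BroadPrincipal` set to `True` correspond to the delegation described in the steps; values in those attributes are then self-reported by whoever logged on and can be overwritten by any account in the listed group.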
2

Adding to MarkM's answer, after the delegation is done, a VBScript like this would do what you want:

Set objADSystemInfo = CreateObject("ADSystemInfo")
Set objLDAPComp = GetObject("LDAP://" & objADSystemInfo.ComputerName)

objLDAPComp.Description = objADSystemInfo.UserName & " " & Now()
objLDAPComp.SetInfo

This would result in the computer's description field being set to something along the lines of
CN=Joe Blow,OU=The Users,DC=example,DC=com 6/2/2011 10:55:00 AM

Chris S