At its core, Active Directory is a database designed to store a multitude of objects. Each of these objects has hundreds of attributes, or properties, attached to it. Some attributes are filled in automatically when the object is created; for example, the displayName attribute automatically holds the object's name. Others, like the comment or description field, are left blank. These blank fields let you easily extend the database to your own nefarious purposes! With a few scripts, you can set up an Active Directory inventory for hardware. With PowerShell, you can then query or manipulate this data in nearly any way!
Getting the Model
Tell me: how many models do you have in your environment? What is the exact computer count per model? In all but the smallest environments, this is not an easy question to answer. Getting the answer for a single computer is easy. You could launch System Information:
Or you could directly query WMI:
And it is this last one that opens the door to automation.
Scripting Your Active Directory Inventory for Hardware
The VBScript below queries WMI for the model. It then writes the model to the computer's AD object, storing it in the comment attribute.
strComment = GetComputerSystem
UpdateComment(strComment)

Function GetComputerSystem
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:" _
        & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
    Set colcomputersystem = objWMIService.ExecQuery _
        ("Select * from Win32_computersystem")
    For each objcomputersystem in colcomputersystem
        Getcomputersystem = objcomputersystem.Model    ' the function returns the WMI Model string
    Next
End Function

Sub UpdateComment(strComment)
    Set objSysInfo = CreateObject("ADSystemInfo")    ' resolves this computer's own distinguished name
    On Error Resume Next                             ' keep shutting down even if the write is denied
    Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
    'WScript.Echo objComputer.Get("Name") & ": Adding " & strComment
    objComputer.Put "Comment", strComment            ' written as SELF, so SELF needs write access to comment
    objComputer.SetInfo
End Sub
To use this script effectively, set it up as a shutdown script. This ensures that startups or logins are not slowed. You will also need to delegate the SELF principal the ability to modify the comment field. Within Active Directory Users and Computers, right-click the OU (or OUs) containing your domain computers. Next, select Properties, then the Security tab, and finally the Advanced button. Select Add. We are going to apply this permission to SELF (literally the object itself). For the Applies To button, select Descendant Computer objects. Scroll down the properties list until you come to Write All Properties. Alternatively, you can use the info attribute and specifically delegate SELF the Write permission to info. Check both of these options and hit OK three times. SELF can now write to the Comment attribute for the computers in the OUs that you selected. On a restart, your computers should update their comment field. You can verify this by enabling Advanced Features and opening the Attribute Editor. Scroll down to the comment field and you should see this:
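As an added example (not part of the original post), the same delegation done in PowerShell with the RSAT ActiveDirectory module, but scoped to Write on the comment attribute alone rather than Write All Properties, which ADUC's property list does not offer for comment; the OU distinguished name is a placeholder.

```powershell
# Added example, not from the original post. Grants SELF WriteProperty on the 'comment'
# attribute of descendant computer objects, then lists what SELF holds on the OU so that
# any 'Write All Properties' grant stands out. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=example,DC=com'   # placeholder: change to your computer OU

# Look the schemaIDGUIDs up in the schema partition instead of hard-coding them.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" `
                        -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$commentGuid  = Get-SchemaGuid 'comment'    # attribute the shutdown script writes
$computerGuid = Get-SchemaGuid 'computer'   # object class the ACE should apply to

# One ACE: NT AUTHORITY\SELF (S-1-5-10), Allow WriteProperty, on 'comment' only,
# inherited by descendant computer objects and nothing else.
$self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
$ace  = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $commentGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Review what SELF now holds. ObjectType = empty GUID means the ACE covers ALL properties.
$acl = Get-Acl -Path "AD:\$ou"
$acl.Access | Where-Object { $_.IdentityReference -like '*\SELF' } |
    Select-Object ActiveDirectoryRights,
        @{ n = 'Attribute'; e = { if ($_.ObjectType -eq [guid]::Empty) { 'ALL' }
                                  elseif ($_.ObjectType -eq $commentGuid) { 'comment' }
                                  else { $_.ObjectType } } },
        @{ n = 'AppliesTo'; e = { if ($_.InheritedObjectType -eq $computerGuid) { 'computer' }
                                  else { $_.InheritedObjectType } } },
        InheritanceType |
    Format-Table -AutoSize
```

Run it once as an account that can modify the OU's security descriptor; the final table is also a handy periodic check that nobody has widened the SELF grant since.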
Manipulating the Comment Field in PowerShell
You could then use PowerShell (with the Quest AD cmdlets) to manipulate this data. Here is an example:
Get-QADComputer GAMCN* -IncludedProperties Comment | Select-Object Name,Comment | Format-Table -AutoSize
If you wanted to filter out all but one model, you could run this:
Get-QADComputer GAMCN* -IncludedProperties Comment | where Comment -match "Optiplex 380" | Select-Object Name,Comment | Format-Table -AutoSize
If you wanted to get a count for a particular model, you could run this:
(Get-QADComputer GAMCN* -IncludedProperties Comment | where Comment -match "Optiplex 380").count
Does this help your inventory needs? We already inventory what computers a user uses and we now have our computer models. Slowly, we are creating an Active Directory inventory for hardware. What other information would you like Active Directory to store? What custom attributes would you like to create? What ways have you extended Active Directory for your environment?
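As an added example (not from the original post), the same questions answered with the built-in RSAT ActiveDirectory module instead of the Quest cmdlets: a count for every model at once, plus the accounts whose comment is still empty or that have not logged on recently; the OU and the GAMCN* prefix are placeholders.

```powershell
# Added example, not from the original post. Summarises the models the shutdown script
# stored in the comment attribute, using the RSAT ActiveDirectory module.
# The OU and the 'GAMCN*' name prefix are placeholders; change them for your domain.
Import-Module ActiveDirectory

function Get-ModelInventory {
    param(
        [string]$SearchBase = 'OU=Workstations,DC=example,DC=com',   # placeholder OU
        [string]$NamePrefix = 'GAMCN*',
        [int]$StaleDays = 90
    )
    $computers = Get-ADComputer -Filter "Name -like '$NamePrefix'" -SearchBase $SearchBase `
                                -Properties comment, lastLogonTimestamp

    # One row per model. A blank comment means the shutdown script has never run there.
    $counts = $computers |
        Group-Object { if ($_.comment) { $_.comment.Trim() } else { '<no model recorded>' } } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Model'; e = { $_.Name } }, Count

    # Accounts with no logon for $StaleDays days: the recorded model may belong to hardware
    # that is already gone, which inflates the counts above. lastLogonTimestamp is replicated
    # with up to ~14 days of lag, so treat the date as approximate.
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $stale = $computers |
        Where-Object { $_.lastLogonTimestamp -and
                       [DateTime]::FromFileTime($_.lastLogonTimestamp) -lt $cutoff } |
        Select-Object Name, comment,
            @{ n = 'LastLogon'; e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } }

    [pscustomobject]@{ Counts = $counts; Stale = $stale }
}

$report = Get-ModelInventory
$report.Counts | Format-Table -AutoSize
$report.Stale  | Format-Table -AutoSize
```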
Be sure to read the other articles in this series for detailed troubleshooting steps. If you want to learn more about Active Directory and how it will make your life easier, then subscribe to DeployHappiness and get great weekly tips (plus your free guide to the Windows 8 Administrative Start Menu)!
Should I save that script in Notepad as .ps1 or .bat?
You will want to save it as a .vbs file.
Hi there, would it be hard to modify this to also pull down the serial number? I know WMIC does with "wmic bios get serialnumber", but I'm not 100% clear on how you would add this and set it to also place it in the description right after computer model.
Thanks!
See this guide: https://deployhappiness.com/find-serial-numbers-in-active-directory/
I used AD as a rough inventory a long time ago, and with my current employer I am looking at implementing something similar again. I haven’t used this script yet…
It does raise a few questions:
1 When is it better to script and when is it better to discover?
If you script, this is a sort of passive data collection: slower, may use resources unnecessarily, potentially more thorough, will not start any sirens – hopefully.
An alternative that can kick-start your data collection is to use a network discovery tool. My tool of preference is https://www.softperfect.com/products/networkscanner/
This is a free tool that lets you run WMI queries on remote machines – you still need credentials with permissions (although it allows multiple credential sets) and the remote computer needs to allow remote queries.
IF YOU ARE WORKING IN AN ESTABLISHED IT ENVIRONMENT CHECK WITH SECURITY TEAM OR YOUR MANAGER BEFORE USING A NETWORK SCANNING TOOL – IT MAY SET OFF IDS SYSTEMS AND CAUSE YOU GRIEF/UNEMPLOYMENT.
2 Why use comments field?
I had used the description field previously; as far as I can see, the description field is more commonly shown. AD is extensible, but if you add any further fields to the schema they are there for every object forever and cannot be removed.
Does anyone use fields other than comment or description?
3 Why use hardware name?
I previously used the MAC as an identifier on the machine because it gives a "serial" (entirely insecure because a MAC can be manipulated) that I could query through AD, or DHCP, or the command line. These may or may not be integrated in your environment.
Just because I like neat, the MAC was also an advantage because it was always the same number of characters; I would then manually append the primary user's name to the description.
The (Dell) service tag is simple, secure, and already stuck on every computer. It can be queried via WMIC but it is a “random” string (not user friendly) and not as meaningful or as easily found as a MAC (cmd prompt then type getmac or if you are on the same subnet ping the pc then use arp -a).
Does anyone else have good candidates for a pseudo-serial, or information that it is helpful to include?
4 How do you leverage the data?
When I did this previously there was a 3rd party AD management tool that included description in the search. In my current environment ADUC can search description/comments but only via the advanced interface – a bit clunky, my preferred tool ADAC can only search and then sort by description – also clunky.
To get my co-workers to use whatever I do it needs to be simple; not 100% but pretty sure it needs to be via GUI.
Can anyone give a good recall method to find the data entered?
Love this post, quick question however. I am currently the server admin tech at a military installation with about 2,000 computer systems attached. We run a 24-hour operation with a large amount of computers they claim are "mission critical". If I run this script without the shutting down / restarting instance, how detrimental will it be to the script's accuracy? Awaiting reply! Thanks
Thanks Kyle! As long as the computers aren’t replaced often, it will be fairly accurate.
It may be better if you deploy this script as a scheduled task and set it to run once a week. Then the computer won’t need to restart to update the information.
Great Script, this series has been very helpful!
Keep up the great work!
Thank you Chris!
I’d like to change the field the script writes to instead of the comment field. I presume that it’s in the last couple of lines I can change to the description field for example?
Yep! Just do a find-replace. Replace comment with your attribute name. Ensure that you have the correct AD permissions set.
Hi,
I ran into some problems while running your script. Got a Microsoft VBScript compilation error on line 17, char 7. It says that ‘)’ is expected on that line. Do you have any ideas why this would be happening?
John/Sam: Make sure that your line 7 starts with the & symbol and ends with a ). It should look like:
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Sometimes, this blog will mess up on script copying/pasting.
Thx for the help – it worked like a charm. You’ve made my day !
Wonderful! 🙂
Hi,
I liked the idea of the script, but fell short on executing it. Firstly, I couldn't find the attribute Comment Read nor Comment Write attribute (using a Windows Server 2012). Secondly, when I ran your script, I got a Microsoft VBScript compilation error, stating that there should be a ')' on line 7, character 17.
Do you have any thoughts on those problems?
That dang write comment value is not there! I modified the post a little bit so that others don’t have this same issue. You can get around this by either delegating SELF the write all properties value (which allows it to write to the comment attribute) or by modifying the script to use a different visible attribute (like info). I would probably go with the first route.
Great site !
Thank you Terry! Come back some more!