Stop asking “What Computer are You On”! Instead, let Active Directory and Group Policy do the searching for you! In this post, we are going to set up Active Directory to automatically record where users log in. When a user calls, Active Directory Users and Computers will tell us which computer that user logged into and let us instantly remote into it. In short, you will be able to click on any computer in your domain and see the currently logged in user. All within Active Directory Users and Computers!
Delegate Control in Active Directory
Every computer in your domain has an attribute named “Managed By”. This attribute allows you to manually specify who manages (or uses) the computer. As a note, this ManagedBy attribute is different from the newer Primary Computer attribute. In order to see which user used a computer, we need to delegate a single extra Active Directory permission.
Within Active Directory Users and Computers, right click on the OU (or OUs) containing your domain computers. Next, select Properties, then the Security Tab, and finally the Advanced button. Select Add. We are going to apply this permission to Domain Users. For the Applies To button, select Descendant Computer objects.
Scroll down the properties list until you come to Read Managed By and Write Managed By. Check both of these options and hit OK three times. Domain Users can now write to the ManagedBy attribute for the computers in the OUs that you selected. Keep in mind that this means any domain user can set the value on any of those computers, so treat it as a convenience lookup rather than an authoritative record of who was logged on.
Tracking User Logins with Group Policy
Create a new GPO named something like Script: Set ManagedBy Attribute. Edit the GPO and navigate to User Configuration\Policies\Windows Settings\Scripts. Now, you have a choice to make. Our script is going to look at the currently logged in user and write that user’s name to the computer account’s ManagedBy attribute. This can be done on logon or logoff. Here are the pros and cons:
Logon: The computer attribute will always have the current logged in user because it processes on logon. It will make the logon slightly slower. If your users constantly change computers, this would probably be the better route.
Logoff: The computer attribute may not always be accurate. Because it writes on logoff, you will only be able to see the last logged on user (not the current user). If your environment is very static, this would be the solution to go with. As a bonus, your logon speed is not impacted.
For our environment, we went with the logon route. It is more important to see the current logged in user. Now that you’ve decided, copy this script into either the logon or logoff scripts folder for that GPO. Save it with a .VBS extension.
' Runs as the user at logon or logoff: stamps the user's distinguished name into the computer's managedBy attribute
On Error Resume Next
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
objComputer.Put "managedBy", objSysInfo.UserName
objComputer.SetInfo ' commit the change to Active Directory; without SetInfo the Put is never written
Add the script as a logon or logoff script in the GPO now. Finish any other GPO edits that you desire (such as comments). Be sure to link the GPO to an OU containing your Users. After logging on as a user to any computer, you can easily test the GPO. Find the computer that the user used, open its properties, and select the Managed By tab. You should see something like this:
Pretty cool but it gets better! Open up the AD search tool and search for that computer. You should see something like this:
If you don’t see the Owner column, select View, then Choose Columns, and add the Owner column. In part 2, learn how to automatically remote into a user’s computer through Active Directory Tasks!
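If you would rather run the same lookup from a console than from the AD search tool, the following PowerShell is an added example (not from the original post or the VB script above). It assumes the RSAT ActiveDirectory module is installed and that the GPO script has been populating managedBy; the function and parameter names are my own.

```powershell
# Added example, not part of the original post. Requires the RSAT ActiveDirectory module
# (Get-ADUser / Get-ADComputer) and queries the managedBy attribute the GPO script fills in.
Import-Module ActiveDirectory

function Find-UserComputers {
    # Return every computer whose managedBy points at the given user, i.e. where that user
    # logged on most recently (logon script) or last logged off (logoff script).
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName
    # managedBy stores a distinguished name, so match on the user's DN, not the login name.
    $dn = $user.DistinguishedName
    Get-ADComputer -Filter { managedBy -eq $dn } -Properties managedBy, lastLogonDate |
        Select-Object Name, DNSHostName, lastLogonDate
}

function Get-ComputerUser {
    # The reverse lookup: the user shown on the computer's Managed By tab in ADUC.
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName -Properties managedBy
    if (-not $computer.managedBy) { return $null }   # nobody has logged on since the GPO was linked
    Get-ADUser -Identity $computer.managedBy | Select-Object SamAccountName, Name
}

# Usage (hypothetical names): Find-UserComputers -SamAccountName 'jsmith'
#                              Get-ComputerUser -ComputerName 'WS-042'
```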
Finally, if you want to learn more about Active Directory Management and how it will make your life easier, then subscribe to DeployHappiness and get great weekly tips (plus your free guide to the Windows 8 Administrative Start Menu)!
Special Thanks to Pber for putting together the VB script for me!