Limiting a user to certain logon workstations is a common administrative task. It is very repetitive if you have to restrict users to certain computers. Even then, Microsoft limits you to only 64 workstations when you enter them using the GUI. Although you can add additional computers in the AD attribute editor, it is still a huge (comma-separated) pain!
To understand the problem, we will do it manually once. Open the user’s properties, go to the Account tab then click “Log on To”. Then add each computer one at a time. It will not take wildcards.
What if you could add a lab of computers just by typing the user's name and a computer name or prefix? What if you could add an entire site to a guest user automatically? Well, you can, using PowerShell! (You had to know that line was coming 🙂)
To get started you will need the Quest PowerShell cmdlets to run this script. If you do not have them, click here to download them and see our other recommended tools.
We start by prompting for the user's name and storing it in $User. Next we prompt for the computer name that you would like to add and store it as $Newcomputer. This is all the info that the script will ask for. The next part is where we query AD for the name of the computer you typed in and store it as $computerGroup. If you have a lab of computers that need to be added, you can type the prefix (ex: SMELAB).
Before adding the computer or computers to the user's account, we have to make sure that we do not overwrite any computers that already exist in that attribute. To do this we query the user's account for the userWorkstations property. We take this property, format it as a comma-separated string and store it as $oldcomputer.
From here, we join the old group of computers and the new group of computers and store them as $Newgroup. Concatenation is really cool! All that is left is to write $Newgroup back to the user's userWorkstations property. We do one last query at the end to show you the updated value.
To show an example, I have run the script for my user Chris to add all computers in GLYLab.
The script above is an image so I have added it as text below:
```powershell
# Gathering information
$User = Read-Host 'Which User Would you like to use'
$Newcomputer = Read-Host 'Which computer would you like to add'

# Query AD for the computer name (or prefix) and build a comma-separated list of names
$computerGroup = Get-QADComputer $Newcomputer -IncludedProperties name | Select-Object name
$computerGroup = $computerGroup.name
$computerGroup = $computerGroup -join ','

# Collect existing computers; the string cast yields "@{userWorkstations=...}", so strip that wrapper
[string]$oldcomputer = Get-QADUser $User -IncludedProperties userWorkstations | Select-Object userWorkstations
[string]$oldcomputer = $oldcomputer.TrimStart("@{userWorkstations")
[string]$oldcomputer = $oldcomputer.TrimStart("=")
[string]$oldcomputer = $oldcomputer.Trim("}")

# Combining existing and new (no leading comma when the user has no existing entries)
if ($oldcomputer) { $Newgroup = "$oldcomputer,$computerGroup" } else { $Newgroup = $computerGroup }

# Set new group of computers
Set-QADUser $User -ObjectAttributes @{userWorkstations=@($Newgroup)}

# Show final group of computers
Get-QADUser $User -IncludedProperties userWorkstations | Select-Object userWorkstations
```
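The merge step can also be done defensively. The following is an added example, not part of the original script: it drops duplicates and empty entries, rejects wildcards, and refuses to build a value with more than 64 entries, the limit this post mentions. `Merge-LogonWorkstation` is a hypothetical helper name and the sample computer names are constructed.

```powershell
# Added example: merge new workstation names into an existing userWorkstations value.
# Merge-LogonWorkstation is a hypothetical helper, not a Quest or Microsoft cmdlet.
function Merge-LogonWorkstation {
    param(
        [AllowEmptyString()][string]$Existing,          # current comma-separated attribute value
        [Parameter(Mandatory=$true)][string[]]$New,     # computer names to add
        [int]$MaxEntries = 64                           # limit quoted in this post
    )
    # Case-insensitive set so PC1 and pc1 count as the same workstation
    $seen   = New-Object 'System.Collections.Generic.HashSet[string]' ([System.StringComparer]::OrdinalIgnoreCase)
    $merged = New-Object 'System.Collections.Generic.List[string]'

    foreach ($name in @($Existing -split ',') + $New) {
        $name = "$name".Trim()
        if (-not $name) { continue }                    # skip empty entries (no stray commas)
        if ($name -match '[*?\s,]') {                   # the attribute does not take wildcards
            throw "Invalid workstation name: '$name'"
        }
        if ($seen.Add($name)) { $merged.Add($name) }    # keep the first occurrence only
    }

    if ($merged.Count -gt $MaxEntries) {
        throw "Refusing to write $($merged.Count) entries; limit is $MaxEntries"
    }
    return ($merged -join ',')
}

# Constructed sample values (not from a real directory)
$existing = 'GLYLAB01,GLYLAB02'
$found    = 'glylab02', 'GLYLAB03', 'GLYLAB04'

$value = Merge-LogonWorkstation -Existing $existing -New $found
$value

# The result can then be written back the same way the script above does:
# Set-QADUser $User -ObjectAttributes @{userWorkstations = $value}
```

Because the function throws before anything is written, an oversized or malformed list never replaces the user's current restriction.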
If you have any questions at all, just leave a comment!
Can more than 64 workstations be added using the script? I would like to add 120 workstations, would that work? Thank you.
I don’t think so. I believe the 64 entries are a hard limit in Active Directory.
Very descriptive. I hope there will be no problems to encounter. Thanks for this!
No problem Richard!
Well explained. I got it. Well, probably this might sometimes be a problem.
Hi,
The above-mentioned code is great. I have some more requirements for it; if you guys could help me out it would be great… I have a list of machines and user accounts such as
Workstation: PC1, PC2, PC3
User: User 1, User 2, User 3
I want User 1, 2, 3 to add a logon to computer names PC1, PC2 & PC3. I have Windows 2003 domino. If you are able to help me out with any PowerShell script or batch file script or VBS script it will be a great help… Thanks in advance!!!
Do you want it so that User 1 can only use PC1, User 2 can only use PC2, etc?
Yes. Any PowerShell script you have for this?