Stop asking “What Computer are You On”! Instead, use Active Directory and Group Policy to find out for you! In this post, we are going to set up Active Directory to automatically record where users log in. When a user calls, Active Directory Users and Computers will show which computer that user logged into and let us instantly remote into it. In short, you will be able to click on any computer in your domain and see the currently logged-in user. All within Active Directory Users and Computers!
Wouldn’t it be nice to find the last user that logged on to a computer and automatically remote in to that computer? To be able to simply type a user’s first name and instantly see their machine? By embedding a script within our Active Directory Users and Computers console, we can easily do this! But first, read Part 1 of this guide before continuing.
The first thing you will need is some type of remote desktop tool. Personally, I use NetSupport. Other products, such as a VNC client, GenControl, or even Remote Assistance, will work great. Next, you will want to create a custom MMC for Active Directory Users and Computers. We will cover those steps in just a minute. To give you an idea of how much time you will save, take a look at the picture to the left. This menu is always visible when I am using Active Directory Users and Computers. By clicking on the second-to-last button (User: NSM into Logged in Computer), I can simply type the name of a user and instantly remote into their computer!
Create the Custom MMC
By customizing an MMC with Active Directory Users and Computers, you will gain several seldom-used features. The two biggest are Favorites and TaskPads. Favorites allow quick access and are very useful if your organization has a lot of OUs. TaskPads allow you to add extra features to Active Directory Users and Computers through scripts. Here are the short steps to create the MMC:
- Launch MMC and load the Active Directory Users and Computers snap-in.
- Expand the snap-in until you can left-click on an OU.
- Select Action and then New Taskpad View.
- Continue through the wizard until it ends.
If needed, a very detailed guide on creating a custom MMC can be found here. When the first wizard closed, it should have opened the New Task wizard. Leave this screen up for a few minutes as we take a look at our remote control script.
I was recently asked “How can I start tracking user logins without modifying Active Directory or writing to a database?” Odd question, right? Our reader, let’s call him Jose, had a few issues:
- He wasn’t allowed to modify Active Directory.
- He wasn’t allowed to set up any new servers/hardware/etc. This ruled out writing his computer logins to a database.
- He was allowed to edit Group Policy at his location. He did not have many restrictions there.
To me, it seems like his boss has their priorities a little mixed up – but oh well. Before finding out these restrictions, I referred him to these two articles:
I was hoping that the powers that could modify AD in his company would see the benefits of the solutions above. It turns out that they don’t trust this site… (or Microsoft documentation for that matter).
After a few emails back and forth, I found out what was going on and we came up with a manual hack to speed up the whole “what computer are you on?” routine that every one of us faces. We ended up using an old-time tool with a modern deployment method.
With one registry change plus a deployment with Group Policy Preferences, we can stick the Computer Name under the start menu. Instead of a shortcut to Computer (or My Computer), the user sees “Computer: COMPUTERNAME”. This allows you to quickly check a computer name or to easily tell an employee how to find the computer name.
A recent email stated: “My computer isn’t working!” I had several immediate thoughts. First, no one ever emails just to say hi. Second, what computer is this person using? So I modified a script that David Lee provided me many years ago. It now queries AD for the username and current computer of any internal person when they email me. This information appears between the full name and subject of the email when using Office Outlook.
To get this information into Outlook, we have to do two things. First, we need to know the computer that a user is using. Second, we need to add a custom field to Outlook and query Active Directory.
Writing the Current Logged in Computer to an AD User Attribute
When an email arrives from an internal user, an Outlook macro looks at an AD user attribute to see the current computer name. I have written about this method a few times before, specifically where a logon script writes the current username to the ManagedBy (or Description) attribute of a computer account. In this case, we will write to an attribute on the user’s account instead of the computer’s account.
First, download this .vbs text file and remove the .txt extension. Open the SetextensionAttribute2.vbs file in Notepad. On the second-to-last line, you will see that the Computername value is written to extensionAttribute2 of the current user. This is sometimes called Custom Attribute 2. If you already use this attribute, change this line and replace any extensionAttribute2 references in the macro that is attached in the next section.
You can test this script by running it manually on your computer. After running it, open Active Directory Administrative Center – find your user – click Extensions – click on Attribute Editor. Scroll down to extensionAttribute2. You should see your computer name listed.
Next, create/edit a GPO that is linked to your staff. Set this script to run as a logon script.
Finally, we need to allow staff to edit their extensionAttribute2 value. Right click on your staff OU in Active Directory Administrative Center and select Properties. Select Security – Advanced. Press Add.
- For the Principal value, enter SELF
- For the Type, leave it at Allow
- For Applies to, change this to Descendant User objects
- Scroll to the very bottom of the Permission Entry screen and press Clear all
- Scroll back up and find Read Custom Attribute 2 and Write Custom Attribute 2. Place a check next to both boxes. Press OK and apply the permissions.
When staff log on to their computer again, their computer name should appear under extensionAttribute2.
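An added example, not part of the original post or its downloads: a PowerShell check that the SELF permission granted in the steps above is scoped to the one attribute and to user objects only. The OU distinguished name is a placeholder, the function names are hypothetical, and the script assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not part of the original post. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$StaffOu   = 'OU=Staff,DC=example,DC=com'   # placeholder DN: replace with your staff OU
$Attribute = 'extensionAttribute2'          # the attribute the post delegates

function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Property- and class-scoped ACEs identify their target by schemaIDGUID.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $entry = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    [guid]$entry.schemaIDGUID
}

function Get-SelfAceReport {
    param(
        [Parameter(Mandatory)][string]$OuDn,
        [Parameter(Mandatory)][string]$Attribute
    )
    $attrGuid = Get-SchemaGuid -LdapDisplayName $Attribute
    $userGuid = Get-SchemaGuid -LdapDisplayName 'user'
    $allowed  = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

    # Only explicit ACEs: inherited ones are set (and should be reviewed) higher up.
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and -not $_.IsInherited } |
        ForEach-Object {
            # Any right outside read/write property is more than the post's steps grant.
            $extraRights = ([int]$_.ActiveDirectoryRights) -band (-bnot $allowed)
            $scoped = ($_.AccessControlType -eq 'Allow') -and
                      ($extraRights -eq 0) -and
                      ($_.ObjectType -eq $attrGuid) -and
                      ($_.InheritedObjectType -eq $userGuid)
            [pscustomobject]@{
                Rights     = $_.ActiveDirectoryRights
                ObjectType = $_.ObjectType          # all-zero GUID means "every property"
                AppliesTo  = $_.InheritedObjectType # all-zero GUID means "every object class"
                Verdict    = if ($scoped) { 'expected' } else { 'review' }
            }
        }
}

$report = @(Get-SelfAceReport -OuDn $StaffOu -Attribute $Attribute)
$report | Format-Table -AutoSize
if (-not ($report | Where-Object Verdict -eq 'expected')) {
    Write-Warning "No SELF ACE scoped to $Attribute on user objects was found on $StaffOu."
}
```

A row marked `review` is an explicit SELF entry on the OU that grants something other than read/write of the single attribute on user objects, which is wider than the steps above intend.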
Using an Outlook Macro to Import Additional AD Information
Grab this .txt file and copy the contents. In Microsoft Office Outlook, press ALT + F11. This should open the Microsoft Visual Basic for Applications window. In the left side of the window, expand Project1 – expand Microsoft Outlook Object – double click on This Outlook Session. A new blank project window should open. Paste in the contents of the text file. Select File – Save. Your screen should now look like this picture:
Close the Microsoft Visual Basic for Applications window and then go to File – Options – Trust Center – Trust Center Settings. Select Macro Settings and select Notifications for all macros. Press OK and close Outlook Options.
Close Outlook and re-open it. You will receive a warning that you are loading the thisoutlooksession macro. Press enable macros.
In Outlook, select View – Add Columns. In the Show Columns window, change the Maximum number of lines in compact mode to 3. Still in the Show Columns window, change from Frequently-used fields to User-defined fields. Select Username and add it to the list on the right. Finally, move the Username column so that it is between the From column and Subject column. Press OK.
New emails from internal addresses will now show a username value and a computer name value if the user is logged in. Office Outlook does need to be open when the email is received, or those values will not appear. If you have any questions, comments, or improvements – let me know!
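Because the SELF permission set earlier lets each user write their own extensionAttribute2, the stored computer name is self-reported. The following added example (not the author's script or macro) validates the value and confirms a matching, enabled computer account before the name is handed to a remote-control tool. The function names are hypothetical, and it assumes DNS-style computer names and the RSAT ActiveDirectory module.

```powershell
# Added example, not part of the original post. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$Attribute = 'extensionAttribute2'   # attribute the logon script in the post writes

function Test-ComputerNameSyntax {
    param([string]$Name)
    # Assumption: DNS-style host names of 1-15 letters, digits or hyphens.
    # Rejects empty values, paths, spaces and wildcards typed into the attribute.
    $Name -match '^[A-Za-z0-9-]{1,15}$'
}

function Resolve-UserComputer {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user    = Get-ADUser -Identity $SamAccountName -Properties $Attribute
    $claimed = [string]$user.$Attribute
    if (-not (Test-ComputerNameSyntax -Name $claimed)) {
        throw "Value stored for $SamAccountName is empty or not a valid computer name."
    }
    # Computer accounts carry a trailing '$' on sAMAccountName. $claimed has already
    # been restricted to [A-Za-z0-9-], so it cannot alter the filter expression.
    $computer = Get-ADComputer -Filter "SamAccountName -eq '$claimed`$'" -Properties DNSHostName
    if (-not $computer)         { throw "No computer account named $claimed exists in the domain." }
    if (-not $computer.Enabled) { throw "Computer account $claimed is disabled." }
    [pscustomobject]@{
        User        = $user.SamAccountName
        Computer    = $computer.Name
        DnsHostName = $computer.DNSHostName
    }
}

# Constructed sample values showing what the syntax check accepts; only the first passes.
'PC-ACCT-014', '', 'fileserver\public', 'name with spaces' | ForEach-Object {
    [pscustomobject]@{ Value = $_; Accepted = (Test-ComputerNameSyntax -Name $_) }
} | Format-Table -AutoSize

# Usage against a live domain ('jdoe' is a placeholder account name):
#   Resolve-UserComputer -SamAccountName 'jdoe'
```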