Fun with AD Custom Attributes: Storing User Logon and Hardware Information on the AD Computer Object (Lockstep Technology Group)

Some time ago one of my clients with about 300 deployed computers called me in a panic. They had just gotten a virus alert for a computer named “ATLLAPTOP205”. This client needed to know who was logged into that computer. Normally that could be done by simply querying the computer directly, however the user had already powered off the laptop and gone home.

There was no way to query the computer to see the logged-on user. The client said, “Can’t you simply look in Active Directory to see who was the last person to log on to the computer?” By default, you can’t do this, but wouldn’t it be great if you could! Since then, I’ve implemented the steps in this article for that client, and they have found it extremely useful as they currently do not maintain an inventory of their computers. I find that this is a common practice among rapidly growing companies. With that in mind, this article will demonstrate a method of inventorying hardware and user information by writing the data to the computer object in AD. This way you can use Active Directory Users and Computers or PowerShell to find basic hardware and user information about a computer quickly.

It could easily be extended to servers with some slight modifications. Additionally, the same technique may be extended to collect more information from each computer, such as the members of the local Administrators group. Of course, a product such as SCCM would do all of this out of the box. If your company owns SCCM, you should leverage that instead of using this method. Feel free to contact Lockstep if you need assistance with SCCM or the steps described in this article.

You will want to download the PowerShell script using the download link at the end of this article. After downloading, place it on a network share that Domain Computers can read. This can be on a standard file server or on a Domain Controller. I like to use the NETLOGON folder as it is shared with the correct permissions by default. Domain Computers needs to have read-only access to this script.
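To make the technique concrete, here is an added example of what such a script can look like. It is not the article's downloadable script and not Lockstep's code; it collects the logged-on user and basic hardware facts with CIM, writes them to the machine's own computer object through ADSI (so it does not need the RSAT ActiveDirectory module), and includes a lookup function for the "who was on ATLLAPTOP205" question. The attribute names (extensionAttribute1 to 4) are an assumption: they exist only in an Exchange-extended schema, so substitute attributes that exist in your forest. It also assumes the script runs as SYSTEM (for example a scheduled task triggered at logon), so the computer account writes to AD and SELF needs write access on just those four attributes of computer objects, nothing more.

```powershell
# Added example, not the article's script. Assumptions: extensionAttribute1-4 exist in the
# schema and SELF has been granted write access to them on computer objects.
$ErrorActionPreference = 'Stop'

function Get-InventoryRecord {
    # Win32_ComputerSystem.UserName holds the interactively logged-on user (DOMAIN\user)
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    [pscustomobject]@{
        LastUser  = if ($cs.UserName) { $cs.UserName } else { 'no interactive user' }
        Hardware  = '{0} {1} (S/N {2})' -f $cs.Manufacturer, $cs.Model, $bios.SerialNumber
        Resources = '{0}; {1:N0} GB RAM' -f $cpu.Name.Trim(), ($cs.TotalPhysicalMemory / 1GB)
        Timestamp = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
    }
}

function Get-OwnComputerEntry {
    # Computer accounts are stored as "<hostname>$" in sAMAccountName
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found" }
    $result.GetDirectoryEntry()
}

function Write-InventoryToAD {
    param([Parameter(Mandatory)]$Record)
    $entry = Get-OwnComputerEntry
    # Each Put stages one attribute; SetInfo commits them in a single LDAP modify
    $entry.Put('extensionAttribute1', [string]$Record.LastUser)
    $entry.Put('extensionAttribute2', [string]$Record.Hardware)
    $entry.Put('extensionAttribute3', [string]$Record.Resources)
    $entry.Put('extensionAttribute4', [string]$Record.Timestamp)
    $entry.SetInfo()
}

function Find-ComputerByLastUser {
    # Lookup side: which computers last saw this user (substring match on extensionAttribute1)
    param([Parameter(Mandatory)][string]$UserName)
    $searcher = [adsisearcher]"(&(objectCategory=computer)(extensionAttribute1=*$UserName*))"
    [void]$searcher.PropertiesToLoad.AddRange(@('name','extensionAttribute1','extensionAttribute2','extensionAttribute4'))
    foreach ($r in $searcher.FindAll()) {
        # ADSISearcher lowercases the property keys it returns
        [pscustomobject]@{
            Computer = $r.Properties['name'][0]
            LastUser = $r.Properties['extensionattribute1'][0]
            Hardware = $r.Properties['extensionattribute2'][0]
            Seen     = $r.Properties['extensionattribute4'][0]
        }
    }
}

# Inventory run (what the scheduled task executes on each logon):
Write-InventoryToAD -Record (Get-InventoryRecord)

# Helpdesk run from any admin workstation, e.g. to answer the ATLLAPTOP205 question in reverse:
# Find-ComputerByLastUser -UserName 'jsmith' | Format-Table
```

The lookup works equally well from Active Directory Users and Computers by turning on Advanced Features and reading the Attribute Editor tab of the computer object. Limiting SELF's write grant to the specific attributes matters: a compromised workstation that can write arbitrary attributes on its own object has more to play with than one that can only update four inventory strings.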

On a side note, never give write/modify permissions on any scripts you use in your environment. This includes logon/logoff scripts or scripts used for reporting or installation purposes. These become easy lateral movement attack vectors for an attacker that has compromised a single user or computer. One system or user compromise may result in a much larger compromise.
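A quick way to check that point on your own share, as an added example that is not part of the original article: the snippet below walks the NETLOGON share (the path is an assumption; point it at wherever your scripts live) and reports every allow ACE that grants any write-class right to a broad principal. The list of principals is an assumption too, so extend it with whatever groups count as "everyone" in your domain.

```powershell
# Added example, not from the article: flag scripts writable by broad principals.
# Assumptions: the share path below and the principal list are placeholders for your environment.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'Domain Users', 'Domain Computers')

# Specific write-class rights plus the generic rights Get-Acl sometimes returns as raw numbers
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

function Test-ScriptAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        # Match with or without a domain prefix, e.g. CONTOSO\Domain Users
        $isBroad = $BroadPrincipals | Where-Object { $id -like "*$_" }
        if ($isBroad -and (([int]$ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$ScriptShare = "\\$env:USERDNSDOMAIN\NETLOGON"   # assumption: adjust to your script location
Get-ChildItem -Path $ScriptShare -Recurse -Include *.ps1, *.bat, *.cmd, *.vbs -File |
    ForEach-Object { Test-ScriptAcl -Path $_.FullName } |
    Format-Table -AutoSize
```

An empty result is the goal. Anything listed is a script that a compromised ordinary user or computer could edit, and since these scripts run on every machine that executes them, that edit becomes code execution everywhere the script is assigned. Fix findings at the folder level where the ACE is inherited, not file by file.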