You can store various useful information in the description of computer objects in Active Directory. For example, information about the computer model, hardware inventory, or the last logged-on username. In this article, we’ll look at how to automatically fill and update information in the Description field of computer objects in Active Directory using PowerShell.
Update the Computer Description Field in Active Directory with PowerShell
For example, you want the Description field for computers and servers in the Active Directory Users and Computers console to display information about the manufacturer, model, and serial number of the computer. You can get this information on your local machine from WMI using the following PowerShell command:
Get-WMIObject Win32_ComputerSystemProduct | Select Vendor, Name, IdentifyingNumber
The WMI query returns the following data:
- Vendor – HP
- Name – Proliant DL 360 G5
- IdentifyingNumber – CZJ733xxxx
Get the name of the current computer from the environment variable and assign it to the $computer variable:
$computer = $env:COMPUTERNAME
Then save the information about the computer’s hardware:
$computerinfo= Get-WMIObject Win32_ComputerSystemProduct
$Vendor = $computerinfo.vendor
$Model = $computerinfo.Name
$SerialNumber = $computerinfo.identifyingNumber
Let’s see what values are assigned to the variables:
$computer
$vendor
$Model
$SerialNumber
All that remains is to write the collected data to the Description field of the computer account in Active Directory. Run the following PowerShell script:
$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($ENV:USERDNSDOMAIN).Replace(".",",DC="))")"
$ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
$computerObj.SetInfo()
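# Alternatively, if the ActiveDirectory PowerShell module is installed, a single cmdlet does the same:
Set-ADComputer $computer -Description "$vendor|$Model|$SerialNumber"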
Verify that the computer Description field in the ADUC console shows the manufacturer and model information.
Such a script only updates the description attribute of the current computer in AD. You can remotely populate the Description field for all domain computers using Get-ADComputer and a foreach loop. But it’s much more convenient to have computers automatically update their information in AD when a user logs in or a computer boots up.
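The remote approach mentioned above (Get-ADComputer with a foreach loop), run from an admin workstation, could look like the following. This is an added example, not code from the original article; it assumes the ActiveDirectory module is installed, WinRM is reachable on the target computers, and $SearchBase is a placeholder OU path.

```powershell
# Added example: fill Description for every computer in one OU from an admin workstation.
# Assumptions: ActiveDirectory module (RSAT), WinRM enabled on the targets,
# and $SearchBase is a placeholder DN that you replace with your own OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder

$results = foreach ($adComputer in Get-ADComputer -Filter * -SearchBase $SearchBase -Properties Description) {
    $name   = $adComputer.Name
    $status = 'Updated'
    try {
        # -ErrorAction Stop turns an offline or unreachable computer into a catchable error
        $hw = Get-CimInstance -ClassName Win32_ComputerSystemProduct -ComputerName $name `
                              -OperationTimeoutSec 15 -ErrorAction Stop

        # Remove the "|" delimiter from the values so the field always splits into three parts
        $fields = $hw.Vendor, $hw.Name, $hw.IdentifyingNumber |
            ForEach-Object { "$_".Replace('|', '/').Trim() }
        $newDescription = $fields -join '|'

        if ($adComputer.Description -ceq $newDescription) {
            $status = 'Unchanged'          # skip the write when nothing changed
        } else {
            Set-ADComputer -Identity $adComputer -Description $newDescription -ErrorAction Stop
        }
    } catch {
        $status = "Failed: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Computer = $name; Status = $status }
}

# Summary of what was written, skipped, or unreachable
$results | Sort-Object Status, Computer | Format-Table -AutoSize
```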
To have computers update their own description automatically, you need to create a Group Policy with a PowerShell logon script and apply it to all computers:
- Open the domain Group Policy Management Console (gpmc.msc), create a GPO and assign it to the OU with computers;
- Expand the GPO: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff) -> Logon;
- Go to the PowerShell Scripts tab;
- Click the Show Files button and create a FillCompDesc.ps1 file with the following code:
# write information about the computer hardware/model in the Description field in Active Directory
$computer = $env:COMPUTERNAME
$computerinfo= Get-WMIObject Win32_ComputerSystemProduct
$Vendor = $computerinfo.vendor
$Model = $computerinfo.Name
$SerialNumber = $computerinfo.identifyingNumber
$DNSDOMAIN= (Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem).Domain
$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($DNSDOMAIN).Replace(".",",DC="))")"
$ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
$computerObj.SetInfo()
You can optionally log PowerShell script actions for easier troubleshooting.
- Click the Add button and set the following script parameters:
Script name: FillCompDesc.ps1
Script Parameters: -ExecutionPolicy Bypass
In this case, you don’t have to change the PowerShell execution policy settings or sign your PS1 script file to run the PowerShell script.
- Delegate AD permissions to a specific OU for the Authenticated Users domain group. Assign rights to change the Description attribute of all Computer objects in the OU (the Write Description permission). This will allow domain users and computers to change the value in the Description attribute of computer objects;
- After restarting computers in the target OU and updating Group Policy settings, the Description field in AD will be automatically filled in. This field will contain information about the computer’s hardware. You can troubleshoot GPOs using the gpresult tool or using the tips from the article Common problems causing group policy to not apply.
Thus, you can add any information in the Description field of the computer objects in AD. For example, the name of the last logged-on user, department (you can get this information using the Get-ADUser cmdlet), the computer’s IP address, or any other relevant information you need.
Adding the Last Logged On Username to the Computer Description in AD
The PowerShell script above can be used to add any other information to the description of the computer objects in AD. For example, it is useful when the description of the computer shows the currently logged-on user. Let’s also add the name of the domain controller the user is authenticated to (LOGONSERVER).
Change a single line in the PowerShell logon script to:
$computerObj.Put("Description","$vendor|$Model|$SerialNumber|$env:username|$env:LOGONSERVER")
Log off and sign in under your user account. Check that the computer description attribute now shows the name of the current user and the logon server (domain controller) you authenticated to.
In order to parse the data from the Description attribute, you can use the following PowerShell code:
$ComputerName = 'PC-MUN22s7b2'
$vendor,$Model,$SerialNumber,$Username,$LogonServer = ((Get-ADComputer -identity $ComputerName -Properties *).description).split("|")
We split the Description field value (separated by | ) into several separate variables. To get the username on the specified remote computer, just run:
$Username
You can get the name of the computer that a specific user is currently logged on to using the following PowerShell script:
$user='*M.Becker*'
Get-ADComputer -Filter "description -like '$user'" -properties *|select name,description |ft
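Because Write Description is delegated to Authenticated Users, the field is self-reported data that any domain account can overwrite, so a lookup should escape its search value and check the layout before trusting a match. The following is an added example, not code from the original article; it assumes the ActiveDirectory module and the five-field layout written by the logon script above, and the function names are hypothetical.

```powershell
# Added example, not from the original article.
# Assumes the ActiveDirectory module and the five-field layout written by the logon script:
# vendor|model|serial|username|logonserver
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # RFC 4515 escaping; the backslash must be replaced first
    $v = $Value.Replace('\', '\5c')
    $v = $v.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    $v.Replace("`0", '\00')
}

function Find-ComputerByLoggedOnUser {
    param([Parameter(Mandatory)][string]$UserName)

    $needle = ConvertTo-LdapFilterValue $UserName
    # \7c is the hex-escaped "|" delimiter, so only a whole field can match
    $filter = "(description=*\7c$needle\7c*)"

    foreach ($c in Get-ADComputer -LDAPFilter $filter -Properties Description) {
        $parts = "$($c.Description)".Split('|')
        if ($parts.Count -ne 5) {
            # Hand-edited or overwritten value: report it instead of mis-assigning fields
            Write-Warning "$($c.Name): unexpected Description layout, skipped"
            continue
        }
        $vendor, $model, $serial, $user, $logonServer = $parts
        if ($user -ne $UserName) { continue }   # the match was in another field

        [pscustomobject]@{
            Computer    = $c.Name
            User        = $user
            LogonServer = $logonServer
            Model       = "$vendor $model"
            Serial      = $serial
        }
    }
}

Find-ComputerByLoggedOnUser -UserName 'M.Becker'
```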
12 comments
I think change $computer to $computer.Name to make the Get-WMIObject work:
$vendor = (Get-WMIObject -ComputerName $computer.Name Win32_ComputerSystemProduct).Vendor
$name = (Get-WMIObject -ComputerName $computer.Name Win32_ComputerSystemProduct).Name
$identifyingNumber = (Get-WMIObject -ComputerName $computer.Name Win32_ComputerSystemProduct).IdentifyingNumber
$vendor
You probably missed a step
That was the ticket Park, Thanks
Great, thanks for this script information. And indeed Park’s comment was the solution.
RPC server is unavailable?
I’d like to use this in a login script (deployed via GPO) for each system to write their information to their own AD computer account. The easy part is giving the Domain Users group editing rights to the Description field of all AD computer objects (Delegate Control option in ADUC). But is there a Powershell solution (Remote PS or other) for writing to AD without distributing RSAT and/or ActiveDirectory cmdlets?
You can use the following vbs script to update AD computer properties without installing the AD for Windows PowerShell module on client desktops:
Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")
For Each objSMBIOS in objWMI.ExecQuery("Select * from Win32_SystemEnclosure")
    identifyingNumber = replace(objSMBIOS.SerialNumber, ",", ".")
    vendor = replace(objSMBIOS.Manufacturer, ",", ".")
Next
For Each objComputer in objWMI.ExecQuery("Select * from Win32_ComputerSystem")
    model_name = trim(replace(objComputer.Model, ",", "."))
Next
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)
your_Desc = WshNetwork.UserName & " (" & identifyingNumber & " – " & vendor & " " & model_name & ")"
if not objComputer.Description = your_Desc and not left(objComputer.Description,1) = "_" then
    objComputer.Description = your_Desc
    objComputer.SetInfo
end if
Hello friend, how do I add in the description only the login of the user and server
$computerObj.Put("Description","$env:username|$env:LOGONSERVER")
$computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
Didn’t work for me. I had to change put to invokeSet
Hello, I am trying to do the same with another field (office). I modified the delegation, but in the script I can’t put this:
# Get the computer name
$computer = $env:COMPUTERNAME
# Computer information via WMI, stored in the UCinfo variable to simplify what follows
$UCinfo= Get-WMIObject Win32_ComputerSystemProduct
# Vendor info
$Vendeur = $UCinfo.vendor
# Workstation model
$Modele = $UCinfo.Name
# User
$user = (Get-WmiObject -Class win32_process | Where-Object name -Match explorer).getowner().user
# Date
$date = Get-Date -Format "yyyy/MM/dd_HH:mm"
# Open a CIM session and get the active IP (on-site and teleworking)
$cimSession = New-CimSession
$ip =(Get-CimInstance -CimSession $cimSession -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'").IPAddress[0]
$cimSession | Remove-CimSession
# Determine the site
If($ip -like "10.93*")
{
$site= "Poste sur site"
}else {
$site= "Poste en TT"}
$user = $env:USERNAME
$UserSearcher = New-Object DirectoryServices.DirectorySearcher
$UserSearcher.SearchRoot = "LDAP://$("DC=$(($ENV:USERDNSDOMAIN).Replace(".",",DC="))")"
$UserSearcher.Filter = "(&(objectCategory=*)(objectClass=*)(CN=$user))"
$UserObj = [ADSI]$UserSearcher.FindOne().Path
$UserObj.Put( "physicaldeliveryofficename", "$computer ;$date ;$ip ;$modele")
$UserObj.SetInfo()
Can you help me ?
thx
I found it on my own.
# Get the computer name
$computer = $env:COMPUTERNAME
# Computer information via WMI, stored in the UCinfo variable to simplify what follows
$UCinfo= Get-WMIObject Win32_ComputerSystemProduct
# Vendor info
$Vendeur = $UCinfo.vendor
# Workstation model
$Modele = $UCinfo.Name
# User
$user = (Get-WmiObject -Class win32_process | Where-Object name -Match explorer).getowner().user
# Date
$date = Get-Date -Format "yyyy/MM/dd_HH:mm"
# Open a CIM session and get the active IP (on-site and teleworking)
$cimSession = New-CimSession
$ip =(Get-CimInstance -CimSession $cimSession -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled = 'True'").IPAddress[0]
$cimSession | Remove-CimSession
# Determine the site
If($ip -like "10.93*")
{
$site= "Poste sur site"
}else {
$site= "Poste en TT"}
# Use ADSI to fill in the attribute fields (delegation for description is done)
$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($ENV:USERDNSDOMAIN).Replace(".",",DC="))")"
$ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( "Description", "$user ; $date ; $site ; $ip ; $modele")
$computerObj.SetInfo()
# Reset the user name and fill in "office" in AD (delegation for physicaldeliveryofficename is done)
$user = $env:USERNAME
$UserSearcher = New-Object DirectoryServices.DirectorySearcher
$UserSearcher.SearchRoot = "LDAP://$("DC=$(($ENV:USERDNSDOMAIN).Replace(".",",DC="))")"
$UserSearcher.Filter = "(&(objectCategory=person)(anr=$user))"
$UserObj = [ADSI]$UserSearcher.FindOne().Path
$UserObj.Put( "physicaldeliveryofficename", "$computer ;Derniere connexion : $date ;IP : $ip ;Modele : $modele")
$UserObj.SetInfo()