Windows OS Hub / Active Directory / How to Automatically Fill the Computer Description in Active Directory

June 8, 2023 Active DirectoryGroup PoliciesPowerShellWindows Server 2019

How to Automatically Fill the Computer Description in Active Directory

You can store various useful information in the description of computer objects in Active Directory. For example, information about the computer model, hardware inventory, or the last logged-on username. In this article, we’ll look at how to automatically fill and update information in the Description field of computer objects in Active Directory using PowerShell.

Contents:

Update the Computer Description Field in Active Directory with PowerShell

For example, you want the Description field for computers and servers in the Active Directory Users and Computers console to display information about the manufacturer, model, and serial number of the computer. You can get this information on your local machine from WMI using the following PowerShell command:
Get-WMIObject Win32_ComputerSystemProduct | Select Vendor, Name, IdentifyingNumber
The WMI query returns the following data:

  • Vendor – HP
  • Name – Proliant DL 360 G5
  • IdentifyingNumber – CZJ733xxxx

Get-WMIObject Win32_ComputerSystemProduct

Get the name of the current computer from the environment variable and assign it to the $computer variable:

$computer = $env:COMPUTERNAME

Then save the information about the computer’s hardware:

$computerinfo= Get-WMIObject Win32_ComputerSystemProduct
$Vendor = $computerinfo.vendor
$Model = $computerinfo.Name
$SerialNumber = $computerinfo.identifyingNumber

Let’s see what values are assigned to the variables:

$computer
$vendor
$Model
$SerialNumber

It remains to write the received data in the Description field of the computer account in Active Directory. Run the following PowerShell script:

$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($ENV:USERDNSDOMAIN).Replace(".",",DC="))")"
$ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
$computerObj.SetInfo()

You can also make changes to the computer description using the Set-ADComputer cmdlet. However, this requires the Active Directory Module for Windows PowerShell (from the RSAT administration toolkit) to be installed on the computer.
Set-ADComputer $computer –Description "$vendor|$Model|$SerialNumber”

If you want to use the cmdlets from the AD PowerShell module, you can copy the module files to all computers without installing RSAT.

Verify that the computer Description field in the ADUC console shows the manufacturer and model information.

populated computer description fileld in active directory

Such a script will only update the current computer description attribute in AD. You can remotely populate Descriptions for all domain computers using Get-ADComputer and foreach loop. But it’s much more convenient to have computers automatically update their information in AD when a user logs in or a computer boots up.

To do this, you need to create a Group Policy with a PowerShell logon script and apply it to all computers:

  1. Open the domain Group Policy Management Console (gpmc.msc), create a GPO and assign it to the OU with computers;
  2. Expand the GPO: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff) -> Logon;
  3. Go to the PowerShell Scripts tab;
  4. Click the Show Files button and create a FillCompDesc.ps1 file with the following code:
    # write information about the computer hardware/model in the Description field in Active Directory
    $computer = $env:COMPUTERNAME
    $computerinfo= Get-WMIObject Win32_ComputerSystemProduct
    $Vendor = $computerinfo.vendor
    $Model = $computerinfo.Name
    $SerialNumber = $computerinfo.identifyingNumber
    $DNSDOMAIN= (Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem).Domain
    $ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
    $ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($DNSDOMAIN).Replace(".",",DC="))")"
    $ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
    $computerObj = [ADSI]$ComputerSearcher.FindOne().Path
    $computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
    $computerObj.SetInfo()
    You can optionally log PowerShell script actions for easier troubleshooting.
  5. Click the Add button and set the following script parameters:
    Script name: FillCompDesc.ps1
    Script Parameters: -ExecutionPolicy Bypass run powershell logon script using Group Policy
    In this case, you don’t have to change the PowerShell execution policy settings or sign your PS1 script file to run the PowerShell script.
  6. Delegate AD permissions to a specific OU for the Authenticated Usersdomain group. Assign rights to change the Description attribute of all Computer objects in OU (the Write Description permission). This will allow domain users and computers to change the value in the Description attribute of computer objects;delegate permissions on write computer description-permissions in ad for auth users group
  7. After restarting computers in the target OU and updating Group Policy settings, the Description field in AD will be automatically filled in. This field will contain information about the computer’s hardware.  
    You can troubleshoot GPOs using the gpresult tool or using the tips from the article Common problems causing group policy to not apply.

Thus, you can add any information in the Description field of the computer objects in AD. For example, the name of the last logged-on user, department (you can get this information using the Get-ADUser cmdlet), the computer’s IP address, or any other relevant information you need.

Note. The drawback of this approach is that any authenticated AD user can change or delete the description of any computer in Active Directory.

Adding the Last Logged On Username to the Computer Description in AD

The PowerShell script above can be used to add any other information to the description of the computer objects in AD. For example, it is useful when the description of the computer shows the currently logged-on user. Let’s also add the name of the domain controller the user is authenticated to (LOGONSERVER).

Change a single line in the PowerShell logon script to:

$computerObj.Put("Description","$vendor|$Model|$SerialNumber|$env:username|$env:LOGONSERVER")

Logoff and sign in under your user account. Check that the computer description attribute now shows the name of the current user and the logonserver (domain controller) you authenticated to.

show logged on username in computer description filed in ADUC

In order to parse the data from the Description attribute, you can use the following PowerShell code:

$ComputerName = 'PC-MUN22s7b2'
$vendor,$Model,$SerialNumber,$Username,$LogonServer = ((Get-ADComputer -identity  $ComputerName -Properties *).description).split("|")

We split the Description field value  (separated by | ) into several separate variables. To get the username on the specified remote computer, just run:

$Username

get username from active directory computer description with powershell

You can get the name of the computer that a specific user is currently logged on using the following PowerShell script:

$user='*M.Becker*'
Get-ADComputer -Filter "description -like '$user'" -properties *|select name,description |ft

12 comments
1
Facebook Twitter Google + Pinterest

Related Reading

Installing Language Pack in Windows 10/11 with PowerShell

September 15, 2023

Configure Email Forwarding for Mailbox on Exchange Server/Microsoft...

September 14, 2023

How to View and Change BIOS (UEFI) Settings...

September 13, 2023

How to Create UEFI Bootable USB Drive to...

September 11, 2023

Redirect HTTP to HTTPS in IIS (Windows Server)

September 7, 2023