You can store various useful information in the description of computer objects in Active Directory. For example, information about the computer model, hardware inventory, or the last logged-on username. In this article, we’ll look at how to automatically fill and update information in the Description field of computer objects in Active Directory using PowerShell.
Update the Computer Description Field in Active Directory with PowerShell
For example, you want the Description field for computers and servers in the Active Directory Users and Computers console to display information about the manufacturer, model, and serial number of the computer. You can get this information on your local machine from WMI using the following PowerShell command:
Get-WMIObject Win32_ComputerSystemProduct | Select Vendor, Name, IdentifyingNumber
The WMI query returns the following data:
- Vendor – HP
- Name – Proliant DL 360 G5
- IdentifyingNumber – CZJ733xxxx
Get the name of the current computer from the environment variable and assign it to the $computer variable:
$computer = $env:COMPUTERNAME
Then save the information about the computer’s hardware:
$computerinfo= Get-WMIObject Win32_ComputerSystemProduct
$Vendor = $computerinfo.vendor
$Model = $computerinfo.Name
$SerialNumber = $computerinfo.identifyingNumber
Let’s see what values are assigned to the variables:
$computer
$vendor
$Model
$SerialNumber
It remains to write the received data in the Description field of the computer account in Active Directory. Run the following PowerShell script:
$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($ENV:USERDNSDOMAIN).Replace(".",",DC="))")"
$ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
$computerObj.SetInfo()
If the Active Directory PowerShell module is available on the computer, the same update takes a single cmdlet:
Set-ADComputer $computer -Description "$vendor|$Model|$SerialNumber"
If you want to use the cmdlets from the AD PowerShell module on computers where RSAT is not installed, you can copy the module files to them instead.
Verify that the computer Description field in the ADUC console shows the manufacturer and model information.
Such a script only updates the Description attribute of the current computer in AD. You can remotely populate Descriptions for all domain computers using Get-ADComputer and a foreach loop. But it is much more convenient to have computers automatically update their information in AD when a user logs in or a computer boots up.
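The remote variant mentioned above, as an added example that is not part of the original article: run from a management host with the AD module, it loops over the computers of one OU, queries the same WMI class over CIM, and writes the same pipe-delimited layout the article uses. The OU path is a placeholder, and it assumes WinRM is reachable on the targets and the running account has Write Description rights on the computer objects.

```powershell
# Added example: bulk-populate the Description of every computer in an OU from a
# management host. Assumptions: the OU below is a placeholder; WinRM/CIM is reachable
# on the targets; the running account may write the Description attribute.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, adjust to your domain

$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties Description

foreach ($c in $computers) {
    $name = $c.Name

    # Offline hosts are skipped and keep their previous Description value
    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        Write-Warning "$name is offline, skipping"
        continue
    }

    try {
        # Same WMI class the article queries locally, here read remotely over CIM
        $info = Get-CimInstance -ClassName Win32_ComputerSystemProduct -ComputerName $name -ErrorAction Stop
    } catch {
        Write-Warning "Hardware query failed on ${name}: $($_.Exception.Message)"
        continue
    }

    # Same Vendor|Model|Serial layout the article's logon script writes
    $desc = '{0}|{1}|{2}' -f $info.Vendor, $info.Name, $info.IdentifyingNumber

    if ($c.Description -eq $desc) {
        continue   # unchanged: avoid a needless directory write
    }

    Set-ADComputer -Identity $c -Description $desc
    Write-Output "Updated $name -> $desc"
}
```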
To do this, you need to create a Group Policy with a PowerShell logon script and apply it to all computers:
- Open the domain Group Policy Management Console (gpmc.msc), create a GPO and link it to the OU with computers;
- Expand the GPO: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff) -> Logon;
- Go to the PowerShell Scripts tab;
- Click the Show Files button and create a FillCompDesc.ps1 file with the following code:
# write information about the computer hardware/model in the Description field in Active Directory
$computer = $env:COMPUTERNAME
$computerinfo= Get-WMIObject Win32_ComputerSystemProduct
$Vendor = $computerinfo.vendor
$Model = $computerinfo.Name
$SerialNumber = $computerinfo.identifyingNumber
$DNSDOMAIN= (Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem).Domain
$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($DNSDOMAIN).Replace(".",",DC="))")"
$ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
$computerObj.SetInfo()
You can optionally log PowerShell script actions for easier troubleshooting.
- Click the Add button and set the following script parameters:
Script name: FillCompDesc.ps1
Script Parameters: -ExecutionPolicy Bypass
In this case, you don’t have to change the PowerShell execution policy settings or sign your PS1 script file to run the PowerShell script.
- Delegate AD permissions on the target OU to the Authenticated Users domain group: grant the right to change the Description attribute of all Computer objects in the OU (the Write Description permission). This allows domain users and computers to change the value of the Description attribute of computer objects;
- After the computers in the target OU are restarted and the Group Policy settings are updated, the Description field in AD is filled in automatically with information about the computer’s hardware. You can troubleshoot GPOs using the gpresult tool or using the tips from the article Common problems causing group policy to not apply.
Thus, you can add any information in the Description field of the computer objects in AD. For example, the name of the last logged-on user, department (you can get this information using the Get-ADUser cmdlet), the computer’s IP address, or any other relevant information you need.
Adding the Last Logged On Username to the Computer Description in AD
The PowerShell script above can be used to add any other information to the description of the computer objects in AD. For example, it is useful when the description of the computer shows the currently logged-on user. Let’s also add the name of the domain controller the user is authenticated to (LOGONSERVER).
Change a single line in the PowerShell logon script to:
$computerObj.Put("Description","$vendor|$Model|$SerialNumber|$env:username|$env:LOGONSERVER")
Logoff and sign in under your user account. Check that the computer description attribute now shows the name of the current user and the logonserver (domain controller) you authenticated to.
In order to parse the data from the Description attribute, you can use the following PowerShell code:
$ComputerName = 'PC-MUN22s7b2'
$vendor,$Model,$SerialNumber,$Username,$LogonServer = ((Get-ADComputer -identity $ComputerName -Properties *).description).split("|")
We split the Description field value (separated by | ) into several separate variables. To get the username on the specified remote computer, just run:
$Username
You can get the name of the computer that a specific user is currently logged on using the following PowerShell script:
$user='*M.Becker*'
Get-ADComputer -Filter "description -like '$user'" -properties *|select name,description |ft
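A parser for the Vendor|Model|Serial|Username|LogonServer layout described above, as an added example that is not part of the original article: it turns the Description of every computer in an OU into an object, and a computer whose Description is empty, or has fewer fields than expected (for instance one that has not run the logon script yet), is reported with blank fields instead of breaking the multiple-assignment split shown above. The OU path is a placeholder.

```powershell
# Added example: report who is logged on where from the pipe-delimited Description.
# Assumption: the OU below is a placeholder for your computers OU.
Import-Module ActiveDirectory

function ConvertFrom-CompDescription {
    param([Parameter(Mandatory)] $Computer)   # one object returned by Get-ADComputer

    # Field order matches what the article's logon script writes
    $fields = @('Vendor', 'Model', 'SerialNumber', 'Username', 'LogonServer')
    $result = [ordered]@{ ComputerName = $Computer.Name }

    # -split takes a regex, so the pipe must be escaped; empty Description gives no parts
    $parts = if ($Computer.Description) { $Computer.Description -split '\|' } else { @() }

    for ($i = 0; $i -lt $fields.Count; $i++) {
        # Fields the Description does not contain stay $null instead of raising an error
        $result[$fields[$i]] = if ($i -lt $parts.Count) { $parts[$i].Trim() } else { $null }
    }
    # At least Vendor|Model|Serial must be present for the entry to count as parsed
    $result['Parsed'] = ($parts.Count -ge 3)

    [pscustomobject]$result
}

$searchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU

Get-ADComputer -Filter * -SearchBase $searchBase -Properties Description |
    ForEach-Object { ConvertFrom-CompDescription $_ } |
    Sort-Object Username |
    Format-Table ComputerName, Username, LogonServer, Model, SerialNumber, Parsed -AutoSize
```

Rows with Parsed equal to False point at computers where the logon script has not run or the Description was overwritten by hand, which is worth checking since any authenticated user can write that attribute after the delegation above.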