Windows OS Hub

March 12, 2024

How to Change Computer Object Attributes in Active Directory

When you join a computer to an Active Directory domain, a separate account of type Computer is created for it. A computer object in AD has several mandatory attributes: sAMAccountName, distinguishedName, SID, Windows version and build (operatingSystem, operatingSystemVersion), userAccountControl, lastLogonTimeStamp, etc. The non-mandatory attributes can store information about the computer's owner, location, description, and IP address. This article shows you how to change the attribute values of an AD computer account using ADUC and PowerShell.

Contents:
  • Modify Computer Properties using the Active Directory (ADUC) Snap-In
  • PowerShell: Changing Computer Attribute Values with Set-ADComputer
  • How to Add UserName and IP Address to AD Computer Properties

Modify Computer Properties using the Active Directory (ADUC) Snap-In

An administrator can use the ADUC graphical snap-in to change the values of computer attributes in Active Directory.

Open the Active Directory Users and Computers console (dsa.msc), find the account of the computer you need (how to search objects in AD), and open its properties. Here you can set a computer description, its location, assign the responsible user (Managed by), etc.

Computer properties in Active Directory

The Attribute Editor tab allows you to set the values of other computer attributes. Be careful when editing mandatory computer attributes. The object attribute editor in AD does not check the data entered (it only checks the data type and length of the value), so if the values of the computer’s attributes are incorrect, it may break the workstation’s trust relationship with the domain.

Change computer properties in AD

PowerShell: Changing Computer Attribute Values with Set-ADComputer

You can use the Set-ADComputer cmdlet (from the PowerShell Active Directory module) to change the attributes of a computer account in Active Directory.

For example, suppose you want to add the location, company name, and department to a computer’s properties in AD.

To change the value of basic computer attributes, you can use built-in parameters such as -Description, -DisplayName, -DNSHostName, -HomePage, -Location, etc. For example, set the computer’s location:

Set-ADComputer -Identity LON-MAN01 -Location "UK/London"

You can also change the value of any computer attribute using the -Add, -Replace, -Clear, and -Remove parameters. Set a new computer account description (-Replace overwrites the current value; -Add returns an error if the description is already set, because the attribute holds a single value on computer objects):

Set-ADComputer -Identity LON-MAN01 -Replace @{"description"="Infrastructure management server"}

If you need to set more than one computer attribute, you can use this PowerShell script:

$Server = Get-ADComputer -Identity LON-MAN01
$Server.company = "Woshub"
$Server.department = "IT"
Set-ADComputer -Instance $Server

The Get-ADComputer command allows you to list the current attribute values:

Get-ADComputer LON-MAN01 -Properties * | Select-Object dNSHostName, operatingSystem, company, department, description

Set-ADComputer - update computer object properties using powershell

You can now find all the computers in AD that belong to the Woshub IT department:

Get-ADComputer -Filter {(company -eq 'woshub') -and (department -eq "IT")} -Properties * | Select-Object dNSHostName, operatingSystem, company, department, description | ft

The Set-ADComputer cmdlet also allows you to disable or enable a computer object account in AD:

Set-ADComputer lon-pc-h1221 -Enabled $false

Set-ADComputer - enable computer in AD

How to Add UserName and IP Address to AD Computer Properties

You can automatically add certain information to computer properties. For example, you might want the computer’s attributes in AD to include its current IP address and the name of the last logged-on user. We’ll use the Description attribute to store the IP address of the computer, and the ManagedBy attribute to store the username currently logged on to the computer.

Delegate AD permissions to the Domain Users group on the OU containing the computer accounts to change values in the Computer object attributes: ManagedBy and description (Write Description + Write Managed By).

delegate ad permissions Write Description and Write Managed By

Then create a new Group Policy with the following PowerShell logon script (User Configuration -> Policies -> Windows Settings -> Scripts -> Logon) to be run when a user logs on to the computer:

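# Logon script: store the host's IPv4 address and the logged-on user in the computer object
$curhostname = $env:COMPUTERNAME
# IPv4 address of the connected adapter that has a default gateway.
# Assigning to an $env: variable converts the result to a plain string.
$env:HostIP = (
    Get-NetIPConfiguration |
    Where-Object {
        $null -ne $_.IPv4DefaultGateway -and
        $_.NetAdapter.Status -ne "Disconnected"
    }
).IPv4Address.IPAddress
# ManagedBy expects the DistinguishedName of the user
$currus_cn = (Get-ADUser -Identity $env:USERNAME).DistinguishedName
$ADComp = Get-ADComputer -Identity $curhostname
$ADComp.ManagedBy = $currus_cn
$ADComp.description = $env:HostIP
Set-ADComputer -Instance $ADComp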

This PowerShell script runs under a user account, detects the computer’s IP address and the current user’s DistinguishedName (DN), and saves them to the computer properties in AD. The AD PowerShell module must be installed on the user computers for the script to work (you can deploy the RSAT-AD-PowerShell module without installing RSAT).

You must link this GPO to the OU containing the computers and enable the policy Configure user Group Policy Loopback Processing mode (check the article).
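
The delegation above lets any domain user overwrite description and managedBy on every computer account in the OU, so it is worth reviewing exactly which principals hold that write access. The following read-only audit is an added example, not part of the original article; the OU distinguished name is a placeholder assumption that you replace with your own.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder DN of the OU that holds the computer accounts.
$OuDn = 'OU=Workstations,DC=example,DC=com'

# Look up the schemaIDGUID of each delegated attribute in the schema
# partition instead of hard-coding the GUIDs.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = @{}
foreach ($name in 'description', 'managedBy') {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    $attrGuid[[guid]$attr.schemaIDGUID] = $name
}

$write = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Read the OU's ACL through the AD: drive and keep Allow ACEs that grant
# WriteProperty either on one of the two attributes or on all properties
# (an empty ObjectType GUID, which also covers GenericAll/GenericWrite).
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $write) -and
        ($_.ObjectType -eq [guid]::Empty -or $attrGuid.ContainsKey($_.ObjectType))
    } |
    Select-Object IdentityReference, IsInherited, InheritanceType, InheritedObjectType,
        @{ Name = 'Attribute'; Expression = {
            if ($attrGuid.ContainsKey($_.ObjectType)) { $attrGuid[$_.ObjectType] }
            else { '(all properties)' }
        } } |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Any principal listed here can change what ADUC shows as a computer's IP address or responsible user, so treat those two fields as user-supplied inventory data rather than as an authoritative logon record.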

The ADUC console now displays the IP addresses of the computers. The Managed by tab of Computer Properties contains a link to the user account last logged on to this machine.

show IP address and currently logged username in the Active Directory computer properties

Now you can quickly find computers in a domain by IP address:

Get-ADComputer -Filter {description -like "192.168.15.*"} -Properties * | Select-Object name, description, managedBy

Or you can find all computers in a domain where a particular user account is logged on (the Get-ADUser cmdlet is used to get the DistinguishedName of the user):

$user = 'a.adams'
$user_cn = (Get-ADUser $user -Properties *).DistinguishedName
Get-ADComputer -Filter "ManagedBy -eq '$user_cn'" -Properties * | Select-Object name, description, managedBy | ft

find computers in AD that a specific user is logged on

Similarly, you can write any information about a workstation or user into the properties of computer accounts in AD and use it to search for computers in AD by those criteria. The article at the link describes how to add the last logged username and host hardware information to the computer description in AD.
