Windows OS Hub / Active Directory / How to Automatically Fill the Computer Description in Active Directory

June 8, 2023 Active DirectoryGroup PoliciesPowerShellWindows Server 2019

How to Automatically Fill the Computer Description in Active Directory

You can store various useful information in the description of computer objects in Active Directory. For example, information about the computer model, hardware inventory, or the last logged-on username. In this article, we’ll look at how to automatically fill and update information in the Description field of computer objects in Active Directory using PowerShell.

Contents:

Update the Computer Description Field in Active Directory with PowerShell

For example, you want the Description field for computers and servers in the Active Directory Users and Computers console to display information about the manufacturer, model, and serial number of the computer. You can get this information on your local machine from WMI using the following PowerShell command:
Get-WMIObject Win32_ComputerSystemProduct | Select Vendor, Name, IdentifyingNumber
The WMI query returns the following data:

  • Vendor – HP
  • Name – Proliant DL 360 G5
  • IdentifyingNumber – CZJ733xxxx

Get-WMIObject Win32_ComputerSystemProduct

Get the name of the current computer from the environment variable and assign it to the $computer variable:

$computer = $env:COMPUTERNAME

Then save the information about the computer’s hardware:

$computerinfo= Get-WMIObject Win32_ComputerSystemProduct
$Vendor = $computerinfo.vendor
$Model = $computerinfo.Name
$SerialNumber = $computerinfo.identifyingNumber

Let’s see what values are assigned to the variables:

$computer
$vendor
$Model
$SerialNumber

It remains to write the received data in the Description field of the computer account in Active Directory. Run the following PowerShell script:

$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($ENV:USERDNSDOMAIN).Replace(".",",DC="))")"
$ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
$computerObj.SetInfo()

You can also make changes to the computer description using the Set-ADComputer cmdlet. However, this requires the Active Directory Module for Windows PowerShell (from the RSAT administration toolkit) to be installed on the computer.
Set-ADComputer $computer –Description "$vendor|$Model|$SerialNumber”

If you want to use the cmdlets from the AD PowerShell module, you can copy the module files to all computers without installing RSAT.

Verify that the computer Description field in the ADUC console shows the manufacturer and model information.

populated computer description fileld in active directory

Such a script will only update the current computer description attribute in AD. You can remotely populate Descriptions for all domain computers using Get-ADComputer and foreach loop. But it’s much more convenient to have computers automatically update their information in AD when a user logs in or a computer boots up.

To do this, you need to create a Group Policy with a PowerShell logon script and apply it to all computers:

  1. Open the domain Group Policy Management Console (gpmc.msc), create a GPO and assign it to the OU with computers;
  2. Expand the GPO: User Configuration -> Policies -> Windows Settings -> Scripts (Logon / Logoff) -> Logon;
  3. Go to the PowerShell Scripts tab;
  4. Click the Show Files button and create a FillCompDesc.ps1 file with the following code:
    # write information about the computer hardware/model in the Description field in Active Directory
    $computer = $env:COMPUTERNAME
    $computerinfo= Get-WMIObject Win32_ComputerSystemProduct
    $Vendor = $computerinfo.vendor
    $Model = $computerinfo.Name
    $SerialNumber = $computerinfo.identifyingNumber
    $DNSDOMAIN= (Get-WmiObject -Namespace root\cimv2 -Class Win32_ComputerSystem).Domain
    $ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
    $ComputerSearcher.SearchRoot = "LDAP://$("DC=$(($DNSDOMAIN).Replace(".",",DC="))")"
    $ComputerSearcher.Filter = "(&(objectCategory=Computer)(CN=$Computer))"
    $computerObj = [ADSI]$ComputerSearcher.FindOne().Path
    $computerObj.Put( "Description", "$vendor|$Model|$SerialNumber" )
    $computerObj.SetInfo()
    You can optionally log PowerShell script actions for easier troubleshooting.
  5. Click the Add button and set the following script parameters:
    Script name: FillCompDesc.ps1
    Script Parameters: -ExecutionPolicy Bypass run powershell logon script using Group Policy
    In this case, you don’t have to change the PowerShell execution policy settings or sign your PS1 script file to run the PowerShell script.
  6. Delegate AD permissions to a specific OU for the Authenticated Usersdomain group. Assign rights to change the Description attribute of all Computer objects in OU (the Write Description permission). This will allow domain users and computers to change the value in the Description attribute of computer objects;delegate permissions on write computer description-permissions in ad for auth users group
  7. After restarting computers in the target OU and updating Group Policy settings, the Description field in AD will be automatically filled in. This field will contain information about the computer’s hardware.  
    You can troubleshoot GPOs using the gpresult tool or using the tips from the article Common problems causing group policy to not apply.

Thus, you can add any information in the Description field of the computer objects in AD. For example, the name of the last logged-on user, department (you can get this information using the Get-ADUser cmdlet), the computer’s IP address, or any other relevant information you need.

Note. The drawback of this approach is that any authenticated AD user can change or delete the description of any computer in Active Directory.

Adding the Last Logged On Username to the Computer Description in AD

The PowerShell script above can be used to add any other information to the description of the computer objects in AD. For example, it is useful when the description of the computer shows the currently logged-on user. Let’s also add the name of the domain controller the user is authenticated to (LOGONSERVER).

Change a single line in the PowerShell logon script to:

$computerObj.Put("Description","$vendor|$Model|$SerialNumber|$env:username|$env:LOGONSERVER")

Logoff and sign in under your user account. Check that the computer description attribute now shows the name of the current user and the logonserver (domain controller) you authenticated to.

show logged on username in computer description filed in ADUC

In order to parse the data from the Description attribute, you can use the following PowerShell code:

$ComputerName = 'PC-MUN22s7b2'
$vendor,$Model,$SerialNumber,$Username,$LogonServer = ((Get-ADComputer -identity  $ComputerName -Properties *).description).split("|")

We split the Description field value  (separated by | ) into several separate variables. To get the username on the specified remote computer, just run:

$Username

get username from active directory computer description with powershell

You can get the name of the computer that a specific user is currently logged on using the following PowerShell script:

$user='*M.Becker*'
Get-ADComputer -Filter "description -like '$user'" -properties *|select name,description |ft

12 comments
1
Facebook Twitter Google + Pinterest

Related Reading

How to Connect VPN Before Windows Logon

November 14, 2023

Using WPAD (Web Proxy Auto-Discovery Protocol) on Windows

November 7, 2023

Send Emails with Microsoft Graph API and PowerShell

November 6, 2023

Zabbix: How to Get Data from PowerShell Scripts

October 27, 2023

Tracking Printer Usage with Windows Event Viewer Logs

October 19, 2023

12 comments

Park Richard April 19, 2016 - 8:46 pm

I think change $computer to $computer.Name to make the Get-WMIObject work:
 
$vendor = (Get-WMIObject -ComputerName $computer.Name Win32_ComputerSystemProduct).Vendor
$name = (Get-WMIObject -ComputerName $computer.Name Win32_ComputerSystemProduct).Name
$identifyingNumber = (Get-WMIObject -ComputerName $computer.Name Win32_ComputerSystemProduct).IdentifyingNumber
$vendor

Reply
admin April 22, 2016 - 5:48 am

You probably missed a step

Assign the name of Active Directory account you want to change to the variable $computer:

$computer = "PC-Name-p01"
Reply
Don July 1, 2016 - 10:07 pm

That was the ticket Park, Thanks

Reply
Paul November 21, 2018 - 11:14 am

Great, thanks for this script information. And indeed Park’s comment was the solution.

Reply
Brandon February 15, 2019 - 2:00 pm

RPC server is unavailable?

Reply
Dimarc67 July 18, 2019 - 8:51 pm

I’d like to use this in a login script (deployed via GPO) for each system to write their information to their own AD computer account. The easy part is giving the Domain Users group editing rights to the Description field of all AD computer objects (Delegate Control option in ADUC). But is there a Powershell solution (Remote PS or other) for writing to AD without distributing RSAT and/or ActiveDirectory cmdlets?

Reply
admin July 23, 2019 - 11:11 am

You can use the following vbs script to update AD computer properties without installing AD for Windows PowerShell module on a client desktops:

Set WshNetwork = WScript.CreateObject(“WScript.Network”)
Set objWMI = GetObject(“winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2”)

For Each objSMBIOS in objWMI.ExecQuery(“Select * from Win32_SystemEnclosure”)
identifyingNumber = replace(objSMBIOS.SerialNumber, “,”, “.”)
vendor = replace(objSMBIOS.Manufacturer, “,”, “.”)
Next

For Each objComputer in objWMI.ExecQuery(“Select * from Win32_ComputerSystem”)
model_name= trim(replace(objComputer.Model, “,”, “.”))
Next

Set objSysInfo = CreateObject(“ADSystemInfo”)
Set objComputer = GetObject(“LDAP://” & objSysInfo.ComputerName)

your_Desc = WshNetwork.UserName & ” (” & identifyingNumber & ” – ” & vendor & ” ” & model_name & “)”
if not objComputer.Description = your_Desc and not left(objComputer.Description,1) = “_” then
objComputer.Description = your_Desc
objComputer.SetInfo
end if

Reply
Edvan Junior April 5, 2022 - 8:01 pm

Hello friend, how do I add in the description only the login of the user and server

Reply
admin April 7, 2022 - 8:15 am

$computerObj.Put(“Description”,”$env:username|$env:LOGONSERVER”)

Reply
Joakim May 6, 2022 - 8:47 pm

$computerObj.Put( “Description”, “$vendor|$Model|$SerialNumber” )
Didn’t work for me. I had to change put to invokeSet

Reply
nait October 28, 2022 - 2:11 pm

Hello, i try make same with another field (office) i modify delegation but in script i can’t put this :

# Recupere nom uc
$computer = $env:COMPUTERNAME
#information UC via les WMI, simplification pour la suite en variable UCinfo
$UCinfo= Get-WMIObject Win32_ComputerSystemProduct
#info vendeur
$Vendeur = $UCinfo.vendor
#Modele du poste
$Modele = $UCinfo.Name
#utilisateur
$user = (Get-WmiObject -Class win32_process | Where-Object name -Match explorer).getowner().user

#date
$date = Get-Date -Format “yyyy/MM/dd_HH:mm”
#ouvre session CIM & récupère IP active (site et TT)
$cimSession = New-CimSession
$ip =(Get-CimInstance -CimSession $cimSession -ClassName Win32_NetworkAdapterConfiguration -Filter “IPEnabled = ‘True'”).IPAddress[0]
$cimSession | Remove-CimSession

#recup site

If($ip -like “10.93*”)
{
$site= “Poste sur site”
}else {
$site= “Poste en TT”}

$user = $env:USERNAME
$UserSearcher = New-Object DirectoryServices.DirectorySearcher
$UserSearcher.SearchRoot = “LDAP://$(“DC=$(($ENV:USERDNSDOMAIN).Replace(“.”,”,DC=”))”)”
$UserSearcher.Filter = “(&(objectCategory=*)(objectClass=*)(CN=$user))”
$UserObj = [ADSI]$UserSearcher.FindOne().Path
$UserObj.Put( “physicaldeliveryofficename”, “$computer ;$date ;$ip ;$modele”)
$UserObj.SetInfo()

Can you help me ?
thx

Reply
nait November 7, 2022 - 1:10 pm

i find lonely.

# Recupere nom uc
$computer = $env:COMPUTERNAME
#information UC via les WMI, simplification pour la suite en variable UCinfo
$UCinfo= Get-WMIObject Win32_ComputerSystemProduct
#info vendeur
$Vendeur = $UCinfo.vendor
#Modele du poste
$Modele = $UCinfo.Name
#utilisateur
$user = (Get-WmiObject -Class win32_process | Where-Object name -Match explorer).getowner().user
#date
$date = Get-Date -Format “yyyy/MM/dd_HH:mm”
#ouvre session CIM & récupère IP active (site et TT)
$cimSession = New-CimSession
$ip =(Get-CimInstance -CimSession $cimSession -ClassName Win32_NetworkAdapterConfiguration -Filter “IPEnabled = ‘True'”).IPAddress[0]
$cimSession | Remove-CimSession
#recup site
If($ip -like “10.93*”)
{
$site= “Poste sur site”
}else {
$site= “Poste en TT”}
#utilise ADSI pour completer les champs attributs (delegation description faite)
$ComputerSearcher = New-Object DirectoryServices.DirectorySearcher
$ComputerSearcher.SearchRoot = “LDAP://$(“DC=$(($ENV:USERDNSDOMAIN).Replace(“.”,”,DC=”))”)”
$ComputerSearcher.Filter = “(&(objectCategory=Computer)(CN=$Computer))”
$computerObj = [ADSI]$ComputerSearcher.FindOne().Path
$computerObj.Put( “Description”, “$user ; $date ; $site ; $ip ; $modele”)
$computerObj.SetInfo()
#Redéfinit nom user et incrémenter “bureau” dans l’ad (delegation physicaldeliveryofficename faite)
$user = $env:USERNAME
$UserSearcher = New-Object DirectoryServices.DirectorySearcher
$UserSearcher.SearchRoot = “LDAP://$(“DC=$(($ENV:USERDNSDOMAIN).Replace(“.”,”,DC=”))”)”
$UserSearcher.Filter = “(&(objectCategory=person)(anr=$user))”
$UserObj = [ADSI]$UserSearcher.FindOne().Path
$UserObj.Put( “physicaldeliveryofficename”, “$computer ;Derniere connexion : $date ;IP : $ip ;Modele : $modele”)
$UserObj.SetInfo()

Reply

Leave a Comment