You can use the Set-ADComputer cmdlet to change the attributes of a computer account object in Active Directory. In this article we will show you how to add the current username and IP address of the connected computer to the properties of the computer in AD using the Set-ADComputer cmdlet. This PowerShell script can be useful when you need to find a domain computer to which a particular user is logged in.
Use Set-ADComputer to change the computer attributes in Active Directory.
The Set-ADComputer cmdlet is part of the Active Directory PowerShell module. This module must be installed (as part of the RSAT) and imported into a PowerShell session. Let’s see how to use the Set-ADComputer cmdlet to update the account properties of the computer.
Let’s try adding your company and department name to the properties of the computer in the AD. First, use the Get-ADComputer cmdlet to check what is specified in the Company, Department and Domain Computer Description fields.
Get-ADComputer lon-man01 – properties *select object dNSHostName,operatingSystem,company,department,description|ft -wrap -auto
As you can see the fields Description, Company and Department are empty for this computer object.
Now let’s try to change the description of the computer with the command :
Set-ADComputer -Identity LON-MAN01 -Add @{Description=Infrastructure Management Server}
You can specify a computer location:
Set-ADComputer – Identity LON-MAN01 – Location CA/Toronto.
If you want to set different computer settings, use the following PowerShell code:
$Server = Get-ADComputer -Identity LON-MAN01
$Server.company = Contoso
$Server.department = IT
Set-ADComputer -Instance $Server
Check if the characteristics of the computer have changed:
Get-ADComputer LON-MAN01 – properties *select object dNSHostName,operatingSystem,company,department,description|ft -wrap -auto
As you can see, the computer attributes contain the necessary information. Based on these attribute values we can then select computers in AD. For example, I want to find all the computers in Contoso’s IT department. A PS job that searches all computers on the basis of these criteria may look as follows
Get-ADComputer -Filter {(company -eq ‘Contoso’) -and (department – such as ‘IT’) -and (department – such as ‘IT’)} -Properties *select object dNSHostName,operatingSystem,company,department,description|ft -wrap -auto
You can also use the Set-ADComputer cmdlet to disable/enable the AD account of the computer object:
Set-ADComputer lon-pc-h1221 -At $false
.
How do I add a username to login to the properties of the AD computer?
Now let’s look at a more interesting and useful example of using Set-ADComputer. Suppose you decide to write the computer’s current IP address and the name of the last user who logged on to the attributes of each computer in Active Directory.
We will use the description attribute to store the IP address of the computer, and the ManagedBy attribute to store the name of the user who is currently logged in to that computer.
First, you must delegate certain AD rights to the user group of the domain (or another security group) in the OU that contains the users’ computers. Allows users to change the values of the following fields for computer objects: ManagedBy and Description (specify description and write Managed By permissions).
Then create a new group policy that contains the following PowerShell login script (User Configuration -> Policies -> Windows Settings -> Scripts -> Logon) that is executed when the user logs in to the computer:
$curhostname=$env:calculation name
$env:HostIP = (
Get-NetIPConfiguration |
Where-Object {
$_.IPv4DefaultGateway -ne $null – and
$_.NetAdapter.Status -ne Disconnected
}
).IPv4Address.IPAddress
$currus_cn=(addressed $env:UserName -properties *).DistinguishedName
$ADComp = Get-ADComp -Identity $curhostname
$ADComp.ManagedBy = $currus_cn
$ADComp.description = $env:HostIP
Set-ADComp -Instance $ADComp.
This PowerShell script runs under the user account and determines the IP address of the current computer and the current CanonicalName (CN) username. The script then writes this data to the computer’s account object in the AD. For this scenario, the RSAT-AD-PowerShell module must be installed on the users’ computers.
You must link this GPO to a computer OR and allow the processing of the use cycle of the group policy (see this article).
When the user now logs on to the computer, a PowerShell login script is executed that updates the description of the computer in the AD.
You can check the IP addresses of computers in the Active Directory Users and Computers (ADUC) console. The Properties Manager tab contains an active shortcut to the user account that was last logged in to this computer.
You can now quickly find the computers in the domain thanks to their :
get-adcomputer -filter {description – like 192.168.15.*} -properties *|select name,description,management by
You can also search for all computers in the domain to which a particular user is logged in (Get-ADUser gets the user’s DistinguishedName):
$user=’a.adams’
$user_cn=(get-aduser $user -properties *).DistinguishedName
Get-ADComputer -Filter ManagedBy -eq ‘$user_cn’ -properties *|select name,description,managedBy|ft
Similarly, you can store all information about a workstation or user in the properties of an AD computer account and use it to locate computers in AD.
Related Tags:
set adcomputer multiple computers,get adcomputer ss64,ad computer site attribute,set-adcomputer security,set-adcomputer extensionattribute1,update computer description active directory,set-adcomputer localhost,get-adcomputer managedby,powershell get computer description,powershell update computer account,dnshostname powershell,powershell change computer description,powershell append computer description,change computer description command line,ad description script,powershell change local computer description,active directory computer object description,active directory custom fields,unique x500 object id,add field to active directory,oidgen vbs,active directory schema snap-in,active directory extended attributes list,set-aduser,get-adcomputer,get-adcomputer properties,set-adcomputer : insufficient access rights to perform the operation,set-adcomputer extended attributes,set-adcomputer principalsallowedtodelegatetoaccount,update adcomputer,set-adcomputer example