Automatically Populate The Description Field Of A Computer Account

Greetings

I have a quick question regarding USN. I'm a scripting newbie, so I would like a little clarification on USN. I have a script which runs at logon and populates the computer description field with the logon user and the date of logon. Most of our users 'hotdesk', so this computer description could very likely change on a daily basis, plus the date will change every day as well. We have around 12000 users, and an article on the 4sysops website states that the USN could be exhausted within the Domain due to the levels of change within objects. Would I be putting the company I work for at risk by implementing this GPO? The last thing I would want to do is kill their Domain.

The Script I'm using is as follows:

Set WshNetwork = WScript.CreateObject("WScript.Network")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' My Date
myDateString = Date()

' Get computer object in AD
Set objSysInfo = CreateObject("ADSystemInfo")
Set objComputer = GetObject("LDAP://" & objSysInfo.ComputerName)

' Build up description field data and save into computer object if different from current description
' We also do not update computers with a description that starts with an underscore (_)
newDescription = WshNetwork.UserName & " - Logged on - " & myDateString

If Not objComputer.Description = newDescription And Not Left(objComputer.Description, 1) = "_" Then
    objComputer.Description = newDescription
    objComputer.SetInfo
End If

If there is a better way of using this script please let me know, or if I can change this in any way to make it less of a risk that would be great. Thanks in advance for your suggestions.

Regards

S



September 14th, 2015 5:39am

The purpose of your script seems to be to update the computer description with the user that is logging onto that computer. That would only work if the user logging on has the ability to update that attribute for the computer object in Active Directory. This would require a permission change for the computer object. There are two reasons I do not recommend this approach:

1. The permissions on the computer object must be such that every user logging on can update the description attribute.

2. If #1 is true, then there is nothing stopping any user from updating the description manually and forging a logon time. This isn't acceptable as reliable data with a competent auditor.

Instead, if logon times are critical, I would recommend searching for a tool that can track this information for you from the security

September 14th, 2015 10:15am

Hi Bill

I have given the Authenticated Users Write permission for the computer description field and my script works as I would like it to. I agree there is an element of trust that must be given to the users not to meddle with the computer description if they knew how to.

My question was more related to the USN: would what I am proposing to do with this script exhaust the USN for the Domain and, if so, is there a way around it, or an idea of the time scale of how long it would take to exhaust the USN?

What I'm trying to capture using this script is more of who is logged on to which machine at a given time, not really what time they log on. The reason for this is that our machines are named by serial number and people tend to hot desk more often than not. We push out software to these machines via SCCM, so if a user wants some new software it would be easy for us to find which machine they are logged onto.

Hope this clears it up a little

Regards

September 15th, 2015 3:26am
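
The permission change discussed in the replies above (write access on the description attribute for Authenticated Users) can be audited across computer objects. The following is an added example, not code posted by anyone in this thread; it assumes the RSAT ActiveDirectory PowerShell module and read access to the domain, and the function name and its SearchBase parameter are hypothetical.

```powershell
# Added example: list computer objects whose description attribute is writable
# by a broad group (Everyone, Authenticated Users, Domain Users).
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

function Get-BroadDescriptionWriter {
    # Hypothetical parameter: limit the audit to one OU; defaults to the whole domain.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Resolve the attribute GUID (and its property set, if any) from the schema
    # rather than hard-coding values.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=description)' -Properties schemaIDGUID, attributeSecurityGUID
    # An empty ObjectType GUID on an ACE means "all properties".
    $targets = @([guid]::Empty, [guid]$attr.schemaIDGUID)
    if ($attr.attributeSecurityGUID) { $targets += [guid]$attr.attributeSecurityGUID }

    $domainSid = (Get-ADDomain).DomainSID.Value
    $broad = @('S-1-1-0', 'S-1-5-11', "$domainSid-513")

    # GenericAll and GenericWrite both include the WriteProperty bit.
    $write   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inhOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                (($_.ActiveDirectoryRights -band $write) -ne 0) -and
                (($_.PropagationFlags -band $inhOnly) -eq 0) -and
                ($targets -contains $_.ObjectType) -and
                ($broad -contains $_.IdentityReference.Value)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer  = $dn
                    Principal = $_.IdentityReference.Value
                    Rights    = $_.ActiveDirectoryRights
                    Inherited = $_.IsInherited
                }
            }
    }
}

Get-BroadDescriptionWriter | Format-Table -AutoSize
```

Any row returned means the description value on that computer can be changed by every member of the listed group, so it should not be treated as audit evidence.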
