Powershell 'where is AD user logged on' script

I'm trying to create a login script that writes the name of the computer a user is logged on to into some (no matter which) AD user property. The idea was to use the Set-ADUser cmdlet with admin creds stored in a file, but there are numerous security risks coming from that. Is there a way to delegate AD users' rights to PowerShell? (I already did that for their own properties in AD.) Or (maybe even better) does anyone have a better idea? This is more of an experiment and I really want to use PowerShell (I know there's a VBScript that does exactly what I would like to do).

Thank you and best regards!

March 21st, 2015 6:11am

User rights to most attributes in AD can be delegated. Rights are delegated to users and not to PowerShell.

There are a number of optional attributes defined for you to use as you wish.

Users cannot access the AD CmdLets as they are only installed on the Domain Controllers. You have to use ADSI.

This is a good project that will help you learn the fundamentals of Windows in a Domain and the fundamentals of AD. Start by researching the structure of attributes in AD objects and how to delegate attributes.

March 21st, 2015 10:38am

Can you point me in the right direction toward some good book or article? Is PowerShell still a way to do it, just by using ADSI rather than AD, or should I take a whole new approach?

Best regards!!!

March 30th, 2015 1:11pm


This has nothing to do with ADSI or PowerShell. You use ADUC to delegate the user objects in an OU so that the user can edit the attributes that you want them to edit. Post in the Directory Services forum for a walk-through link on adding that to a user's rights. Users already have rights on some items in AD. Once they have the rights they will be able to use your script on their own account. If you want to allow help desk to do this without making them admins (recommended) then just add them to the Account Operators group.

March 30th, 2015 3:46pm

I had already done that before I posted the first question. What I'm trying to accomplish is to write my own PowerShell logon script that does the same thing - places the name of the computer the user is logged on to into the description attribute.

Thanks again for wasting your time on me!

March 30th, 2015 9:37pm

What is in your script and what is not working?

March 31st, 2015 12:47am

I (optimistically speaking) made some time ago a very, very simple "$env:computername, $env:username | out-file something.txt". Now I'm trying to write the same thing into the user's description attribute and I need a little push. Is importing the Active Directory module through a PSSession with a DC (using admin creds) the only way, or is there some cmdlet or method that can do the same thing (with regular domain user rights)?

I'm not asking you to write me a full script (not that it wouldn't be appreciated), but just to point me in the right PowerShell direction.

Thanks again!


April 1st, 2015 11:36am

A standard user cannot update their AD object. Logon scripts run with user rights, so you're not going to be able to accomplish this using th
April 1st, 2015 11:42am

I delegated rights (with ADUC) to a test user (so he actually doesn't have standard user rights like I said above) to change the description attribute but can't find a PowerShell way to exploit it. Is there another PowerShell tool to change AD user attributes other than the module? I googled out some ridiculously complicated [adsi] things that I can't really understand. Is there a better way to store information about users' login locations? I'm avoiding VBS because the latest version of Visual Basic I was working with was 3.0 (possibly 4) and I was in the third grade.

I like the idea of scheduled job and I'll give it a try, but I would appreciate some more help. What does 'change file to %username% - %computername%' mean? The script is appending every user log to the txt file (and my OU has something like 500 users) so it's a quite long list...

Thanks!!!




April 1st, 2015 12:08pm

The idea would be to have the logon script create a separate file for each machine that identifies which user is logged in instead of writing to a single log file.

You could still use a central log file, but I'd personally go with individual files.

April 1st, 2015 3:31pm


I ended up using [adsi] .put() and .setinfo() like you suggested in the first place. It turned out very concise, just as I wanted.

Best regards.

April 1st, 2015 9:46pm
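
The approach the thread ends on ([adsi] with .Put() and .SetInfo(), run as the user with delegated write access to their own description attribute), shown as an added example that is not the poster's script. Binding to the object by SID and the exact text written to description are assumptions made for this example.

```powershell
# Added example: per-user logon script. Runs as the logged-on user and assumes
# that user has been delegated write access to the 'description' attribute of
# their own AD object (as the thread describes doing in ADUC).

# Identify the caller from the access token, not from $env:USERNAME, which the
# user can change before the script runs.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

# [Environment]::MachineName asks the OS; $env:COMPUTERNAME is also user-editable.
$computer = [Environment]::MachineName
$stamp    = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

try {
    # Bind straight to the user's own object by SID. No LDAP search filter is
    # built from user-controlled strings, and no stored admin credential is used.
    $user = [adsi]"LDAP://<SID=$sid>"

    # Put() stages the change in the local property cache; SetInfo() sends it
    # to the domain controller.
    $user.Put('description', "Logged on to $computer at $stamp")
    $user.SetInfo()
}
catch {
    # Typical failure: access denied because the attribute was not delegated,
    # or the session belongs to a local (non-domain) account.
    # A logon script should not block the logon, so warn and continue.
    Write-Warning "Could not update description for ${sid}: $($_.Exception.Message)"
}
```

The value is written by the user's own account, so treat it as a convenience lookup rather than as audit evidence of where someone logged on.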

This topic is archived. No further replies will be accepted.
