In AD is it possible to associate a user account with a computer account in some way? The idea is that I want to write a program to query AD for the computer(s) that a user owns.
In AD Users & Computers, you'll find a 'Managed By' field for each computer object. You can add the user's AD account to this field, and use it to identify the owner of the workstation.
As I understand it, there's no extra permissions granted by adding a user into the 'Managed By' field. It's just there to keep a record.
Another way that I've employed is to standardize the 'Description' field so that it holds a consistent set of information. For example, in a computer's description field you could have:
Desktop, Brisbane, Dell Optiplex 720, Fred Bloggs, 01-02-2007
From that, parsing through and pulling out a location, computer type, model, user's name, or date of purchase is pretty simple. You can also have your logon script copy the same information into the OS's machine description field.
One other option: AD lets you extend and enhance its schema, as other databases do. You can use this to add custom fields. This is a bit more involved, and you run the risk of violating the 'don't mess with the defaults unless you have no choice' rule of network administration.
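Added example (my PowerShell, not code from the answer above or from any project): it covers the two sources this answer describes, the managedBy attribute and a standardised Description field. The AD functions assume the RSAT ActiveDirectory module on a domain-joined machine; the parser assumes the answer's "Type, Location, Model, User, Date" order and a day-month-year date, and the computer and user names in the commented calls are placeholders.

```powershell
# Added example, not the answer's own code. The AD functions need the RSAT
# ActiveDirectory module and a domain-joined session; the parser runs anywhere.

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515). A DN can contain
    # parentheses or backslashes, which would otherwise break or widen the query.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '\\', '\5c'
    $escaped = $escaped -replace '\*', '\2a'
    $escaped = $escaped -replace '\(', '\28'
    $escaped = $escaped -replace '\)', '\29'
    $escaped -replace "`0", '\00'
}

function ConvertFrom-ComputerDescription {
    # Parse the answer's "Type, Location, Model, User, Date" layout. Returns $null
    # when the text does not follow the convention, so callers can flag those
    # objects instead of silently mis-reading them.
    param([AllowNull()][string]$Description)
    if (-not $Description) { return $null }
    $parts = $Description -split '\s*,\s*'
    if ($parts.Count -ne 5) { return $null }
    # Day-month-year is assumed (the answer's sample is Australian); adjust to taste.
    $date = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($parts[4], 'dd-MM-yyyy',
              [cultureinfo]::InvariantCulture, 'None', [ref]$date)
    $purchased = if ($ok) { $date.ToString('yyyy-MM-dd') } else { $null }
    [pscustomobject]@{
        Type = $parts[0]; Location = $parts[1]; Model = $parts[2]
        User = $parts[3]; Purchased = $purchased
    }
}

function Get-OwnedComputer {
    # Computers whose managedBy attribute holds the user's DN. On computer
    # objects managedBy is informational only; it grants the user no rights.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName
    $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName
    Get-ADComputer -LDAPFilter "(managedBy=$dn)" -Properties description |
        ForEach-Object {
            [pscustomobject]@{
                Computer  = $_.Name
                Owner     = $user.SamAccountName
                Inventory = ConvertFrom-ComputerDescription $_.description
            }
        }
}

function Set-ComputerOwner {
    # Record ownership the way the "Managed By" tab in ADUC does.
    param([Parameter(Mandatory)][string]$ComputerName,
          [Parameter(Mandatory)][string]$SamAccountName)
    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName
    Set-ADComputer -Identity $ComputerName -ManagedBy $user.DistinguishedName
}

# Constructed sample, mirroring the answer's example; runs without a domain.
ConvertFrom-ComputerDescription 'Desktop, Brisbane, Dell Optiplex 720, Fred Bloggs, 01-02-2007'
# Set-ComputerOwner -ComputerName BNE-PC01 -SamAccountName fbloggs   # live call, placeholder names
# Get-OwnedComputer -SamAccountName fbloggs
```

The DN is escaped before it goes into the LDAP filter because managedBy holds a distinguished name, and a name containing parentheses or a backslash would otherwise change the filter's meaning. Note that a plain `-Filter "managedBy -eq '$dn'"` has the same problem with apostrophes.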
My preferred method is simply to use inventory software that automatically associates usernames with computer names. If we maintained this information in AD, that would be one more thing to update manually with every personnel or equipment change; why would I want to do something manually if my network will do it for me?
OCS Inventory NG is a great free/open-source alternative; if the user interface isn't adequate for a particular search and you happen to know SQL, you can query the MySQL database directly as well. If you set it up so that every workstation checks in with the server at login, you will always know who is logged into which computer(s).
Not really a good way, from what I remember, because users can log on to multiple machines, or multiple users can log on to the same machine.
Assuming it's one to one (one machine to one user) in a smaller or well-controlled environment, you might be able to hack something like this together...
Depending on how much time you have before your deadline, you might have their logon script update you with who's logging in and on what machine via VBScript or batch. You can append that info to a flat file on a server share and then do your own parsing later...
sample script (not tested)
rem %COMPUTERNAME% holds the machine name; %USERNAME% the logged-on user
echo %USERNAME% on machine %COMPUTERNAME% >> S:\admins\servermap.txt
Then parse that out later with some VBScript that looks through the file and returns the machine name after a username...
Or if you're clever you could do the same thing in the logon script, but instead write the machine name to the user's AD Description field or some other field you aren't using, with something like admod... That would need admin access, though...
rem -b must be the DN of the user's own object (placeholder DN below), not the domain root
admod -b "cn=%USERNAME%,cn=Users,dc=test,dc=net" "description::%USERNAME% %COMPUTERNAME%"
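Added example (my PowerShell, not the answer's batch or VBScript): a logon-script function that appends one structured line per logon to the share, and a parser that reads the lines back and lists, for each user, every machine seen with a logon count, so the many-to-many case the answer warns about shows up instead of being hidden. The share path and the sample lines are made up for the example.

```powershell
# Added example, not the answer's own script. The share path is a placeholder.
$LogPath = '\\fileserver\admins$\servermap.txt'

function Write-LogonRecord {
    # Call this from the user logon script: one tab-separated line per logon.
    # ISO timestamps sort as text, and the computer name comes from the same
    # environment variable the batch one-liner reads (%COMPUTERNAME%).
    param([string]$Path = $LogPath)
    $line = "{0}\{1}`t{2}`t{3}" -f $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME,
            (Get-Date).ToString('yyyy-MM-ddTHH:mm:ssK')
    Add-Content -LiteralPath $Path -Value $line
}

function Get-UserMachineMap {
    # Parse the records back. Takes the lines directly (so it can be run offline)
    # or reads them from $Path. Output: one row per user/machine pair with the
    # logon count and last time seen, most-used machine first for each user.
    param([string[]]$Lines, [string]$Path = $LogPath)
    if (-not $Lines) { $Lines = Get-Content -LiteralPath $Path }
    $records = foreach ($line in $Lines) {
        # Lines that do not match the three-field layout are skipped, not guessed at.
        if ($line -match '^(?<user>[^\t]+)\t(?<machine>[^\t]+)\t(?<when>\S+)$') {
            [pscustomobject]@{
                User = $Matches.user; Machine = $Matches.machine; When = [datetime]$Matches.when
            }
        }
    }
    $records | Group-Object User, Machine | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Group[0].User
            Machine  = $_.Group[0].Machine
            Logons   = $_.Count
            LastSeen = ($_.Group | Sort-Object When | Select-Object -Last 1).When
        }
    } | Sort-Object User, @{ Expression = 'Logons'; Descending = $true }
}

# Constructed sample lines (tab-separated), standing in for the share file.
$sample = @(
    "CORP\fbloggs`tBNE-PC01`t2024-03-01T08:02:11+10:00",
    "CORP\fbloggs`tBNE-PC01`t2024-03-04T08:10:43+10:00",
    "CORP\fbloggs`tBNE-LAP07`t2024-03-02T19:22:05+10:00",   # one user, two machines
    "CORP\jsmith`tBNE-PC01`t2024-03-03T13:01:59+10:00",     # two users, one machine
    "not a record line"                                     # ignored by the parser
)
Get-UserMachineMap -Lines $sample | Format-Table -AutoSize
```

The share that receives the records only needs to grant users append/write access, not read, so one user cannot read off everyone else's logon history; the parser runs under an admin account that can read the file.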
That depends on what you mean by "owns". If you mean the workstation they log into every day, you can sort of get it by parsing your domain controllers' Security event logs and associating logon/logoff events with workstations, or the Security event logs of the workstations themselves if you want to go that far.
Logon events on the DCs show the IP the logon came from, so you'll have to parse for machine-account logons to match IP to machine name. Querying the workstation logs is better, since that shows only who logged in on that machine, though it does mean you'll have to have the Security log turned on; it's off by default on XP, but on by default on Vista and 7.
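Added example (my PowerShell, not the answer's code): it reads a workstation's Security log as the answer suggests, keeps the 4624 logon events whose logon type means a person actually used the machine, and counts logons per user. It assumes the Vista-and-later 4624 event format (XP's 528/540 events are laid out differently and are not handled), remote event-log access to the workstation, and placeholder computer names and SIDs; the embedded event is constructed so the parser can be run without a domain.

```powershell
# Added example, not the answer's own code. Names, SIDs and hosts are placeholders.

function ConvertFrom-LogonEvent {
    # Pull the fields we need out of a 4624 event's XML. Kept separate from the
    # collection so it can be exercised on saved or constructed events.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
    [pscustomobject]@{
        Time      = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        Computer  = $EventXml.Event.System.Computer
        User      = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
        Sid       = $data['TargetUserSid']
        LogonType = [int]$data['LogonType']
        Source    = $data['WorkstationName']
        SourceIp  = $data['IpAddress']
    }
}

function Get-InteractiveLogon {
    # Query a workstation's Security log for 4624 and keep the logon types that
    # mean someone sat at (2), RDP'd into (10) or used cached credentials on (11)
    # the machine. Type 3 (network) is what a DC mostly sees and says nothing
    # about who uses the workstation. Machine accounts (trailing $) and the
    # built-in identities (anything outside S-1-5-21-*) are dropped.
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Days = 30)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object { ConvertFrom-LogonEvent ([xml]$_.ToXml()) } |
        Where-Object { $_.LogonType -in 2, 10, 11 -and
                       $_.Sid -like 'S-1-5-21-*' -and
                       $_.User -notmatch '\$$' } |
        Group-Object User | ForEach-Object {
            [pscustomobject]@{
                Computer  = $ComputerName
                User      = $_.Name
                Logons    = $_.Count
                LastLogon = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            }
        } | Sort-Object Logons -Descending
}

# Constructed 4624 event, trimmed to the fields used above, for an offline run.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2024-03-01T22:02:11.000Z"/>
    <Computer>BNE-PC01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="TargetUserName">fbloggs</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">2</Data>
    <Data Name="WorkstationName">BNE-PC01</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
  </EventData>
</Event>
'@
ConvertFrom-LogonEvent ([xml]$sampleXml)
# Get-InteractiveLogon -ComputerName BNE-PC01 -Days 30   # live query against the workstation
```

Reading the log remotely needs the "Remote Event Log Management" firewall rule and a reader account on the workstation; for more than a handful of machines, forwarding 4624 to a collector and running the same filter there is less painful than polling each box.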
No, you cannot do it, because what is called a machine/computer joined to Windows AD is really only a Windows installation; physical machines are not identified by Windows AD. You can boot it:
So, the DC will not detect the physical hardware computer. It is not clear what to consider a physical security unit, even theoretically.
I tried to ask a similar question on SF, but it was closed:
I hope the destiny of your question will be different.
I upvoted your question, keep going!