"managed by" attribute of computer object

Hi all,
I am working on a script to manage the computer attribute "managed-by" through PowerShell. I have found the command Set-ADComputer "AAECNBJ003403L" -ManagedBy "dn_path_of_user", which does not seem to be a solution in
my AD environment.
In our environment, all the client machines are in one domain (machine.domain.com) and users from different domains (user1.domain.com ; user2.domain.com) log on to these machines (all domains are in the same forest). When I provide the DN path of the user, which
is "cn=user,dc=user1,dc=domain,dc=com", in the command Set-ADComputer "AAECNBJ003403L" -ManagedBy "dn_path_of_user" I get the following error:
Identity info provided in the extended attribute: 'ManagedBy' could not be resolved. Reason: 'Cannot find an object with identity: 'cn=user,dc=user1,dc=domain,dc=com under: 'DC=machine,DC=domain,DC=com'.
So it is searching for the user object in machine.domain.com, where the object does not exist. Please tell me if I can specify a user domain name in the command.

I need to dig into my customer's environment to find out why it works for them when they add a user from a different domain. Yes, we were in the process of a domain migration, which has been delayed due to some incompatible applications.
We have also been using a script which takes its input from a CSV file and updates the managed-by attribute of the machine. In the script we specify the domain "user.domain.com", and it works for us when we need to update the attribute
in bulk. But we also need the command for updating the attribute of an individual machine as per the end user's request. Please see the script below if it can be taken as a reference.
Import-CSV C:\Users\W9a0n3p9\Desktop\comp.csv | %{
    #Specify the search criteria
    $Computer = $_.Computername
    $samname = $_.Username
    $domain = "user.domain.com"
    #Get a list of domains in the forest and grab the DN of the one matching the above parameter.
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = $forest.Domains | ? {$_.Name -eq $domain}
    $domainDN = $domain.GetDirectoryEntry().distinguishedName
    Write-Output "Found the remote domain, the full LDAP distinguished name is $domainDN"
    #Create an LDAP searcher object and pass in the DN of the domain we wish to query
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDN")
    #Pass in the criteria we are searching for.
    #In this case we're looking for users with a particular SAM name (no space before the value, or the filter matches nothing).
    $Searcher.filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$samname))"
    $results = $Searcher.Findall()
    #Loop through the results
    Foreach($result in $results){
        $User = $result.GetDirectoryEntry()
        $userDN = $user.DistinguishedName
        Write-Output "Set the Owner for Computer $computer as $userDN"
        #ManagedBy is not in Get-ADComputer's default property set, so request it explicitly before changing it through -Instance
        $A = Get-ADComputer $computer -Properties ManagedBy
        $A.managedby = "$userdn"
        Set-ADComputer -Instance $A
    }
}
Regards,
Maddy
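For the single-machine case Maddy asks about, here is an added example (my code, not from the original post or from the AD module documentation) that resolves the user in its own domain and writes the attribute with -Replace instead of -ManagedBy, because -Replace writes the LDAP attribute directly and skips the identity resolution that produced the error above. The computer, user and domain names are the thread's placeholders, and the function name Set-ComputerManagedBy is mine.

```powershell
# Added example, not code from the original post. Sets managedBy on one computer in
# machine.domain.com to a user from another domain of the same forest.
#
# Why -Replace: -ManagedBy is an "extended" property whose value the module resolves
# as an identity in the domain it is connected to (the computer's domain), which is
# why a DN from user1.domain.com fails with "Cannot find an object with identity ...
# under DC=machine,DC=domain,DC=com". -Replace writes the raw LDAP attribute and
# does no identity lookup, so a DN from any domain in the forest is accepted.
#
# Names below (AAECNBJ003403L, user, user1.domain.com, machine.domain.com) are the
# placeholders used in the thread, not real objects.

Import-Module ActiveDirectory

function Set-ComputerManagedBy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $ComputerName,
        [Parameter(Mandatory = $true)] [string] $UserSamAccountName,
        [Parameter(Mandatory = $true)] [string] $UserDomain,
        [string] $ComputerDomain = 'machine.domain.com'
    )

    # Look the user up in its own domain; this is the lookup Set-ADComputer -ManagedBy
    # cannot do on its own, and it gives us the exact DN to write.
    $user = Get-ADUser -Identity $UserSamAccountName -Server $UserDomain -ErrorAction Stop

    # managedBy is not in Get-ADComputer's default property set; fetch it so the old
    # value is known before it is overwritten.
    $computer = Get-ADComputer -Identity $ComputerName -Server $ComputerDomain `
        -Properties managedBy -ErrorAction Stop

    # Refuse to touch domain controllers: as the other threads on this page show, some
    # environments turn managedBy into local Administrators membership via GPO, so a
    # bulk-update mistake on a DC would be costly. The OU check assumes the default
    # "Domain Controllers" OU.
    if ($computer.DistinguishedName -like '*OU=Domain Controllers,*') {
        throw "$ComputerName is a domain controller; managedBy left unchanged."
    }

    $previous = if ($computer.managedBy) { $computer.managedBy } else { '<empty>' }
    $target = "$($computer.DistinguishedName): managedBy $previous -> $($user.DistinguishedName)"

    # ShouldProcess gives the caller -WhatIf and -Confirm, so the change can be
    # previewed and is visible in the transcript of whoever runs it.
    if ($PSCmdlet.ShouldProcess($target, 'Set managedBy')) {
        Set-ADComputer -Identity $computer.DistinguishedName -Server $ComputerDomain `
            -Replace @{ managedBy = $user.DistinguishedName }
        # To remove the value again, use: Set-ADComputer <dn> -Server <domain> -Clear managedBy
    }

    # Read the attribute back from the computer's domain and return it so the caller
    # (or a scheduled job's log) can verify what was actually written.
    (Get-ADComputer -Identity $computer.DistinguishedName -Server $ComputerDomain `
        -Properties managedBy).managedBy
}

# Example call with the thread's values; add -WhatIf to preview without writing.
Set-ComputerManagedBy -ComputerName 'AAECNBJ003403L' -UserSamAccountName 'user' -UserDomain 'user1.domain.com'
```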

Similar Messages

  • Logoncount Attribute on Computer objects in Active Directory

    Hello,
    I have one question about the logoncount attribute on Active Directory objects. As I understand it, on user objects this attribute counts the number of logons per DC (because it is not replicated).
    My question is:
    What exactly is counted here on computer objects?
    I can see that on a Domain Controller computer object the logoncount is high for the DC itself and low on the other DC objects.
    Thank you.
    Regards
    Dennis

    Here is an old thread.  You will see some of the explanation from our own Richard :)
    http://www.techtalkz.com/windows-server-2003/500367-attributes-update-during-computer-logon.html
    Santhosh Sivarajan | Houston, TX | www.sivarajan.com
    ITIL,MCITP,MCTS,MCSE (W2K3/W2K/NT4),MCSA(W2K3/W2K/MSG),Network+,CCNA
    Windows Server 2012 Book - Migrating from 2008 to Windows Server 2012
    This posting is provided AS IS with no warranties, and confers no rights.

  • Managing multiple "old" AD computer objects

    So we have implemented a naming convention where the techs just select a location and department during the imaging process for a machine that is about to be deployed; during that process the computers are automagically named something like "NYC-FIN-1234567"...
    with 1234567 being the Dell asset tag.... pretty nifty Johan(!)
    However... the problem is that once that machine gets re-imaged at the same location and deployed to another team like the marketing folks (i.e. "MKT")... it gets the name NYC-MKT-1234567...
    The problem I am seeing is that now we have multiple objects in AD with the same asset tag, which is causing nightmares for licensing management... NYC-FIN-1234567 & NYC-MKT-1234567 respectively.
    I am working on a PowerShell script that will trim the names down to their respective tags and then compare the list for duplicates - then check and compare the duplicates' properties like "created date", make a determination and delete
    the older object...
    This checking for duplicates is proving to be a little more difficult and I haven't even gotten to the evaluate section yet... I am still working on my proficiency when it comes to more complex arrays.
    Am I going about this the right way or does anyone else have another approach to this conundrum?
    scripting games '14 anyone :p

    all good info!
    Since our AD has less than 3000 workstation objects the 'scaling' is manageable... it could be made a little faster, but alas here is what I have with a couple of tweaks.
    I am skimming all computer objects in our 'workstation' OU... dropping the first two prefixes, and then checking for machines that match... We were originally using "created date", but since we have workstations that have been imaged to say
    a FIN dept and then to a MKT dept and then re-re-imaged back to FIN... the created date doesn't change, so I switched to Modified date and keep the newest one...
    But also as another 'layer' of protection I test-path the workstation (we run this in the middle of the day) before disabling it and moving it to a "temp" OU where we can let them sit for a couple of weeks in case we had a false positive (thus the ping), so
    we can quickly restore that object... I also can just comment out the actual "move and disable command" so it generates a nice list of machines that would have been deleted, so I can do a 'sanity check' before deleting a bunch of VIPs' machines
    from AD :)
    #Declare Domain and OU to be Scrubbed - and $dupou is the ou we can let them 'chillout' before deleting on the next run
    $domain = "domain.com"
    $OU = "OU=Workstations,DC=domain,DC=com"
    $CleanupList = "c:\disabled.txt"
    $dupOU = "OU=Duplicates,OU=INACTIVE,DC=domain,DC=com"
    if (test-path $CleanupList) {Remove-Item $CleanupList}
    $delOK = "c:\DelOk.txt"
    if (test-path $delOK) {Remove-Item $delOK}
    #this is the TEMPORARY throttle cap... so it will stop after it finds the amount defined by $cap (so we can phase it in)
    $cap = 10000
    $Global:i = 0
    $sdate = (Get-Date)
    Write-Output "AD Duplicate 'Scrubber' Script started on: $sdate" >> $CleanupList
    Write-Output "These Machines were disabled and moved to the Inactive\Duplicates OU in our domain" >> $CleanupList
    Write-Output "--------------------------------------------------------------------------------------------------------------" >> $CleanupList
    $comps = (Get-ADComputer -filter * -Server $domain -SearchBase $OU).name
    ForEach ($comp in $comps) {
        if ($global:i -lt $cap) {
            #trim length to just asset tags (last 7 digits)
            $Length = $comp.Length
            $var = $Length - 7
            $tag = $comp.Substring($var,7)
            Write-Host -ForegroundColor yellow "Testing asset tag: $tag"
            #sorted oldest first, so the last element is the newest copy and is the one we keep
            $x = @(Get-ADComputer -Filter "name -like '*$tag'" -Properties DistinguishedName, Modified -Server $domain -SearchBase $OU | Sort-Object -Property Modified)
            if ($x.count -gt 1) {
                $y = ($x.count) - 1
                while ($y -ge 1) {
                    $z = $y - 1
                    $x.name[$z] >> $CleanupList
                    #added a ping feature as another level of "protection"
                    if (Test-Connection $x.name[$z] -Count 2 -Quiet) {
                        Write-Output "$($x.name[$z]) is Online... Skipping"
                        $x.name[$z] >> c:\WTF.txt
                    } Else {
                        #the line below this one is the one that moves and disables... keep it commented out with a # sign while testing, remove the # when testing is complete
                        #Get-ADComputer $x.name[$z] | Move-ADObject -TargetPath $dupOU -PassThru | Disable-ADAccount
                        Write-Output "$($x.name[$z]) is Offline... should delete"
                        $global:i++
                        $x.name[$z] >> $delOK
                        Write-Host -ForegroundColor Cyan "$($x.name[$z]) Moved and Disabled - $global:i"
                    }
                    #decrement outside the if/else so an online machine doesn't leave the loop spinning forever
                    $y--
                }
            }
        }
    }
    Write-Host "------------"
    Write-Host -ForegroundColor cyan "$global:i Computer objects were Disabled and Moved to $dupOU :)"
    #message in the body
    $msg = "Please review the attached list to see the Duplicate machines that were moved and disabled via this script"
    #Recipients
    $mailTo = "shad acker <[email protected]>"
    Send-MailMessage -SmtpServer smtp.domain.com -Attachments $delOK -Body $msg -To $mailTo -From "DuplicateFinder<[email protected]>" -Subject "Computer Duplicates Disabled" -Cc "who ever <[email protected]>"
    not the prettiest or most efficient but it seems to be working :)

  • Editing Computer object "info" attribute in AD

    Hi.
    I need to make it possible for users to update the AD computer object of the machine they are logged onto.
    To be able to do this I need to grant users write access to the "info" attribute of computer objects in AD. My problem is that I cannot figure out what permission entry to set to allow for users to apply "info".
    Does anyone know what permission entry on the "Computers" OU object to use to set delegated rights for "Domain users" to be able to edit the "info" attribute on each computer object?
    I am trying to achieve much of the same as described in this article, but I need to edit the "info" attribute...
    http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_24097287.html
    /Tord Bergset

    Greetings!
    Use 'Delegation Wizard' and select 'Create a custom task to delegate'. After that only choose
    'Computer Objects' and assign below rights:
    Regards.
    Mahdi Tehrani
    www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

  • Script Help - Adding Users from AD Group to Computer Object Attribute

    Environment:
    Computer Objects have the following name convention - USERNAME-INV#-PC.  An example is TEST1-54321-D.  There is a GPO in place that adds any user populated under the managedBy attribute in a computer object to the administrators group for that computer
    object.
    Scenario:
    Create "Local PC Admin" group
    When user TEST1 gets added to the "Local PC Admin" group, a powershell script that runs on an hourly scheduled task goes out and finds any computer object (that is not a server) that has TEST1 in its name.  For example, TEST1-54321-D for desktop
    and TEST1-98765-L for laptop.
    It then adds the user to the managedBy attribute of the computer object and appends the text "added as local admin on <currentdate>" to the computerobject description.
    If TEST2 is added to the group later, the script should see that TEST1 has already been added and only add TEST2 to the managedBy attribute to the appropriate computer as well as the "added as local admin on <currentdate>".
    Still thinking how this can be automated when a user is removed from the "Local PC Admin" group.
    Can somebody please find holes in this scenario or suggest a better method to approach this?

    Security nightmare?  How so?  Regular domain users cannot modify the "managedBy"  computer object attribute.
    The "Local PC Admin" group would be an ADUC security group. The Help Desk and Network Admins would be the only ones that can either add users to the group or directly modify the "managedBy" computer object attribute.
    The Group Policy that runs against the desktops/laptops looks to see if the managedBy attribute of the computer object is populated.  If so, it adds that user as a local admin to their workstation/laptop and removes any other user/group not specified
    and given local admin rights.  This would only be done for a handful of users (those in the Local PC Admin group) that need admin access ; in other words, the attribute would only be populated for a few computer objects and not the entire organization.
     If it is not populated, it does nothing and leaves the default admins on it. 
    More info on how the GPO works here: http://fbinotto.blogspot.com/2014/01/making-user-object-set-in-managedby.html

  • AMT Computer Object Creation in Out of Band Management

    Just configured our Out of Band Management / AMT settings and we're getting all our AMT systems provisioned successfully. I've noticed that now, in SCCM 2012, the AMT object that gets created are Computer objects in AD. Their objectCategory is
    CN=Computer,CN=Schema,CN=Configuration,DC=mydomain,DC=com
    Back in the SCCM 2007 days, They were Person objects in AD. We still have some in AD.
    CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
    Is this the default setting or do I have the option to change it?
    Orange County District Attorney

    Since no one has answer this post, I recommend opening  a support case with CSS as they can work with you to solve this problem.
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • Disabled domain controller computer object

    On one of our DCs, DC01 (RID/PDC), the computer account was disabled, and this was showing as disabled on all DCs in the domain. I have managed to fix it by changing the
    userAccountControl attribute on that object to 532480 in ADSI Edit on all DCs. I then had to reset the secure password for DC01 using netdom resetpwd, as it had got out of sync. Everything now seems fine: replication/authentication/DCdiag/netdiag.
    Why did this occur? It looks like you can't disable a domain controller computer account from the GUI? Am I likely to get any further issues?

    I have seen similar situations on the net but I have not found an explanation for this behavior (assuming here that this is a bug in the system). You can see references here:
    http://www.kenmanohar.com/blog/tag/domain-controller-computer-account-disabled/
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/9fb5084e-b27d-48c8-92e7-8818fc769a90/disabled-domain-controller-computer-account
    You might check if any of the administrators have mistakenly changed the value of UserAccountControl attribute. By using ADUC, you would not be able to disable the computer account of a DC.
    Please also enable the auditing in AD so that you can get more details about what happened in the future: http://technet.microsoft.com/en-us/library/cc731607(v=ws.10).aspx
    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Pull owner from computer object and add to BUILTIN\Administrators via GPO

    Quick question here - is it possible to pull an owner from a computer object in AD (left side of picture) and add him to BUILTIN\Administrators on this particular workstation along with 2 AD groups and the 'LocalAdmin' user (right side of picture)? I'm interested
    only in doing it via GPO.

    > Quick question here - is it possible to pull an owner from computer
    You mean "manager" and not "owner", right? The owner is defined in
    "security - advanced - owner" and is the account that initially created
    the object. Typically "Domain Admins"...
    > object in AD (left side of picture) and add him to
    > BUILTIN\Administrators on this particular workstation along with 2 AD
    > groups and 'LocalAdmin' user (right side of picture)? I'm interested only
    > in doing it via GPO.
    Nothing as easy as that. You can use GPP local users and groups, and you
    can use Item Level Targeting with LDAP filters. Grab the managedBy
    attribute of the computer account, grab the samaccountname of the
    managedBy DN and you're almost done :)
    Martin
    Ever read a GOOD book about GPOs?
    NO THEY ARE NOT EVIL, if you know what you are doing:
    Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))

  • Request for info regarding MAC address population in computer objects

     
    Hi,
    I am trying to determine how MAC address information is populated in computer objects. I had assumed initially that the hardware scan would be used, but observation shows this information
    to be obtained prior to any hardware inventory.
    I have laptops that are primarily connected via VPN, and before long their objects lose the internal network interface's MAC address. When I try to rebuild them, they fail to PXE boot. I have
    found that importing a CSV of host / MAC / SMBIOS GUID will update the object (rather than having to delete and recreate it), which works temporarily. The MAC will eventually disappear, and the device fails to PXE boot.
    I have thousands of these devices to manage, and it is already difficult enough having a CAS and two primaries (the windows Deployment Service on a DP only cares about devices in the DPs primary
    site, and so devices that move site are a real pain already, try finding that anywhere in the OSD reference documents!)
    I'm assuming now that this information is pulled from the actual client-server connection, and therefore is dynamic(ish), like IP information. If this is the case, more detail around that process,
    where to find evidence of  that process occurring would be very useful.

    The MAC is updated by hardware inventory and heartbeat discovery. 
    Torsten Meringer | http://www.mssccmfaq.de

  • Problem with Persistent Object as Reference Attribute of Persistent Object

    Hello All,
    I have a problem with a persistent class that contains a reference attribute to another persistent class.  I can write the reference object attribute to the DB but when I read the reference attribute back from the DB the object is null.  Allow me to explain...
    I have two tables; one is a data table with one key field of type OS_GUID, the second is a mapping table with several business key fields and two further fields; an instance GUID and a class identifier GUID.  The data table is used to contain all the data for an object.  The mapping table is used to hold a relationship between the GUID assigned in the data table and the business key.  The mapping table has been structured in this way by following the help here:
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/df/e785a9e87111d4b2eb0050dadfb92b/frameset.htm
    and the field mapping in persistent class for the mapping table has been mapped following the help here:
    http://help.sap.com/saphelp_erp2005vp/helpdata/en/06/f23c33638d11d4966d00a0c94260a5/frameset.htm
    The code I use to create entries in the data and mapping table is:
    <-snip->
      DATA:
        gv_blank_data_guid TYPE REF TO zcl_ps_data,
        gv_data_guid       TYPE        os_guid,
        go_data_ps         TYPE REF TO zcl_ps_data,
        go_data_agent      TYPE REF TO zca_ps_data,
        go_data_map_ps     TYPE REF TO zcl_ps_data_map,
        go_data_map_agent  TYPE REF TO zca_ps_data_map,
        go_exc             TYPE REF TO cx_root.
      go_data_agent = zca_ps_data=>agent.
      go_data_map_agent = zca_ps_data_map=>agent.
      TRY.
          " Check if there's already data with the business key on the DB
          go_data_map_ps = go_data_map_agent->get_persistent(
                             i_data_ref     = iv_data_ref
                             i_action       = iv_action ).
          " ... if there is then exit.
          EXIT.
        CATCH cx_root INTO go_exc.
      ENDTRY.
      TRY.
          " Create the data...
          go_data_ps = go_data_agent->create_persistent(
                           i_root_guid = gv_blank_data_guid
                           i_req_date  = iv_req_date ).
          TRY.
              " ... finally, write the new data to the data business key map table
              go_data_map_ps = go_data_map_agent->create_persistent(
                                 i_data_ref     = iv_data_ref
                                 i_action       = iv_action
                                 i_data_guid    = go_data_ps ).    "note1
            CATCH cx_root INTO go_exc.
          ENDTRY.
        CATCH cx_os_object_not_found.
      ENDTRY.
      COMMIT WORK.
    <-snip->
    The fact that it is possible to pass the object GO_DATA_PS in the call to GO_DATA_MAP_AGENT (the line that I've put the comment "note1" on) indicates to me that the reference to the data persistent object can be written to the DB by the mapping persistent object.  After executing the above code the mapping table object and class identifier fields are populated.  Also, if multiple entries are written to the tables then the class identifier field in the mapping table is always the same and the object ID is different as expected.
    However, the problem I have is if I read an object from the DB using the business key with the following code:
    <-snip->
      DATA:
        gv_req_date        TYPE        datum,
        gv_data_guid       TYPE        os_guid,
        go_data_ps         TYPE REF TO zcl_ps_data,
        go_data_agent      TYPE REF TO zca_ps_data,
        go_data_map_ps     TYPE REF TO zcl_ps_data_map,
        go_data_map_agent  TYPE REF TO zca_ps_data_map,
        go_exc             TYPE REF TO cx_root.
      go_data_agent = zca_ps_data=>agent.
      go_data_map_agent = zca_ps_data_map=>agent.
      TRY.
          " Read data mapping with the business key
          go_data_map_ps = go_data_map_agent->get_persistent(
                             i_data_ref     = iv_data_ref
                             i_action       = iv_action ).
          " ... then read the data.
          TRY.
              CALL METHOD go_data_map_ps->get_data_guid
                RECEIVING
                  result = go_data_ps.
            CATCH cx_os_object_not_found.
          ENDTRY.
        CATCH cx_root INTO go_exc.
      ENDTRY.
    <-snip->
    At no point during this code are the attributes of the object of the persistent class for the data table populated with the contents of the fields of the data table referenced as the attribute of the mapping table.  To clarify, when viewing the object in the debugger all the attributes of the mapping object that are simple table fields are populated with the values of the fields of in the mapping table, however, the attributes of the object that represents the persistent class for the data table are not populated with the fields of the data table.  I had hoped that by reading the mapping table object the data object would automatically be populated.  Is there another step I need to perform to populate the data object?
    I'm sorry if the above is hard to follow.  Without being able to provide screenshots it's difficult to explain.
    If someone has managed to store references to persistent objects in a table and then read the references back could you list the steps you went through to create the persistent classes and include the code that reads the objects please?  The code I have almost works, I must be just missing some subtle point...
    Thanks in advance,
    Steve.

    Hi Andrea,
    The iObject being replicated at item level for Service Complaints is the SAP standard behaviour.
    Generally we raise a complaint referring to some sales or service issue. In your scenario you are trying to create a complaint based on an iObject, then you have to mention the corresponding product details. I don't see any business requirement not to copy the iObject product at the item level.
    If you want it then I think only you have to write a Z program for it.
    Hope this helps!
    Regards,
    Chethan

  • Health rollup to computer object from Microsoft.Windows.ApplicationComponent

    Hi All.
    Trying to author a Management Pack in Authoring Console 2007 R2. And can't get rollup to work as I want.
    Here's the long story.
    I've created:
    A discovery MP which holds:
    - an abstract class inherited from Microsoft.Windows.Computer, named: "AppX.Cmp.Role"
    - a (seed?) class inherited from the above, named: "AppX.Cmp.Role.Server"
    - a class inherited from "AppX.Cmp.Role.Server" named "App.Cmp.Role.Server.Replicator"
    - a class inherited from "Microsoft.Windows.ApplicationComponent" named: "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a class of type "Microsoft.SystemCenter.InstanceGroup" named: "AppX.Group"
    - a relationship (system.hosting) where source class is "AppX.Cmp.Role.Server.Replicator" and target class is "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a registrydiscovery to discover "AppX.Cmp.Role.Server" targeted at "Windows.Operating.System"
    - a scriptdiscovery to discover "AppX.Cmp.Role.Server.Replicator" targeted at "AppX.Cmp.Role.Server"
    - a scriptdiscovery to discover "AppX.Cmp.Role.Server.Replicator.Loginstance" targeted at "AppX.Cmp.Role.Server.Replicator"
    - a groupdiscovery ("Microsoft.SystemCenter.GroupPopulator") target: "AppX.Group" (Microsoft.Windows.Computer)
    - a dependencymonitor targeted at "AppX.Cmp.Role.Server.Replicator" and monitor dependency set to "AppX.Cmp.Role.Server.Replicator.Loginstance", HealthRollup set to "worst state".
    A monitoring MP (depending on the discovery MP) which holds:
    - a processmonitor targeted to "AppX.Cmp.Role.Server.Replicator" and "replicator.exe"
    - a logfilemonitor targeted to "AppX.Cmp.Role.Server.Replicator.Loginstance"
    - a stateview targeted to "AppX.Group"
    When I kill the "replicator.exe" process the object goes to unhealthy all the way up to "Windows.Computer". But when the logfilemonitor triggers and turns into "unhealthy state" the object in the above view turns RED but not the
    "Windows.Computer" object (looking at the default view "Windows Computers").
    Is it possible to get the "Windows.Computer" object to reflect the "AppX.Cmp.Role.Server.Replicator.Loginstance" state?
    How?

    Sorry about that - its been a long weekend.
    I was quoting from the following:
    "Use the Microsoft.Windows.LocalApplication as a base class when your class type represents a local application that shares the resources of the hosting Windows computer with other applications. Unlike the Microsoft.Windows.ComputerRole class,
    the Microsoft.Windows.LocalApplication class type does not automatically roll its health up to the hosting computer."
    http://msdn.microsoft.com/en-us/library/ee533867.aspx
    Would you be able to upload the results if you run the Visio MP diagram generator and possibly the health explorer views? This will help me see how it hangs together.

  • Powershell Get-ADUser returns Computer objects as well ???! How to prevent.

    I ran the following script and got a bunch of computer objects in my CSV. How do I prevent this? I already tried using
    Where-Object {$_.type -eq "user"}
    OR
    -Filter {type -eq "user"}
    script:
    Get-ADUser -Filter * -Properties samAccountName,accountExpires,Created,LastLogonTimeStamp,Department,physicalDeliveryOfficeName,employeeID,AccountExpirationDate,Manager |
        Where-Object {$_.accountexpirationdate -lt $timex} |
        select Name,samAccountName,
            @{Name="Timestamp";Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}},
            @{n='Date Created';e={$_.created}},
            Department,
            @{n='Location';e={$_.physicalDeliveryOfficeName}},
            employeeID,AccountExpirationDate,
            @{Label='Manager sAMAccountName';Expression={(Get-ADUser $_.Manager).sAMAccountName}},
            @{Label='Manager Name';Expression={(Get-ADUser $_.Manager).name}} |
        export-csv -path $mypath -notypeinformation

    Someone told me the Computer accounts are generic accounts...makes any sense?
    No.
    EDIT: What's the output of this command for one of these computer accounts:
    Get-ADUser ThatComputerAccount | Select *
    Don't retire TechNet! -
    (Don't give up yet - 13,225+ strong and growing)

  • Trying to update hidden attribute in AD computer objects.

    I am trying to update my AD computers using PowerShell to read the items from a CSV file. I have successfully updated the Description and other standard items, but I cannot get the non-common
    hidden attributes to update. I am very green on PowerShell. I'm not even sure I'm using the correct commands.
    The contents of the CSV file looks like as below:
    Name = preexisting Computer object name
    Description = Information I want to place in the description field (Non-hidden \ standard)
    comment = Information I want to place in the comments field (Hidden field)
    name,description,comment
    Computer1,Computer Model - 123456789 - Office 1111,Comment1
    Computer2,Computer Model - 234567891 - Office 1112,Comment2
    Computer2,Computer Model - 345678912 - Office 1113,Comment3
    Below is the script:
    # Update Computer Description and Comments
    Import-Module ActiveDirectory
    Import-CSV "C:\temp\Computers.csv" | % {
        $Computer = $_.name
        $Description = $_.description
        $Comment = $_.comment
        Set-ADComputer $Computer -Description $Description
        # Set-ADComputer has no -Comment parameter, so this line fails; the reply that follows shows the -Replace form
        Set-ADComputer $Computer -comment $Comment
    }

    To set comments on non-standard items you need to do something like this:
    Set-ADComputer Computername -replace @{Comment="Test1"}
    Thank you Richard.  The information worked well.  I modified it slightly to retrieve the information from the CSV file as seen below:
    Set-ADComputer $Computer -replace @{Comment=$Comment}

  • How to configure discover to import workstation computer object only?

    Is there a way to discover workstation computer objects only (exclude server objects)?
    Jason

    If Servers are discovered that doesn't mean that they are managed.
    No, discovery is just that, simple knowledge that the resource exists and has no other specific implications.
    Another option here in 2012 is to use group discovery. You can place all of your workstations in a single AD security group and then include this group in your security group discovery. This does sacrifice some of the functionality offered by system discovery,
    but it will work.
    I also concur with John, having servers and workstations in the same OU within AD is pretty poor design.
    Jason | http://blog.configmgrftw.com
    Read my sentence again Jason :)
    I'm saying that even if they are discovered it doesn't mean that they are managed.
    There is an implication: the desktop management team is outsourced and not supposed to know server names and IPs.
    Jason

  • Delete Computer object VS Disjoin

    Quick question on AD administration to help resolve an internal debate:
    We're running AD on Windows Server 2008 R2.  One admin states that "deleting doesn't remove all AD objects", and that you need to run a disjoin on the machine first to properly remove the Computer Object.  Can anyone confirm this? 
    Which is the correct way to remove objects in AD?
    It's my understanding that no matter what, you'll end up running a delete command, which marks the object as deleted; this gets replicated to all other DC's, and whenever the tombstone lifetime expires, then a cleanup process will finally and forever remove
    the tombstone objects.  If you don't run a "disjoin" command first, will there be any other lingering objects that need special care and consideration??
    Any info is appreciated.  Thanks much.

    Hi - This is _how_ it works:
    A domain unjoin comes down to the NetUnJoinDomain() API call documented at:
    http://msdn.microsoft.com/en-us/library/windows/desktop/aa370644(v=vs.85).aspx
    There are two scenarios that can happen: either the account gets disabled (by default) if you unjoin using the UI, or it's not disabled if you leave out the misnamed flag 'NETSETUP_ACCT_DELETE', which actually means disable and not delete.
    The computer account is only disabled, regardless of the flag, if the user that performs the unjoin has the rights to disable the computer account in AD, e.g. write to the userAccountControl attribute.
    The computer account (object) in AD is never deleted from AD during an unjoin.
    However, the importance of clean-up here is that the computer account's password is cleared from the LSA during an unjoin, so it can't be used to authenticate against AD in case the computer account is NOT disabled for one of the reasons mentioned
    above.
    Deleting the computer object from AD is like deleting any other object in AD: it stays for the TSL until it's ultimately removed from the database.
    Enfo Zipper
    Christoffer Andersson – Principal Advisor
    http://blogs.chrisse.se - Directory Services Blog
