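# Name: Set-ComputerInfoFromAD.ps1
# Author: James Schlackman
# Last Modified: Nov 21 2023
# Gets the description attribute of the current computer object in AD and sets it as the local computer
# description, sets the registered user and organization according to the 'Managed By' attribute of
# the computer account, and optionally adds that user to the local Administrators group.
# Run this as a GPO computer startup script or scheduled task running as SYSTEM
# and it will automatically be run under the correct security context to be able to communicate with
# AD and modify the required registry keys.
#
# Trust boundary: with -GrantAdminRights, whoever can write the managedBy attribute of this computer
# object in AD decides who becomes a local Administrator, so write access to that attribute should be
# limited to the people allowed to hand out local admin rights. With -CleanupAdminRights, every AD
# user listed directly in Administrators other than the managedBy user is removed; if managedBy is not
# set, that is every directly listed AD user. Nested groups and local accounts are never touched.
Param(
    # Specifies whether to add the assigned user to the local Administrators group
    [Parameter()] [Bool]$GrantAdminRights = $false,
    # Specifies whether to remove any other named users from the local Administrators group
    [Parameter()] [Bool]$CleanupAdminRights = $false
)

# Escapes a value for use inside an LDAP search filter (RFC 4515 section 3) so that characters
# with filter syntax meaning inside the value cannot change the shape of the query.
function ConvertTo-LdapFilterValue {
    param([AllowEmptyString()] [String]$Value)
    # Backslash is escaped first so the escape sequences added afterwards are not escaped again
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([String][Char]0, '\00')
}

$ntVersionKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$lanmanKey     = 'HKLM:\System\CurrentControlSet\Services\lanmanserver\parameters'
$adminGroupSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators

# SID string of the managedBy user; stays $null when the computer object has no managedBy,
# in which case the cleanup below keeps no AD user.
$userSid = $null

# Connect to default domain
$rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$Domain = $rootDse.DefaultNamingContext
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")

# Get computer name from environment variable
$ComputerName = $env:COMPUTERNAME

# Find a single computer matching this name in the current domain; the name is escaped before
# being placed in the filter, and only the two attributes used below are requested
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=computer)(name=$(ConvertTo-LdapFilterValue $ComputerName)))"
[void]$searcher.PropertiesToLoad.AddRange([String[]]@('description', 'managedBy'))
[System.DirectoryServices.SearchResult]$result = $searcher.FindOne()

if (-not $result) {
    Write-Warning "No computer object named '$ComputerName' found under $Domain; nothing was changed."
}
else {
    # Set the local description if the AD description is not blank
    [String]$desc = $result.Properties["description"]
    if ($desc) {
        Set-ItemProperty -Path $lanmanKey -Name "srvcomment" -Value $desc
    }

    # If the computer has the managedBy attribute set, set the registered Windows owner with that user's name and organization
    [String]$managedBy = $result.Properties["managedBy"]
    if ($managedBy) {
        # A forward slash inside a DN has to be escaped as '\/' in an LDAP ADsPath
        $user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($managedBy.Replace('/', '\/'))")
        # Cast to [String] so an unset attribute is written as an empty string rather than an empty collection
        Set-ItemProperty -Path $ntVersionKey -Name "RegisteredOwner" -Value ([String]$user.displayName)
        Set-ItemProperty -Path $ntVersionKey -Name "RegisteredOrganization" -Value ([String]$user.company)

        # Get the SID of the managedBy user (objectSid is stored as a byte array)
        $sidObject = New-Object System.Security.Principal.SecurityIdentifier $user.objectSid[0], 0
        $userSid = $sidObject.Value

        if ($GrantAdminRights) {
            # Resolve the SID to DOMAIN\user through LSA. This yields the NetBIOS domain name without
            # binding to CN=Partitions,CN=Configuration under the user's domain DN, which only exists
            # for the forest root domain and so fails for users from child domains.
            try {
                $ntAccount = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            }
            catch {
                $ntAccount = $null
                Write-Warning "Could not resolve $userSid to an account name; '$managedBy' was not added to Administrators. $_"
            }
            if ($ntAccount) {
                # Add the managedBy user to local administrators group, unless already a direct member
                # (Add throws when the account is already listed)
                $ADSI = [ADSI]("WinNT://$ComputerName")
                $AdminGroup = $ADSI.Children.Find('Administrators', 'group')
                $memberPath = "WinNT://$($ntAccount.Replace('\', '/'))"
                if (-not $AdminGroup.IsMember($memberPath)) {
                    $AdminGroup.Add($memberPath)
                }
            }
        }
    }

    if ($CleanupAdminRights) {
        # Clear other individual AD users from administrators group; compare SID strings so the
        # comparison is exact and still removes every AD user when $userSid is $null
        Get-LocalGroupMember -SID $adminGroupSid |
            Where-Object { $_.PrincipalSource -eq "ActiveDirectory" -and $_.ObjectClass -eq "User" -and $_.SID.Value -ne $userSid } |
            Remove-LocalGroupMember -SID $adminGroupSid
    }
}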
Note: adding the managedBy user to the local admins group, and removing other local admins, are only guaranteed to work on Windows 10 build 1607 and higher, as earlier versions do not include the Add-LocalGroupMember and Get-LocalGroupMember cmdlets out of the box.