@jschlackman
Last active November 21, 2023 17:41
# Name: Set-ComputerInfoFromAD.ps1
# Author: James Schlackman
# Last Modified: Nov 21 2023
# Gets the description attribute of the current computer object in AD and sets it as the local computer
# description, sets the registered user and organization according to the 'Managed By' attribute of
# the computer account, and optionally adds that user to the local Administrators group.
# Run this as a GPO computer startup script or scheduled task running as SYSTEM
# and it will automatically be run under the correct security context to be able to communicate with
# AD and modify the required registry keys.
#
# Security note: with -GrantAdminRights the managedBy attribute becomes the source of truth for local
# Administrators membership, so any principal that can write managedBy on the computer object (OU
# delegations, Account Operators, the object's owner) can hand out local admin on that machine.
# Delegate write access to that attribute as carefully as membership of the group itself.
# managedBy may reference a group as well as a user; both are handled by the Add below.
Param(
# Specifies whether to add the assigned user to the local Administrators group
[Parameter()] [Bool]$GrantAdminRights = $false,
# Specifies whether to remove any other named users from the local Administrators group
[Parameter()] [Bool]$CleanupAdminRights = $false
)
# Connect to default domain. RootDSE also tells us where the forest-wide Configuration partition lives.
$rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
$Domain = [String]$rootDse.defaultNamingContext
$ConfigNC = [String]$rootDse.configurationNamingContext
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain")
# Get computer name from environment variable
$ComputerName = $env:COMPUTERNAME
# Find a single computer matching this name in the current domain
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=computer)(name=$ComputerName))"
[System.DirectoryServices.SearchResult]$result = $searcher.FindOne()
# SID of the managedBy principal. Stays $null when the attribute is not set, in which case
# -CleanupAdminRights removes every individual AD user from the local Administrators group.
$userSid = $null
# If we found a computer, get its description
if ($result)
{
[String]$desc = $result.Properties["description"]
# Set the local description if the AD description is not blank
if ($desc)
{
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\lanmanserver\parameters" -Name "srvcomment" -Value $desc
}
# If the computer has the managedBy attribute set, set the registered Windows owner with that user's name and organization
[String]$managedBy = $result.Properties["managedBy"]
if ($managedBy) {
# A forward slash inside a DN must be escaped as '\/' when it is used in an ADsPath
$user = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($managedBy -replace '/', '\/')")
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name "RegisteredOwner" -Value ([String]$user.displayName)
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name "RegisteredOrganization" -Value ([String]$user.company)
# Get the domain of the user (the DC= tail of the DN) and resolve its NetBIOS name from the Partitions
# container. Partitions lives in the forest Configuration partition, so search it there rather than
# under the user's own domain, which does not exist for users in a child domain.
$userDomain = $managedBy.Substring(($managedBy.IndexOf('DC=')))
$partitions = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Partitions,$ConfigNC")
$dsearcher = New-Object System.DirectoryServices.DirectorySearcher($partitions)
$dsearcher.Filter = "(&(nCName=$userDomain)(nETBIOSName=*))"
$userNBName = [String]($dsearcher.FindOne()).Properties['nETBIOSName']
# Get the SID of the managedBy user
$userSid = (New-Object System.Security.Principal.SecurityIdentifier $user.objectSid[0],0).Value
If ($GrantAdminRights) {
# Add the managedBy user (or group) to the local Administrators group unless it is already a member;
# IADsGroup.Add throws when the principal is already in the group.
$ADSI = [ADSI]("WinNT://$ComputerName")
$AdminGroup = $ADSI.Children.Find('Administrators', 'group')
$memberPath = "WinNT://$userNBName/$([String]$user.sAMAccountName)"
if (-not $AdminGroup.IsMember($memberPath)) {
$AdminGroup.Add($memberPath)
}
}
}
If ($CleanupAdminRights) {
# Clear other individual AD users from the Administrators group (groups and local accounts are left alone).
# Get-LocalGroupMember can fail when the group holds an orphaned SID that no longer resolves, so the
# cleanup is skipped with a warning rather than half-applied in that case.
try {
Get-LocalGroupMember -SID S-1-5-32-544 -ErrorAction Stop | Where-Object {$_.PrincipalSource -eq "ActiveDirectory" -and $_.ObjectClass -eq "User" -and $_.SID.Value -ne $userSid} | Remove-LocalGroupMember -SID S-1-5-32-544
}
catch {
Write-Warning "Could not enumerate the local Administrators group, skipping cleanup: $_"
}
}
}
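The script above turns the managedBy attribute into local Administrators membership, so the attribute's ACL on the computer object is the real trust boundary: whoever can write managedBy can make any account a local admin on that machine. The following audit script is an added example and is not part of the gist; it lists the trustees whose ACEs allow writing managedBy on the computer object. The live lookup assumes a domain-joined Windows host and resolves managedBy's schemaIDGUID from the schema at run time; the offline demo at the end uses a random GUID and a made-up trustee (`CORP\Helpdesk`) to show how the classifier treats each ACE shape without contacting a domain. The function and parameter names are this example's own.

```powershell
# Added example (not from the gist): who can write managedBy on this computer's AD object?

# Returns the schemaIDGUID of an attribute, looked up by lDAPDisplayName in the forest schema partition.
function Get-AttributeSchemaGuid {
    param([Parameter(Mandatory)][String]$LdapDisplayName)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $schemaNc = [String]$rootDse.schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$schemaNc")
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Attribute '$LdapDisplayName' not found in the schema" }
    return [Guid]::new([byte[]]$hit.Properties['schemaidguid'][0])
}

# True when an Allow ACE lets its trustee write managedBy: WriteProperty scoped to that attribute or to
# all attributes (ObjectType empty; GenericWrite and GenericAll carry the WriteProperty bit), or
# WriteDacl/WriteOwner, which can be turned into WriteProperty by editing the ACL. Property-set ACEs are
# not expanded and Deny precedence is not netted out, so treat hits as candidates to confirm.
function Test-CanWriteManagedBy {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Rule,
        [Parameter(Mandatory)][Guid]$ManagedByGuid
    )
    if ($Rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    # An inherit-only ACE does not apply to the object itself
    if (([int]$Rule.PropagationFlags -band [int][System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { return $false }
    $adr    = [System.DirectoryServices.ActiveDirectoryRights]
    $rights = [int]$Rule.ActiveDirectoryRights
    if (($rights -band ([int]$adr::WriteDacl -bor [int]$adr::WriteOwner)) -ne 0) { return $true }
    if (($rights -band [int]$adr::WriteProperty) -eq 0) { return $false }
    return ($Rule.ObjectType -eq [Guid]::Empty) -or ($Rule.ObjectType -eq $ManagedByGuid)
}

# Lists the trustees on the named computer object whose ACEs pass Test-CanWriteManagedBy.
function Get-ManagedByWriters {
    param([String]$ComputerName = $env:COMPUTERNAME)
    $rootDse  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $root     = [ADSI]"LDAP://$([String]$rootDse.defaultNamingContext)"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectClass=computer)(name=$ComputerName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer '$ComputerName' not found in the domain" }
    $entry = $result.GetDirectoryEntry()
    $managedByGuid = Get-AttributeSchemaGuid -LdapDisplayName 'managedBy'
    # Enumerate trustees as SIDs so one orphaned SID cannot abort the whole enumeration
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if (-not (Test-CanWriteManagedBy -Rule $rule -ManagedByGuid $managedByGuid)) { continue }
        $trustee = try { $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { $rule.IdentityReference.Value }
        [PSCustomObject]@{
            Trustee   = $trustee
            Rights    = $rule.ActiveDirectoryRights
            Scope     = if ($rule.ObjectType -eq $managedByGuid) { 'managedBy' } else { 'object-wide' }
            Inherited = $rule.IsInherited
        }
    }
}

# Offline demonstration with constructed ACEs (no domain needed). A random GUID stands in for
# managedBy's schemaIDGUID and CORP\Helpdesk is a made-up trustee.
function Show-ClassifierDemo {
    $mbGuid = [Guid]::NewGuid()
    $who    = New-Object System.Security.Principal.NTAccount('CORP\Helpdesk')
    $adr    = [System.DirectoryServices.ActiveDirectoryRights]
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $cases = @(
        @{ Label = 'Allow WriteProperty on managedBy';  Rights = $adr::WriteProperty; Type = $allow; Obj = $mbGuid }
        @{ Label = 'Allow WriteProperty on other attr'; Rights = $adr::WriteProperty; Type = $allow; Obj = [Guid]::NewGuid() }
        @{ Label = 'Allow ReadProperty on all attrs';   Rights = $adr::ReadProperty;  Type = $allow; Obj = [Guid]::Empty }
        @{ Label = 'Allow GenericWrite (whole object)'; Rights = $adr::GenericWrite;  Type = $allow; Obj = [Guid]::Empty }
        @{ Label = 'Allow WriteDacl';                   Rights = $adr::WriteDacl;     Type = $allow; Obj = [Guid]::Empty }
        @{ Label = 'Deny WriteProperty on managedBy';   Rights = $adr::WriteProperty; Type = $deny;  Obj = $mbGuid }
    )
    foreach ($c in $cases) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($who, $c.Rights, $c.Type, $c.Obj)
        '{0,-38} -> {1}' -f $c.Label, (Test-CanWriteManagedBy -Rule $rule -ManagedByGuid $mbGuid)
    }
}

Show-ClassifierDemo
# On a domain-joined host: Get-ManagedByWriters | Format-Table -AutoSize
```

Run the demo anywhere System.DirectoryServices is available (Windows PowerShell, or PowerShell 7 on Windows); only the first, fourth and fifth constructed ACEs should come back True. Trustees returned by `Get-ManagedByWriters` are often groups, so the next step is to expand their membership and compare the result with who is meant to hold local admin on the machine; remember that the computer object's owner and anyone with WriteDacl can grant themselves the right later even if they do not hold it today.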
@jschlackman (Author):

Note: adding the managedBy user to the local admins group, and removing other local admins, are only guaranteed to work on Windows 10 build 1607 and higher, as earlier versions do not include the Add-LocalGroupMember and Get-LocalGroupMember cmdlets out of the box.
