Re: add computer account to AD security group during logon
"Peter van der Laarse" <PetervanderLaarse@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:5F7AC567-A704-4A30-8E4E-44ABC78C26F7@xxxxxxxxxxxxxxxx
Hello,
Due to an application that reads an AD security group to count its licences,
I'd like to achieve the following goal: to know how many users and computers
actually log on to our domain on a daily basis.
If a user logs on to his workstation, he and the computer account on which the
user logs on must be added to a separate AD security group. If the same user
logs off, he and the computer account must be removed from those groups. Group
names are e.g. "GrLoggedOnUsers" and "GrLoggedOnWorkstations".
Is there a way to do this by using a logon script and a logoff script with a
command like DSmod?
I also want to log these actions. Can I use Dsquery or DSget for that in the
same script?
Maybe there are other ways to do this.

mvg, Peter

This adds a lot of replication traffic. Your group memberships are modified
(and replicated) at every logon and logoff. I would suggest a logon and a
logoff script that log information to a text file. I have an example
VBScript logon script that logs username, computer name, date/time, and IP
address to a log file linked here:

http://www.rlmueller.net/Logon5.htm

You can remove the parts dealing with the IP address. The log file should be
in a shared location where everyone has write access. You could use a
similar logoff script, but have the script echo "Logoff" instead of "Logon"
to the text file. The script is designed so it can be read into a
spreadsheet for analysis. The "fields" are delimited by semicolons.

Any method that adds and removes users and computers from groups should
first check if the user is already a member. If a computer crashes, the
logoff script won't run, so when the user next attempts to log on the Add step
will fail. I don't recommend this, but VBScript programs for logon and
logoff could be similar to (assuming all clients are W2k or above):
====== Logon script ==========
Option Explicit

Dim objSysInfo, objUser, objComputer, strUserDN, strComputerDN
Dim objUserGroup, objComputerGroup

' Retrieve the Distinguished Names of the user and the local computer.
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
strComputerDN = objSysInfo.ComputerName

' Bind to the user and computer objects.
Set objUser = GetObject("LDAP://" & strUserDN)
Set objComputer = GetObject("LDAP://" & strComputerDN)

' Bind to the groups. You must specify the full Distinguished Names.
Set objUserGroup = GetObject("LDAP://cn=GrLoggedOnUsers,ou=West,dc=MyDomain,dc=com")
Set objComputerGroup = GetObject("LDAP://cn=GrLoggedOnWorkstations,ou=West,dc=MyDomain,dc=com")

' Add the user and computer to the groups, if not already members.
' Add raises an error if the object is already a member, which happens
' when the previous logoff script never ran (e.g. after a crash).
If (objUserGroup.IsMember(objUser.AdsPath) = False) Then
    objUserGroup.Add(objUser.AdsPath)
End If
If (objComputerGroup.IsMember(objComputer.AdsPath) = False) Then
    objComputerGroup.Add(objComputer.AdsPath)
End If
=========== Logoff script ===========
Option Explicit

Dim objSysInfo, objUser, objComputer, strUserDN, strComputerDN
Dim objUserGroup, objComputerGroup

' Retrieve the Distinguished Names of the user and the local computer.
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
strComputerDN = objSysInfo.ComputerName

' Bind to the user and computer objects.
Set objUser = GetObject("LDAP://" & strUserDN)
Set objComputer = GetObject("LDAP://" & strComputerDN)

' Bind to the groups. You must specify the full Distinguished Names.
Set objUserGroup = GetObject("LDAP://cn=GrLoggedOnUsers,ou=West,dc=MyDomain,dc=com")
Set objComputerGroup = GetObject("LDAP://cn=GrLoggedOnWorkstations,ou=West,dc=MyDomain,dc=com")

' Remove the user and computer from the groups, if members.
' Remove raises an error if the object is not a member, so check first.
If (objUserGroup.IsMember(objUser.AdsPath) = True) Then
    objUserGroup.Remove(objUser.AdsPath)
End If
If (objComputerGroup.IsMember(objComputer.AdsPath) = True) Then
    objComputerGroup.Remove(objComputer.AdsPath)
End If

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
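The reply's recommended alternative is a semicolon-delimited text log that is analysed afterwards. The Python script below is an added example, not code from the original post or from rlmueller.net: it reads such a log and produces the daily counts the question asks for (distinct users and distinct computers with a Logon per day), and it treats a Logon that is followed by another Logon of the same user on the same computer with no Logoff in between as the crash case the reply describes, where the logoff script never ran. The field order (Action;User;Computer;Timestamp;IP) and the sample lines are constructed for this example, since the real Logon5 script's layout may differ. Because the share must be writable by everyone, lines that do not parse are counted and skipped rather than trusted, and records are ordered by their timestamp rather than by file position, since many clients append concurrently.

```python
"""Summarise a semicolon-delimited logon/logoff log into daily counts.

Assumed line format (constructed for this example; the real script's
field order may differ):
    Action;User;Computer;YYYY-MM-DD HH:MM:SS;IPAddress
"""
from collections import defaultdict
from datetime import datetime

FIELDS = ("action", "user", "computer", "stamp", "ip")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample log. PC02 "crashes" on 2009-03-02 (no Logoff for bob
# before his next Logon), carol has a Logoff without a logged Logon, and
# one line is junk written by some other user of the world-writable share.
SAMPLE_LOG = """\
Logon;CORP\\alice;PC01;2009-03-02 08:02:11;10.0.0.11
Logon;CORP\\bob;PC02;2009-03-02 08:05:40;10.0.0.12
Logoff;CORP\\alice;PC01;2009-03-02 12:00:05;10.0.0.11
Logon;CORP\\alice;PC01;2009-03-02 13:01:19;10.0.0.11
Logon;CORP\\bob;PC02;2009-03-03 07:58:02;10.0.0.12
garbage line written by someone with write access
Logoff;CORP\\carol;PC03;2009-03-03 09:00:00;10.0.0.13
Logoff;CORP\\bob;PC02;2009-03-03 17:30:00;10.0.0.12
Logoff;CORP\\alice;PC01;2009-03-03 17:45:10;10.0.0.11
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else.

    The log lives on a share every user can write to, so malformed or
    hostile lines are expected; they are skipped, never trusted.
    """
    parts = line.rstrip("\r\n").split(";")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["action"] not in ("Logon", "Logoff") or not rec["user"] or not rec["computer"]:
        return None
    try:
        rec["when"] = datetime.strptime(rec["stamp"], TIME_FORMAT)
    except ValueError:
        return None
    return rec


def summarise(log_text):
    """Daily distinct logon counts plus session bookkeeping for a log."""
    records, rejected = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            rejected += 1
        else:
            records.append(rec)
    # Clients append concurrently, so order by timestamp, not file position.
    records.sort(key=lambda r: r["when"])

    users_by_day = defaultdict(set)
    computers_by_day = defaultdict(set)
    open_sessions = {}     # (user, computer) -> timestamp of the open Logon
    missing_logoff = []    # Logon superseded by a new Logon: logoff script never ran
    orphan_logoffs = 0     # Logoff with no matching open session

    for rec in records:
        key = (rec["user"], rec["computer"])
        if rec["action"] == "Logon":
            day = rec["when"].strftime("%Y-%m-%d")
            users_by_day[day].add(rec["user"])
            computers_by_day[day].add(rec["computer"])
            if key in open_sessions:
                missing_logoff.append(key + (open_sessions[key],))
            open_sessions[key] = rec["stamp"]
        elif open_sessions.pop(key, None) is None:
            orphan_logoffs += 1

    daily = {
        day: {"users": len(users_by_day[day]), "computers": len(computers_by_day[day])}
        for day in sorted(users_by_day)
    }
    return {
        "daily": daily,
        "still_logged_on": sorted(open_sessions.items()),
        "missing_logoff": missing_logoff,
        "orphan_logoffs": orphan_logoffs,
        "rejected_lines": rejected,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Only Logon records count towards the daily figures, because that is what the licence question asks; the `missing_logoff` list is what to look at when the group-based approach from the question would have hit the failing Add step.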