Re: add computer account to AD security group during logon



The test results are good. I had to edit some security settings on the AD groups.
On the Logged on Users group I granted the "add/remove Self.." permission and
on the Logged on Computers group Write access, both for the domain users. Now both
groups are filled after the logon.

Thanks so far.

Peter

"Peter van der Laarse" wrote:

Thank you Richard,
I'm going to test with these scripts and post my results.

Regards, Peter

"Richard Mueller [MVP]" wrote:


"Peter van der Laarse" <PetervanderLaarse@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote
in message news:5F7AC567-A704-4A30-8E4E-44ABC78C26F7@xxxxxxxxxxxxxxxx
Hello,
Due to an application that reads an AD security group to count its licences,
I'd like to achieve the following goal: to know how many users and computers
actually log in to our domain on a daily basis.
If a user logs on to his workstation, he and the computer account on which the
user logs on must be added to a separate AD security group. If the same user
logs off, he and the computer account must be removed from those groups. Group
names are e.g. "GrLoggedOnUsers" and "GrLoggedOnWorkstations".
Is there a way to do this by using a logon script and logoff script with a
command like DSmod?
I also want to log these actions. Can I use Dsquery or DSget for that in the
same script?
Maybe there are other ways to do this.

Kind regards, Peter

This adds a lot of replication traffic. Your group memberships are modified
(and replicated) at every logon and logoff. I would suggest a logon and a
logoff script that log information to a text file. I have an example
VBScript logon script that logs username, computer name, date/time, and IP
address to a log file linked here:

http://www.rlmueller.net/Logon5.htm

You can remove the parts dealing with the IP address. The log file should be
in a shared location where everyone has write access. You could use a
similar logoff script, but have the script echo "Logoff" instead of "Logon"
to the text file. The script is designed so it can be read into a
spreadsheet for analysis. The "fields" are delimited by semicolons.

Any method that adds and removes users and computers from groups should
first check if the user is already a member. If a computer crashes the
logoff script won't run, so when the user attempts to logon the Add step
will fail. I don't recommend this, but VBScript programs for logon and
logoff could be similar to (assuming all clients are W2k or above):
====== Logon script ==========
Option Explicit

Dim objSysInfo, objUser, objComputer, strUserDN, strComputerDN
Dim objUserGroup, objComputerGroup

' Retrieve DN of user and local computer.
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
strComputerDN = objSysInfo.ComputerName

' Bind to user and computer objects.
Set objUser = GetObject("LDAP://" & strUserDN)
Set objComputer = GetObject("LDAP://" & strComputerDN)

' Bind to groups. You must specify the full Distinguished Names.
Set objUserGroup = _
GetObject("LDAP://cn=GrLoggedOnUsers,ou=West,dc=MyDomain,dc=com")
Set objComputerGroup = _
GetObject("LDAP://cn=GrLoggedOnWorkstations,ou=West,dc=MyDomain,dc=com")

' Add user and computer to groups, if not already members.
If (objUserGroup.IsMember(objUser.AdsPath) = False) Then
objUserGroup.Add(objUser.AdsPath)
End If
If (objComputerGroup.IsMember(objComputer.AdsPath) = False) Then
objComputerGroup.Add(objComputer.AdsPath)
End If
=========== Logoff script ===========
Option Explicit

Dim objSysInfo, objUser, objComputer, strUserDN, strComputerDN
Dim objUserGroup, objComputerGroup

' Retrieve DN of user and local computer.
Set objSysInfo = CreateObject("ADSystemInfo")
strUserDN = objSysInfo.UserName
strComputerDN = objSysInfo.ComputerName

' Bind to user and computer objects.
Set objUser = GetObject("LDAP://" & strUserDN)
Set objComputer = GetObject("LDAP://" & strComputerDN)

' Bind to groups. You must specify the full Distinguished Names.
Set objUserGroup = _
GetObject("LDAP://cn=GrLoggedOnUsers,ou=West,dc=MyDomain,dc=com")
Set objComputerGroup = _
GetObject("LDAP://cn=GrLoggedOnWorkstations,ou=West,dc=MyDomain,dc=com")

' Remove user and computer from groups, if members.
If (objUserGroup.IsMember(objUser.AdsPath) = True) Then
objUserGroup.Remove(objUser.AdsPath)
End If
If (objComputerGroup.IsMember(objComputer.AdsPath) = True) Then
objComputerGroup.Remove(objComputer.AdsPath)
End If

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

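As an added example (not from this thread and not code from rlmueller.net), here is a Python summary of the semicolon-delimited logon/logoff text log that Richard recommends instead of changing group membership: it gives the per-day count of distinct users and computers that Peter wants for licensing, and lists logons with no later logoff, the crash case Richard mentions. The field order event;user;computer;timestamp and the timestamp format are assumptions, as is the sample log.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not a real capture). Assumed field order:
# event;user;computer;timestamp. The real Logon5.htm layout may differ.
SAMPLE_LOG = """Logon;jsmith;WS01;2006-03-01 08:02:11
Logon;pvdl;WS02;2006-03-01 08:10:45
Logoff;jsmith;WS01;2006-03-01 17:01:03
Logon;aburns;WS01;2006-03-01 17:30:00
Logon;jsmith;WS03;2006-03-02 07:55:20
Logon;pvdl;WS02;2006-03-02 08:12:00
Logoff;pvdl;WS02;2006-03-02 18:30:59
"""

def parse_log(text):
    """Yield (event, user, computer, datetime); skip malformed lines rather
    than abort, since anyone with write access can append junk to the file."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 4 or parts[0] not in ("Logon", "Logoff"):
            continue
        try:
            when = datetime.strptime(parts[3], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield parts[0], parts[1].lower(), parts[2].lower(), when

def daily_counts(text):
    """Map ISO date -> (distinct users, distinct computers) seen logging on."""
    users, computers = defaultdict(set), defaultdict(set)
    for event, user, computer, when in parse_log(text):
        if event == "Logon":
            day = when.date().isoformat()
            users[day].add(user)
            computers[day].add(computer)
    return {day: (len(users[day]), len(computers[day])) for day in users}

def unmatched_logons(text):
    """(user, computer) pairs whose latest Logon has no later Logoff: the
    sessions a crash leaves behind, which a group-based scheme would never
    clean up."""
    open_sessions = {}
    for event, user, computer, when in parse_log(text):
        key = (user, computer)
        if event == "Logon":
            open_sessions[key] = when
        else:
            open_sessions.pop(key, None)
    return sorted(open_sessions)
```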

