
Computer Description Permission


  • Computer Description Permission

    Hi. I have a network with about 70 computers and I would like to populate the local computer description of each computer with the name of the last user logged on. I wrote a script that will do this for me via AD; one problem remains, the domain users do not have permission to write/change the computer description. I know it is possible to allow them via Active Directory (Advanced Security...), but one wrong move could cause a lot of headaches. So I am looking for some direction on exactly which setting I need to change to allow domain users to alter the computer description. Thanks for your help in advance.

  • #2
    Re: Computer Description Permission

    1) Right-click the OU/container where computer accounts reside and choose "Delegate Permissions" (do NOT do it for the whole AD as this will allow editing description of any computer object including Domain Controllers)
    2) Click "Next" and in the next dialog add "Domain Users" group
    3) In the next dialog select "Create a custom task to delegate"
    4) Select "only the following objects in the folder" and check "computer objects" in the listbox
    5) Click Next. In the next dialog make sure only "Property specific" is checked under "Show these permissions"
    6) Check "Write description"
    7) Click Next and Finish

    You are done.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"

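To check that the delegation from the steps above is scoped as intended, the following added example (not part of the original posts) lists every allow ACE on an OU that lets a principal write the description of computer objects beneath it. The OU distinguished name is a placeholder and the script assumes a domain-joined Windows host; it resolves only ACEs that name the description attribute or all properties.

```powershell
# Added example. $OuDn is a placeholder: point it at the OU that was delegated.
param([string]$OuDn = 'OU=Workstations,DC=example,DC=com')

# Schema GUIDs as they appear in directory ACEs
$DescriptionAttr = [guid]'bf967950-0de6-11d0-a285-00aa003049e2'  # attribute: description
$ComputerClass   = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # class: computer
$Any             = [guid]::Empty            # "all properties" / "all classes"
$WriteProperty   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$ou    = [ADSI]"LDAP://$OuDn"
# Explicit and inherited ACEs, with SIDs translated to account names
$rules = $ou.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

$rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $WriteProperty) -eq $WriteProperty) -and
    # 'None' means the ACE covers only the OU object itself, not its children
    $_.InheritanceType -ne 'None' -and
    ($_.ObjectType -in $Any, $DescriptionAttr) -and
    ($_.InheritedObjectType -in $Any, $ComputerClass)
} | ForEach-Object {
    [pscustomobject]@{
        Identity  = $_.IdentityReference.Value
        Property  = if ($_.ObjectType -eq $Any) { 'ALL PROPERTIES' } else { 'description' }
        AppliesTo = if ($_.InheritedObjectType -eq $Any) { 'all child classes' } else { 'computer' }
        Inherited = $_.IsInherited   # True: the ACE comes from a parent container
    }
} | Sort-Object Property, Identity | Format-Table -AutoSize
```

A row for Domain Users with Property `description` and AppliesTo `computer` is the delegation described above; rows showing `ALL PROPERTIES`, or the same grant appearing on the domain root or the Domain Controllers OU, are broader than that.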

    • #3
      Re: Computer Description Permission

      I'm very curious about this script and would ask you to post it if you want. I guess it could help some people here too !

      thanks !



      • #4
        Re: Computer Description Permission


        Thanks for your speedy reply. I tried your steps (that's about what I would have assumed would do it), but when I log onto computers as normal domain users w/o admin privileges, they still have access denied when attempting to change their Computer Description. Do you have any idea why this might be? Thanks again for your help.

        And for anyone who was looking, this is the script I created to change the computer description to "User's Name - Dell Service Tag." There's a myriad of other things that you could place. But that's what is most useful for us. It works when logged on as an admin, but I can't get it working for Domain Users.

        ' Look up the logged-on user's AD object and take its common name
        Set objSysInfo = CreateObject("ADSystemInfo")
        Set objUser = GetObject("LDAP://" & objSysInfo.UserName)
        strName = objUser.CN
        strComputer = "."
        Set objWMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
        ' Read the chassis serial number (the Dell Service Tag)
        Set colSMBIOS = objWMIService.ExecQuery _
            ("Select * from Win32_SystemEnclosure")
        For Each objSMBIOS in colSMBIOS
            strService = objSMBIOS.SerialNumber
        Next
        ' Set the local computer description and commit the change
        Set colOperatingSystems = objWMIService.ExecQuery _
            ("Select * from Win32_OperatingSystem")
        For Each objOperatingSystem in colOperatingSystems
            objOperatingSystem.Description = strName & " - " & strService
            objOperatingSystem.Put_
        Next


        • #5
          Re: Computer Description Permission

          What Guy suggested was that you "Delegate Permissions" on the OU/container where computer accounts reside, to allow users to edit the description of the computer objects in Active Directory.

          What your script does is change the 'Description of the Windows operating system' on the local computer.

          If you want to give users the permission to change the computer description that is on the local computer, you will probably need to change the permissions on this registry key first:
          HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
          Then you can use a logon script that adds or edits the entry srvcomment in that key.
          (You can change the permissions on that registry key by using a GPO.)

          By contrast, this script shows how you can edit the computer's account description in Active Directory after you "Delegate Permissions".
          ' Script source:
          Dim adsinfo, ThisComp, oUser
          Set adsinfo = CreateObject("ADSystemInfo")
          ' Bind to this computer's account and to the logged-on user's account in AD
          Set ThisComp = GetObject("LDAP://" & adsinfo.ComputerName)
          Set oUser = GetObject("LDAP://" & adsinfo.UserName)
          ' // check,
          ' WScript.Echo oUser.department & " - " & oUser.description & " " & oUser.telephoneNumber
          ' // put and set the new description,
          ThisComp.Put "description", oUser.department & " - " & oUser.description _
                & " " & oUser.telephoneNumber
          ' Commit the cached change to the directory
          ThisComp.SetInfo


          = EDIT =

          DELEGATION (
          If you run the script as a startup script, you must assign the following permission to the OU containing computers that will run this script:

          Apply To: Computer objects

          Note the "Self" identity is used, meaning a computer can update its own description and comment but nothing else.

          But since the script (see link) is running at computer startup, there is not yet a name of a current user; that is why that script reads the value of "DefaultUserName" from the registry (the name of the last logged-on user account is saved on the computer in the following key in the registry: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, if that value was not yet deleted by a policy).
          Last edited by Rems; 21st October 2009, 10:44.

          This posting is provided "AS IS" with no warranties, and confers no rights.


          ** Remember to give credit where credit's due **
          and leave Reputation Points for meaningful posts
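The post above separates the local computer description from the description on the AD computer object. This added example (not from the thread) reads both, plus the srvcomment registry value named above, and lists who may set values under that registry key; it assumes a domain-joined Windows host with PowerShell 3 or later.

```powershell
# Added example: read each place a "computer description" lives, then show
# which principals can set values under the lanmanserver\parameters key.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

# Local description through WMI (the property the script in post #4 writes)
$wmiDesc = (Get-CimInstance -ClassName Win32_OperatingSystem).Description

# srvcomment value under the key named in post #5 (absent if never set)
$regDesc = (Get-ItemProperty -Path $regPath -Name srvcomment `
                -ErrorAction SilentlyContinue).srvcomment

# description attribute of this computer's own object in Active Directory
$searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
[void]$searcher.PropertiesToLoad.Add('description')
$hit    = $searcher.FindOne()
$adDesc = if ($hit) { $hit.Properties['description'] -join '; ' }

[pscustomobject]@{
    'WMI Win32_OperatingSystem' = $wmiDesc
    'Registry srvcomment'       = $regDesc
    'AD computer object'        = $adDesc
} | Format-List

# Principals allowed to set values under the key. Any grant made here covers
# every value in the key, not only srvcomment.
$setValue = [System.Security.AccessControl.RegistryRights]::SetValue
(Get-Acl -Path $regPath).Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $setValue) -eq $setValue)
    } |
    Select-Object IdentityReference, RegistryRights, IsInherited |
    Format-Table -AutoSize
```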


          • #6
            Re: Computer Description Permission

            Just to add to what Rems has already pointed out:

            Computer description in AD (what you see in ADUC) and the description when you right-click "My Computer"->Properties->"Computer Name" are two separate things and are not sharing any information between them. Updating description in AD does not change "Computer Description" on local computer and vice versa.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"