I need a script that can list the Computer Account Owner

  • Question

  • Hi

    I need to be able to use a script that can automatically list all computers in an OU and the computer owner (as shown in computer properties/security/advanced/owner).  This is because we have many 1st line support guys in many offices all over the world, and have a problem where many of them forget to move new computers from our New Computers OU (where AD automatically puts them when they're joined instead of the computers container) to the correct OU.  So I came up with the following very simple script that will just disable all those computer accounts if left there at night (when the script runs):

    dsquery computer "ou=new computers,dc=aveva,dc=com" | dsmod computer -disabled yes


    The only problem is that we now want to be able to email the person who added that machine to the domain to proactively move it rather than have to wait for the user to realise there's a problem and then call the helpdesk.

    So the owner attribute shows the user who added the machine to the domain, so I could write a script to email them telling them that their computer account was disabled... If I could only work out how to get that owner info by using a script.... sounds so simple... but seems so hard.

    Any help would be really great.

    Cheers

    Rowbi

    Rowbi
    Wednesday, December 30, 2009 3:37 PM

All replies

  • In PowerShell, try this, and see if the output is what you are looking for.

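    If it is, we can tweak this :)

    # Bind to the OU that holds the new computer accounts.
    $DomainName = "LDAP://ou=new computers,dc=aveva,dc=com"
    $Root = New-Object DirectoryServices.DirectoryEntry $DomainName
    $objSearcher = New-Object DirectoryServices.DirectorySearcher
    $objSearcher.SearchRoot = $Root
    $objSearcher.SearchScope = "SubTree"
    # Return computer objects only (without a filter the OU itself is also returned).
    $objSearcher.Filter = "(objectCategory=computer)"

    $colResults = $objSearcher.FindAll()
    foreach ($objResult in $colResults)
    {
        $computer = $objResult.GetDirectoryEntry()
        # Owner recorded in the object's security descriptor.
        $computer.psbase.ObjectSecurity.Owner
    }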
    Karl
    http://unlockpowershell.wordpress.com
    Wednesday, December 30, 2009 4:21 PM
  • A VBScript program to retrieve the owner of a specified object:

    Option Explicit
    Dim objADObject, objSecurityDescriptor, strDistinguishedName
    
    ' Specify Distinguished Name of object.
    strDistinguishedName = "cn=MyComputer,ou=West,dc=MyDomain,dc=com"
    
    Set objADObject = GetObject("LDAP://" & strDistinguishedName)
    Set objSecurityDescriptor = objADObject.Get("ntSecurityDescriptor")
    Wscript.Echo objSecurityDescriptor.Owner
    Richard Mueller
    MVP ADSI
    Wednesday, December 30, 2009 4:59 PM
  • Hi everybody

    Thanks Richard, the VBScript works but it returns the value for only one computer. Is there any way to search for all computers in a specified OU and return the ownership value to a text file?

    Appreciate your help

    Sunday, January 3, 2010 9:25 AM
  • You can bind to the OU object, then filter on user objects, and enumerate all users in the OU. For example:

    ' Specify DN of the OU.
    strOU = "ou=Sales,ou=West,dc=MyDomain,dc=com"
    
    ' Bind to the OU object.
    Set objOU = GetObject("LDAP://" & strOU)
    
    ' Filter on user objects.
    objOU.Filter = Array("user")
    
    ' Enumerate users.
    For Each objUser In objOU
        Set objSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
        Wscript.Echo objUser.sAMAccountName _
            & ", Owner: " & objSecurityDescriptor.Owner
    Next
    
    In this case I output the sAMAccountName of each user, which is the "pre-Windows 2000 logon" name. You could instead use the distinguishedName attribute of the user objects. Run the script at a command prompt and redirect the output to a text file.  For example, if the script is saved in Owner.vbs, use a command similar to:

    cscript //nologo Owner.vbs > report.txt

    I hope this helps.

    Richard Mueller


    MVP ADSI
    Sunday, January 3, 2010 2:31 PM
  • Great, thank you so much Richard, it works perfectly,
    but is there a way to list the operating system name for each computer?
    Sunday, January 3, 2010 6:55 PM
  • You can use the operatingSystem, operatingSystemVersion, and operatingSystemServicePack attributes of the computer objects. Also, I see I filtered on user objects in my previous example, when I should have filtered on computer objects. Revised script could be as follows:

    ' Specify DN of the OU.
    strOU = "ou=Sales,ou=West,dc=MyDomain,dc=com"
    
    ' Bind to the OU object.
    Set objOU = GetObject("LDAP://" & strOU)
    
    ' Filter on computer objects.
    objOU.Filter = Array("computer")
    
    ' Enumerate computers.
    For Each objComputer In objOU
        Set objSecurityDescriptor = objComputer.Get("ntSecurityDescriptor")
        Wscript.Echo objComputer.sAMAccountName
        Wscript.Echo "  Owner: " & objSecurityDescriptor.Owner
        Wscript.Echo "  Operating System: " & objComputer.operatingSystem
        Wscript.Echo "  Operating System Version: " & objComputer.operatingSystemVersion
        Wscript.Echo "  Operating System Service Pack: " & objComputer.operatingSystemServicePack
    Next
    Richard Mueller
    MVP ADSI
    • Proposed as answer by Laerte Junior Tuesday, January 5, 2010 1:48 AM
    • Marked as answer by IamMred Friday, January 8, 2010 7:53 AM
    Sunday, January 3, 2010 7:18 PM
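
The report the original question asks for, as an added PowerShell example that is not code from any participant in this thread: it lists each computer in the OU with its owner, whether that owner is a user or a group, and the owner's mail address. It assumes a domain-joined host and read access to the OU; the OU DN is the one from the question, and the output file name and the `CanNotify` column are hypothetical.

```powershell
# Added example (not from the thread). Assumes a domain-joined host and read access to the OU.
$ouDn = 'ou=new computers,dc=aveva,dc=com'    # OU named in the original question

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot    = New-Object System.DirectoryServices.DirectoryEntry "LDAP://$ouDn"
$searcher.Filter        = '(objectCategory=computer)'   # skip the OU itself and non-computer objects
$searcher.SearchScope   = 'Subtree'
$searcher.PageSize      = 500                           # page results so large OUs are not truncated
# Request only the owner part of the security descriptor; the DACL and SACL are not needed.
$searcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Owner
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'whencreated', 'ntsecuritydescriptor'))

$report = foreach ($result in $searcher.FindAll()) {
    $sdBytes  = [byte[]]$result.Properties['ntsecuritydescriptor'][0]
    $sd       = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sdBytes, 0
    $ownerSid = $sd.Owner

    # Defaults for an owner SID that cannot be resolved (deleted account, other domain).
    $ownerName = $ownerSid.Value; $ownerClass = 'unresolved'; $ownerMail = $null
    try {
        $ownerName  = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value
        $ownerEntry = [ADSI]"LDAP://<SID=$($ownerSid.Value)>"
        $ownerClass = $ownerEntry.psbase.SchemaClassName          # 'user' or 'group'
        $ownerMail  = [string]$ownerEntry.psbase.Properties['mail'].Value
    } catch {
        # Keep the defaults; the row is still reported with the raw SID or name.
    }

    New-Object PSObject -Property @{
        Computer   = [string]$result.Properties['samaccountname'][0]
        Created    = $result.Properties['whencreated'][0]
        Owner      = $ownerName
        OwnerClass = $ownerClass
        OwnerMail  = $ownerMail
        # A group owner does not identify the person who joined the machine.
        CanNotify  = ($ownerClass -eq 'user' -and [bool]$ownerMail)
    }
}

$report | Select-Object Computer, Created, Owner, OwnerClass, OwnerMail, CanNotify |
    Export-Csv -NoTypeInformation -Path .\NewComputerOwners.csv
```

Rows where `CanNotify` is false need manual follow-up, because the owner is a group or could not be resolved to a mailbox.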
  • Karl - very interested in getting the PowerShell solution to work here. I need to include the following attributes in my output for user accounts - not computers.

    name
    when*
    samaccount*
    parentcontainerdn
    passwordstatus
    accountis*

    I want to set this up to email through a list of new accounts created in the past week. Have the email process ready to go, just need to include the Account owner in the details. The script I've used to date is:

    Get-QADUser -sizelimit 0 | where{$_.whencreated -gt (get-date).adddays(-7)}| select name, when*, samaccount*, parentcontainerdn, passwordstatus, accountis* | Export-csv c:\temp\Users7days.csv

    Would appreciate any ideas you may have with this ... or would you prefer me to submit a new request?

    Mick

    Monday, February 15, 2010 6:57 AM
  • Mick;

    I'm sorry - I did not see this question - I will look at it later (hopefully today)

    Karl
    http://unlockpowershell.wordpress.com
    Thursday, February 18, 2010 5:30 PM
  • Mick;

    Try this:

    Get-QADUser -sizelimit 0 | where{$_.whencreated -gt (get-date).adddays(-7)}| select name, when*, samaccount*, parentcontainerdn, passwordstatus, accountis*,Security.Owner.Name | Export-csv c:\temp\Users7days.csv
    Karl
    http://unlockpowershell.wordpress.com
    Wednesday, March 3, 2010 4:39 PM
  • Both scripts worked fine for me. But I had a "problem". I have 2 domains (on the same tree). And the same person that adds computers on one domain also adds them on the other. On the first domain, the Owner is OK, but on the second domain the owner is Domain Admin for all machine accounts!

    Why?

    Scenario:
    Domain 1: bussiness.corp.net
    Domain 2: bussiness2.corp.net
    Name of groups with permission to add machines on domains: bussiness\Support and bussines2\Support
    Login of support guy: bussines\TEC01.

    This login is member of: bussines\Support and bussines2\Support

    Any ideas?

    Thanks!

    PS.: Sorry for the bad English.


    Daniel Henrique http://danielcordeiro.eti.br
    Thursday, January 5, 2012 6:42 PM
  • You are posting on a year old closed topic.  Please start a new topic and include the script you are referring to.

     


    jv
    Thursday, January 5, 2012 10:12 PM