There are times when what you really want to know about a given computer is, who’s responsible for it. With good user education, your OU admins or computer admins will pre-stage a computer and at the very least populate the ManagedBy property. This effectively lets anyone who can read that property, know who is responsible for this object. In an environment with thousands of computers, or even hundreds of computer’s the likelihood of this actually happening is most likely very slim. I freely admit that when I create a computer object, I do little else.

The good news is that information is already in there, tucked away inside the ACL for the object. The trick is how do you pull it out? Chances are in smaller domains your computer objects are all owned by Domain Admins. But if you have given your users the right to join their own computers to the domain their information is stored in the ACL for the object.

Most of my scripting is done in VBScript so I wanted a simple way to get at that information. The ntSecurityDescriptor was just what I needed and I found article in the Technet Forums, that met my needs. The only thing I changed was making the stand-alone script a function that I could pull into my code. The output is the username formatted NT-style:

DOMAIN\Username

I wrote a couple of scripts today involving the managedby property. The first script walks through your ActiveDirectory and reports out the name of the computer and who the owner is. The second script walks through your ActiveDirectory updates the managedby property of the computer.

The GetOwner script, simply outputs the owner of each computer object it finds. You don't need to be a Domain Admin to run it, as these properties are readable by any Domain User. The best way to run this particular script is as follows:

cscript //nologo GetOwner.vbs > ComputerOwners.csv

The resultant output file can be opened up in the spreadsheet program of your choice, and will have two columns. The name of the computer, and the Domain\Username of the owner. You will want to change the LDAP URI at the top, to point at the OU of your choice within your domain, or for fun point it at the root. This script does not modify anything at all, and can be run as a regular non-admin user.

The SetManagedBy script was a little more complicated. After reading several forums I found that the Managedby property needs a DN. But my original code returns an NT4 style account name. Again I found the information I needed on the Scripting Guys blog. The actual code from the blog returns a GUID, but they kindly added a table at the bottom that listed the other formats that could be returned from IADsNameTranslate. I modified the code to return ADS_NAME_TYPE_1779, and changed it from a stand-alone script to a function that returned the DN of the user.

There is no output in this script, it just runs and sets as it goes. If you have a problem with that, one thing you can do is change the line that reads:

Call WriteData(strADSIProp, strUserDN, strComputerPath)

To

Wscript.Echo "Changing " & strADSIProp & " property of " & strComputerPath & " to " & struserDN

This will output a line that will tell you what the script will do. Personally I would comment out the call to WriteData and add the Wscript.Echo as a new line below that. Once you are satisfied that it works the way you anticipate, delete that echo line and uncomment the call.