Set-ADUser property from a logon script

Hello!
I’d like to collect information about the last logon computer name from computers in our environment by a logon script.
I’ve run a script for testing purposes on my DC like this:

# Local computer and the user logging on
$computer = $env:COMPUTERNAME
$username = $env:USERNAME
$datetimestamp = Get-Date
$var = $computer + ' - ' + $datetimestamp
$var
# Write "<computer> - <timestamp>" into the user's HomePage attribute
Set-ADUser -Identity $username -HomePage $var
#Get-ADUser -Identity $username -Properties HomePage

This script sets the HomePage property of the ADUser account for two purposes:

  1. I see the computer name a user has last logged on to successfully while opening the ADUser account properties
  2. I can retrieve this information by running the Get-ADUser cmdlet during an inventory

I would like to run the script by GPO (user configuration - scripts - logon), but:

  1. The script must be run under administrative rights to write changes to the ADUser account
  2. The computer on which the script runs must have the ActiveDirectory module to run Get-AD* cmdlets

If I use:

$computer = $env:COMPUTERNAME
$username = $env:USERNAME
$datetimestamp = Get-Date
$var = $computer + ' - ' + $datetimestamp
$var
# Run Set-ADUser on the DC instead of locally; the local variables are not
# visible inside the remote scriptblock (see the problem described below)
Invoke-Command -ComputerName DC -ScriptBlock {
    Set-ADUser -Identity $username -HomePage $var
}

the script doesn’t see my variable $username and tells me that the parameter Identity is null.

Could you advise me how to resolve this issue? Or maybe there is another approach to get this result!
Thank you!

In terms of this part:

Invoke-Command -ComputerName DC -ScriptBlock {
Set-ADUser -Identity $username -HomePage $var}

Please see the “Remote Variables” chapter in The Big Book of PowerShell Gotchas (Leanpub).

In terms of security, the above still won’t work in terms of a logon script. By default, ordinary users do not have permission to remote into a server, and it would be unwise to open that up.

What you want is JEA, which is something you’d install and run on the server. JEA is Microsoft’s PowerShell-based, supported means of doing exactly this. You (a) set up a new endpoint that (b) allows users to connect to it by name but (c) runs commands under an administrative account. It contains (d) only the Set-ADUser command, ideally only a proxy version of that which only allows -Identity and -HomeDir parameters. This prevents users from doing anything other than the exact command you want.

This will take some learning on your part to set up, but it is well worth the time, as you’ll be able to solve many other problems using JEA once you master it. Start at https://docs.microsoft.com/en-us/powershell/jea/overview, and note that there are several PowerShell Summit tutorials on JEA, which we’ve recorded at http://youtube.com/powershellorg.
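An added example, not code from the thread, of what the reply describes: a JEA endpoint on the DC exposing one wrapper command, plus the logon-script side using `$using:` for the remote-variable problem. Module, role, endpoint and group names, the transcript path and the wrapper function are assumptions.

```powershell
# Added example, not from the thread: a JEA endpoint that exposes one wrapper
# function which writes only the caller's own account. Module name, role name,
# group, endpoint name and transcript path are assumptions.

# --- Server side: run once, as an administrator, on the server hosting the endpoint ---
$moduleDir = "$env:ProgramFiles\WindowsPowerShell\Modules\LastLogonJea"
New-Item -ItemType Directory -Path "$moduleDir\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$moduleDir\LastLogonJea.psd1"

# Role capability: Set-ADUser itself stays hidden; the only visible command is a
# wrapper that takes the identity from $PSSenderInfo, so a user cannot pass
# someone else's -Identity.
$roleParams = @{
    Path                = "$moduleDir\RoleCapabilities\LastLogonWriter.psrc"
    ModulesToImport     = 'ActiveDirectory'
    FunctionDefinitions = @{
        Name        = 'Set-MyLastLogon'
        ScriptBlock = {
            param([ValidatePattern('^[A-Za-z0-9-]{1,15}$')][string]$ComputerName)
            # DOMAIN\user of the connecting client, filled in by the remoting layer
            $sam   = $PSSenderInfo.UserInfo.Identity.Name.Split('\')[-1]
            $stamp = "$ComputerName - $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
            Set-ADUser -Identity $sam -HomePage $stamp
        }
    }
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: restricted endpoint, commands run as a virtual account
# (on a DC that account is highly privileged; a gMSA delegated only the write
# right on wWWHomePage, via -GroupManagedServiceAccount, is the tighter option),
# transcripts kept for audit.
$pssc = "$env:TEMP\LastLogon.pssc"
$sessionParams = @{
    Path                = $pssc
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    TranscriptDirectory = 'C:\JEA\Transcripts'
    RoleDefinitions     = @{ 'CONTOSO\Domain Users' = @{ RoleCapabilities = 'LastLogonWriter' } }
}
New-PSSessionConfigurationFile @sessionParams
Test-PSSessionConfigurationFile -Path $pssc
Register-PSSessionConfiguration -Name LastLogon -Path $pssc -Force

# --- Client side: the GPO logon script; needs neither admin rights nor the AD module ---
$computer = $env:COMPUTERNAME
Invoke-Command -ComputerName DC -ConfigurationName LastLogon -ScriptBlock {
    # $using: is what carries a local variable into the remote scriptblock
    Set-MyLastLogon -ComputerName $using:computer
}
```

Users in the role group can run only Set-MyLastLogon inside the endpoint, and every session is transcribed, so the attribute write is both constrained and auditable.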