Hey, Scripting Guy! In my logon script how can I determine the name of the domain controller that authenticated the user? -- CK
Hey, CK. You know, one of the unwritten rules for being a Scripting Guy is that you should never do anything hard more than once a week. (Why is this an unwritten rule? Mainly because we were all too lazy to write it down.) In yesterday’s column we tackled the somewhat complicated issue of trying to associate an IP address with a network connection. Because yesterday’s column was hard, the unwritten laws for being a Scripting Guy pretty much compel us to take an easy question today.
So how easy could it be to determine the name of the domain controller that authenticated the logged-on user? As easy as three lines of code:
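' Serverless bind to rootDSE on a domain controller
Set objDomain = GetObject("LDAP://rootDSE")
' Read the DNS host name of the domain controller we bound to
strDC = objDomain.Get("dnsHostName")
' Report the result
Wscript.Echo "Authenticating domain controller: " & strDC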
No, you’re not dreaming; this really does take just three lines of code. (And even if you were dreaming, well, do you really want to admit that you dream about scripting?) We begin by binding to rootDSE, which represents the root of the Active Directory service on a domain controller. The rootDSE object exists to provide information about a domain and a domain controller; in fact, one piece of information rootDSE provides is the value of the dnsHostName property.
That might not be the most intuitive property name in the world, but dnsHostName is the name of the authenticating domain controller. Consequently we use the Get method to retrieve the value of the dnsHostName attribute and store that value in a variable named strDC. Echo back the value of strDC and we’ve determined the name of the domain controller that authenticated the user.
And now, having presented our three-line script, our work for today is done. If you need anything we’ll be at home watching the Jerry Springer Show.
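The following added example (not from the original column) extends the three-line script into a per-logon audit record: it logs the rootDSE dnsHostName alongside the LOGONSERVER environment variable that Windows sets at logon, and flags when the two differ, since the serverless bind is resolved at the time the script runs. The log share path is a hypothetical placeholder.

```vbscript
Option Explicit
' Added example, not from the original column. LOG_PATH is a hypothetical share.
Const LOG_PATH = "\\fileserver.example\logonaudit$\dc-logons.csv"
Const ForAppending = 8

Dim objNet, objShell, objFSO, objRoot, objLog
Dim strBoundDC, strLogonServer, strVerdict

Set objNet = CreateObject("WScript.Network")
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' DC that answers the serverless rootDSE bind (same call as the column's script).
' The bind fails when no DC is reachable, e.g. a laptop logging on off the network.
strBoundDC = ""
On Error Resume Next
Set objRoot = GetObject("LDAP://rootDSE")
If Err.Number = 0 Then strBoundDC = objRoot.Get("dnsHostName")
Err.Clear
On Error GoTo 0

' LOGONSERVER is set by Windows at logon as \\NAME; strip the backslashes.
' ExpandEnvironmentStrings returns the token unchanged if the variable is unset.
strLogonServer = objShell.ExpandEnvironmentStrings("%LOGONSERVER%")
If strLogonServer = "%LOGONSERVER%" Then strLogonServer = ""
strLogonServer = Replace(strLogonServer, "\", "")

' Compare the first DNS label with the logon server name (case-insensitive).
If strBoundDC = "" Or strLogonServer = "" Then
    strVerdict = "unknown"
ElseIf StrComp(Split(strBoundDC, ".")(0), strLogonServer, vbTextCompare) = 0 Then
    strVerdict = "match"
Else
    strVerdict = "differs"
End If

' Append one CSV record per logon; a locked or unreachable file drops the record
' rather than delaying the user's logon.
On Error Resume Next
Set objLog = objFSO.OpenTextFile(LOG_PATH, ForAppending, True)
If Err.Number = 0 Then
    objLog.WriteLine Join(Array(CStr(Now), objNet.UserDomain & "\" & _
        objNet.UserName, objNet.ComputerName, strBoundDC, strLogonServer, _
        strVerdict), ",")
    objLog.Close
End If
On Error GoTo 0
```

Because a logon script runs in the user's own context, the share has to allow users to append to the file, so treat the resulting log as an operational aid rather than tamper-resistant evidence.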
Follow-on question: suppose I use
Set UserOBJ = GetObject("LDAP://CN=Joe.User,OU=Users,DC=My_Domain,DC=ORG")
How can I determine which DC was used when UserOBJ is established?
This is great for finding out on the local computer of the DC who authenticated, but what I want is the list of all users in AD to show which DC last authenticated which user. In other words, I want to know who was authenticated by what DC. Any idea without having to parse all event logs of all DCs? Why didn't the AD team add an attribute in AD to keep track of this useful information? Are they such a short-sighted group of people who built the AD? I hate to think of that!!!