Import User Setting into Active Directory

  • Question

  • Hi

    First, I have to admit that my native language isn't English, so sorry in advance for any vocabulary and grammar mistakes.

    I'm new to Windows Server and I have a problem with it, which is as follows:

    I have 900+ users in my Active Directory, and I chose Log On restriction in the Account tab when I was creating my users.

    Now I have a situation in which I have to add a new user to all of my users' logon settings, and for 900+ users that's really difficult. So I wanted to know: is there any way to handle this issue using a script or something like that?

    Thanks in advance

    • Moved by Bill_Stewart Monday, July 29, 2019 8:03 PM This is not "scripts on demand"
    Wednesday, January 2, 2019 7:53 AM

All replies

  • Wednesday, January 2, 2019 9:31 AM
  • Do you mean the button on the "Account" tab of ADUC labeled "Log On to..."? If so, this assigns values to the userWorkstations attribute of the user object in AD. This is a comma-delimited string of computer names. You can use the LogonWorkstations parameter of the Set-ADUser PowerShell cmdlet to assign computer names for users. Check the help for the Set-ADUser cmdlet, and the LogonWorkstations parameter, here:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee617215(v=technet.10)

    You will need to retrieve the existing value for each user, using the Get-ADUser cmdlet, then append your new computer name.

    Thinking about this, if you are adding a computer to your domain, and need to add this computer name for all users, then you really are not restricting users to specific computers. If all users should be able to logon to any computer, you should instead clear the userWorkstations attribute for all users. You could use the -Clear parameter of Set-ADUser to do this.

    Do I correctly understand what you need to do?


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, January 2, 2019 10:39 AM
  • In case I read your question correctly, here is how I would add a new computer to the userWorkstations attribute of all users in a specified organizational unit.

    Import-Module ActiveDirectory

    # New workstation.
    $Computer = "NewWorkstation"

    # Retrieve all users in the specified OU.
    $Users = Get-ADUser -SearchBase "ou=Sales,ou=West,dc=MyDomain,dc=com" -Filter * -Properties userWorkstations |
        Select-Object sAMAccountName, userWorkstations

    # Enumerate the users.
    ForEach ($User In $Users)
    {
        $ID = $User.sAMAccountName
        $Workstations = $User.userWorkstations
        # Check if there are existing workstations specified.
        If ($Workstations)
        {
            # Make sure the existing workstations do not include the computer to be added.
            # Compare whole names so that a longer name containing $Computer is not a match.
            If (($Workstations -Split ",") -NotContains $Computer)
            {
                # Add the new workstation to the existing.
                Set-ADUser -Identity $ID -LogonWorkstations "$Workstations,$Computer"
            }
        }
        Else
        {
            # Assign the new workstation.
            Set-ADUser -Identity $ID -LogonWorkstations $Computer
        }
    }

    But if instead you decide to clear the userWorkstations attribute for all users in the domain, this PowerShell script would do the job.

    # Clear the userWorkstations attribute for all users that have a value assigned to the attribute.
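    # Set-ADUser has no -Filter parameter, so select the users with Get-ADUser and pipe them in.
    Get-ADUser -Filter 'userWorkstations -Like "*"' | Set-ADUser -Clear userWorkstations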

    It can be confusing, but the lDAPDisplayName of the attribute is userWorkstations, but the corresponding PowerShell property is LogonWorkstations. The -Clear parameter of Set-ADUser requires that we specify the lDAPDisplayName.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    • Edited by Richard MuellerMVP Wednesday, January 2, 2019 3:11 PM
    • Proposed as answer by BOfH-666 Wednesday, January 2, 2019 4:44 PM
    Wednesday, January 2, 2019 3:10 PM
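
The following is an added example, not code from either reply above: a more cautious variant of the bulk update that saves the current userWorkstations values before changing anything, matches computer names exactly, and runs Set-ADUser with -WhatIf first. The CSV path and the helper name Add-WorkstationToList are hypothetical, and unlike the reply's script it deliberately skips users whose attribute is empty.

```powershell
Import-Module ActiveDirectory

# Placeholders: the OU and computer name come from the reply; the CSV path is hypothetical.
$SearchBase = "ou=Sales,ou=West,dc=MyDomain,dc=com"
$Computer   = "NewWorkstation"
$BackupCsv  = ".\userWorkstations-before.csv"

# Hypothetical helper: returns the updated comma-delimited list,
# or $null when $Name is already present.
function Add-WorkstationToList {
    param([string]$Existing, [string]$Name)
    $list = @($Existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # -contains compares whole elements (case-insensitive), so "NewWorkstation2"
    # does not count as a match for "NewWorkstation".
    if ($list -contains $Name) { return $null }
    return (($list + $Name) -join ',')
}

$Users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties userWorkstations

# Save the current values first so the change can be audited and reverted.
$Users | Select-Object sAMAccountName, userWorkstations |
    Export-Csv -Path $BackupCsv -NoTypeInformation

foreach ($User in $Users) {
    # An empty attribute means "all computers"; writing one name here would
    # newly restrict the account, so leave unrestricted users untouched.
    if (-not $User.userWorkstations) { continue }

    $New = Add-WorkstationToList -Existing $User.userWorkstations -Name $Computer
    if ($null -ne $New) {
        # -WhatIf only reports the intended change; remove it to apply.
        Set-ADUser -Identity $User -LogonWorkstations $New -WhatIf
    }
}
```

To revert, read the CSV back with Import-Csv and pass each saved value to Set-ADUser -LogonWorkstations for the matching sAMAccountName.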