PowerShell to Add a Workstation to a User’s Log On To Property
It’s easy enough to use ADUC or ADAC to change the list of computers that a user account is authorized to log on to, but sometimes (like, whenever possible!) you need to use PowerShell. Let’s start by seeing what workstations the user is allowed to log on to now…
PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | Format-List Name, LogonWorkstations
Name : Jay Test
LogonWorkstations : testpc
This tells us that the user, Jay Test, is only allowed to authenticate from the computer named “testpc”. The LogonWorkstations field is a little funny in that it appears to be an array when you look at it in a GUI tool like Active Directory Users and Computers, but it’s actually just a text string with the names of individual computers separated by a comma.
Changing the value from one computer name to another is simple enough:
PS C:\> Set-ADUser jay.test -LogonWorkstations "newpc"
The LogonWorkstations property for jay.test now contains only the computer named “newpc”, and this account can no longer log on to “testpc”. (Note: the LogonWorkstations property is not case sensitive. “NEWPC” is the same as “newpc”.)
However, if you want to add a workstation instead of replacing one, you might do it this way…
- Save the current value of the LogonWorkstations property to a string variable.
PS C:\> $Workstations = (Get-ADUser jay.test -Properties LogonWorkstations).LogonWorkstations
- Add the new workstation to the string and don’t forget the comma.
PS C:\> $Workstations += ",newpc"
- Save the value back to the LogonWorkstations property.
PS C:\> Set-ADUser jay.test -LogonWorkstations $Workstations
Now, when you get the new value from AD, you’ll see the new computer:
PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | Format-List Name, LogonWorkstations
Name : Jay Test
LogonWorkstations : newpc,oldpc
If you check in ADUC, you’ll see it like this:
It’s a bit more complicated if you want to remove a computer from the list, but here’s one way to do it:
- Save the list of computers in an array. This cmdlet will split the comma-delimited value of LogonWorkstations into an array.
PS C:\> $Workstations = (Get-ADUser jay.test -Properties LogonWorkstations).LogonWorkstations.split(',')
PS C:\> $Workstations
comp1
comp2
comp3
comp4
- Remove the computer from the resulting array.
PS C:\> $Workstations = $Workstations | Where-Object {$_ -ne "comp3"}
PS C:\> $Workstations
comp1
comp2
comp4
- Convert the new list, without computer “comp3”, to a string of comma-separated values.
PS C:\> $Workstations = $Workstations -join ","
PS C:\> $Workstations
comp1,comp2,comp4
- Save the new workstations list back to the user object.
PS C:\> Set-ADUser jay.test -LogonWorkstations $Workstations
Now, when you retrieve the list of allowable workstations for the user, you’ll see the list without the computer you removed:
PS C:\> Get-ADUser jay.test -Properties LogonWorkstations | Format-List Name, LogonWorkstations
Name : Jay Test
LogonWorkstations : comp1,comp2,comp4
Finally, if you want to remove all workstation restrictions on a user account, this is probably the easiest of all of these tasks to do:
PS C:\> Set-ADUser jay.test -LogonWorkstations $Null
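The add and remove procedures above, folded into reusable functions as an added example (not code from the original post). It assumes the ActiveDirectory module and the jay.test account used in the post, and it handles the two cases plain string appends get wrong: an empty property (which means no restriction at all) and duplicate names that differ only in case.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module and the jay.test account used in the post.
Import-Module ActiveDirectory

function Get-LogonWorkstationList {
    param([Parameter(Mandatory)][string]$Identity)
    $raw = (Get-ADUser $Identity -Properties LogonWorkstations).LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($raw)) { return @() }
    # Split on commas, trim, and drop empty entries left by a stray trailing comma
    return @($raw.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-LogonWorkstation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string[]]$ComputerName)
    $current = @(Get-LogonWorkstationList -Identity $Identity)
    if ($current.Count -eq 0) {
        # An empty property means "no restriction"; appending to it would turn an
        # unrestricted account into one limited to the names added here.
        Write-Warning "$Identity currently has no logon restriction; one will be created."
    }
    # Merge case-insensitively (Select-Object -Unique is case-sensitive, so lowercase first)
    $merged = @(($current + $ComputerName) | ForEach-Object { $_.ToLower() } | Select-Object -Unique)
    $value = $merged -join ','
    if ($PSCmdlet.ShouldProcess($Identity, "Set LogonWorkstations to '$value'")) {
        Set-ADUser $Identity -LogonWorkstations $value
    }
}

function Remove-LogonWorkstation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string[]]$ComputerName)
    $current = @(Get-LogonWorkstationList -Identity $Identity)
    $remaining = @($current | Where-Object { $ComputerName -notcontains $_ })
    if ($remaining.Count -eq 0) {
        # Clearing the last name lifts the restriction entirely (logon anywhere);
        # refuse here so that only an explicit -LogonWorkstations $null does that.
        throw "Removing these names would leave $Identity unrestricted; aborting."
    }
    $value = $remaining -join ','
    if ($PSCmdlet.ShouldProcess($Identity, "Set LogonWorkstations to '$value'")) {
        Set-ADUser $Identity -LogonWorkstations $value
    }
}

# Preview with -WhatIf first, then run again without it to apply
Add-LogonWorkstation -Identity jay.test -ComputerName newpc -WhatIf
Remove-LogonWorkstation -Identity jay.test -ComputerName comp3 -WhatIf
```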
Hi, sorry, my English is bad)
Q: How can I do this for all users in my Domain?
Users have a list of workstations and I must add a new server to the list.
Each user has their own machine name in the list; this is the problem.
need my privacy
Hi Anton! Good question.
I didn’t test this, but I’m pretty sure it will work. You should test it with a small subset of users or in a test environment first.
In this code, “newpc” is the name of the computer you want to add to the list.
$Users = Get-ADUser -Filter * -Properties LogonWorkstations
foreach ($User in $Users) {
    # Use $User here, not $_ ($_ is only set inside pipeline script blocks)
    $Workstations = $User.LogonWorkstations
    # Skip accounts with no existing list: appending to an empty value would
    # turn an unrestricted account into one limited to newpc alone
    if (-not $Workstations) { continue }
    $Workstations += ",newpc"
    Set-ADUser $User.SamAccountName -LogonWorkstations $Workstations
}
Dear Jay C,
Please how do I do this for a selected number of users? I need the format for the csv to use and the powershell.
I just want to add a computer
Alternate
$Users = (Get-ADUser -Filter * -Properties LogonWorkstations -SearchBase "OU=XX,DC=contoso,DC=com")
ForEach ($User in $Users)
{
    $User.LogonWorkstations += ",test1,test2,test3"
    Set-ADUser -Instance $User
}
🙂
I have a single user account pltw-adm and .csv file with a list of computers(no column header). How would I modify this to add the list of computers to the single user?
Hi Joshua.
You can use Get-Content to put the list of computers into a text variable like this:
Get-Content C:\Temp\ComputerList.txt | %{$Workstations += "$_,"}
That would leave a trailing comma at the end. I haven’t tried it, so I don’t know how AD would handle that.
Hi JAY C,
I want to map different systems to different users like below. Please suggest how to do this using a PowerShell script, and how to import a csv/txt file for users against specific computer names.
User Hostname
A U
B Y
C X
D Z
E V
Hi Jay. This is very useful. Thanks a lot for sharing.
I am looking to deploy something like this that reads objects(workstations) where the managed by field is set to user “xyz123” and then update their ability to logon to that computer.
Ideally we would like to run this against an entire OU on a regular basis.
Any help would be appreciated.
Hi Mahi. You can put the list in a csv file and import that to a hashtable using import-csv. Then you can process each line with a foreach statement.
If a user needs to connect to a server to work on it using the RDP protocol… will the user be able to connect, or what happens?
Could anyone support me, please?
Hi Luis. You’ll need to add both the local and remote computers to the user’s LogonWorkstations property.
Don’t forget to make sure the user is in the Remote Desktop Users group on the remote computer too.
Dear all,
How can I write a PowerShell script to import 1000 users restricted to log in to only their own computer? I have csv files as follows:
SamAccountName,Computername
abc,PC1
xyz,PC2
Sorry, let me explain my requirement in more detail.
abc should log in to PC1 only, and xyz should log in to PC2. abc should be denied login to all PCs except PC1.
please help…..
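The Import-Csv plus foreach approach Jay suggests to Mahi, worked through for the SamAccountName,Computername layout in this request, as an added example (not code from the original post or its author). It assumes the ActiveDirectory module and a constructed CSV at C:\Temp\Restrictions.csv; a user listed on more than one row gets all of their rows' computers.

```powershell
# Added example, not code from the original post: set each user's
# LogonWorkstations from a CSV with a SamAccountName,Computername header.
# Assumes the ActiveDirectory module and a constructed C:\Temp\Restrictions.csv:
#   SamAccountName,Computername
#   abc,PC1
#   xyz,PC2
#   abc,PC9    (a second row for the same user adds a second computer)
Import-Module ActiveDirectory

function Set-LogonWorkstationsFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $rows = @(Import-Csv -Path $Path)
    if ($rows.Count -eq 0) { throw "No rows found in $Path" }
    foreach ($col in 'SamAccountName', 'Computername') {
        if ($rows[0].PSObject.Properties.Name -notcontains $col) {
            throw "CSV is missing the '$col' column"
        }
    }
    # A user may appear on several lines: gather every computer listed for them
    foreach ($group in ($rows | Group-Object -Property SamAccountName)) {
        $sam = $group.Name.Trim()
        $computers = @($group.Group.Computername | ForEach-Object { $_.Trim().ToLower() } |
                       Where-Object { $_ } | Select-Object -Unique)
        if ($computers.Count -eq 0) { Write-Warning "$sam has no computer names; skipped"; continue }
        try { $user = Get-ADUser -Identity $sam -ErrorAction Stop }
        catch { Write-Warning "$sam not found in AD; skipped"; continue }
        # The value replaces any existing list, so the account can then log on
        # only to the listed names (PC1 only for abc, as the request asks).
        $value = $computers -join ','
        if ($PSCmdlet.ShouldProcess($sam, "Set LogonWorkstations to '$value'")) {
            Set-ADUser -Identity $user -LogonWorkstations $value
        }
    }
}

# Preview first with -WhatIf, then run again without it to apply
Set-LogonWorkstationsFromCsv -Path C:\Temp\Restrictions.csv -WhatIf
```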
Great post. I have a follow-up. I’ve just started working more with PowerShell. What I’d like to do is import a very long list of machines that people are allowed to log into. If I make a file with all the machine names I want to allow, would the machine names be separated by a comma in the file or can I put each machine name on a separate line in the file?
Thanks
I would put all the machine names in a single text string with each computer name separated by a comma. If that’s in a text file, you’d want to put them all in a single block of text with no returns/line feeds.
$computers = Get-Content C:\computerlist.txt
or
$computers = "computer1,computer2,computer3"
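An added example (not code from the original post) covering both this question and Joshua's earlier one: it accepts a text file with one computer name per line, comma-separated names, or a mix of the two, and joins them without the trailing comma that a per-line append leaves. It assumes the ActiveDirectory module, the pltw-adm account from Joshua's question, and a constructed C:\Temp\ComputerList.txt with no header line.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory
# module, the pltw-adm account from the question above, and a constructed
# C:\Temp\ComputerList.txt with no header line.
Import-Module ActiveDirectory

function Get-ComputerNamesFromFile {
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw
    # Split on commas and line breaks, trim, drop blanks, and de-duplicate
    # case-insensitively; joining afterwards avoids the trailing-comma problem
    return @($text -split '[,\r\n]+' | ForEach-Object { $_.Trim().ToLower() } |
             Where-Object { $_ } | Select-Object -Unique)
}

$names = Get-ComputerNamesFromFile -Path C:\Temp\ComputerList.txt
if ($names.Count -eq 0) { throw "No computer names found in the file" }
$value = $names -join ','
Write-Host "Setting LogonWorkstations for pltw-adm to: $value"
# This replaces the existing list; merge with the current value first if you
# need to keep names already on the account. Drop -WhatIf to apply.
Set-ADUser -Identity pltw-adm -LogonWorkstations $value -WhatIf
```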
Hello,
Great post! I’m trying to do something similar, where I want to find Comp1 in the LogonWorkstations attribute of AD users.
Situation: My old workstation was replaced, but don’t have the security approval to remove it, so I want to find all the user accounts within a specific OU that contain my old approved workstation name in LogonWorkstations….hope that makes sense. 🙂
We have many users in a OU that require hostnames to be “whitelisted” for logon, but now I’m trying to collect a list of users that have my old laptop hostname.
TIA
Joe
Sorry about the delayed replies.
Hi Joe. I would use something like this:
Get-ADUser -SearchBase "OU=users,OU=your department,DC=yourdomain,DC=com" -Filter {LogonWorkstations -like "*computername*"} -Properties LogonWorkstations
Of course, substitute the OU that you need to search and the computername for the actual laptop name.
That will give you a list of AD users in the specified OU who have the computer in their LogonWorkstations property.