Active Directory

Add User Account Information to Active Directory Users and Computers

How can I add an additional user account information option to the Active Directory Users and Computers context menu?

As seen in the Add Unlock User Option to Active Directory Users and Computers article, many of a network administrator's daily tasks involve monitoring user accounts, logon activities, password changes and account options, such as disabling and enabling user accounts, as well as looking up logon information for a user account.


One method of viewing additional information about user accounts is by using the Acctinfo.dll add-in for Active Directory Users and Computers (as explained in the View Additional User Information in AD Users and Computers article).

Another method is by adding some right-click (context menu) options to the user account objects. By right-clicking a user object you will be able to view some more information about any user account you want, information that includes the last logon time, the user’s logon script, the last time the user has changed his or her password and so on.

Writing the script

First we need to write a small VBS script (I thank Antid0t for the insight). It will be used as a context menu option on any user account object.

I guess the script could be done in a better way, and if any of you have a good suggestion please send it over.

' Keep going when an attribute is not set on the account (for example, no logoff recorded)
On Error Resume Next

' ADUC passes the ADsPath of the selected object as the first argument
Set wshArguments = WScript.Arguments
Set objUser = GetObject(wshArguments(0))

' Build one display line per attribute
str1 = "Last Login: " & objUser.LastLogin
str2 = "Last Logoff: " & objUser.LastLogoff
str3 = "Last Failed Login: " & objUser.LastFailedLogin
str4 = "Logon Count: " & objUser.logonCount
str5 = "Bad Login Count: " & objUser.BadLoginCount
str6 = "Password Last Changed: " & objUser.PasswordLastChanged
str7 = "User Account Control: " & objUser.userAccountControl
str8 = "Login Script: " & objUser.scriptPath
str9 = "Account Created: " & objUser.whenCreated
str10 = "Account Last Modified: " & objUser.whenChanged

' Show everything in a single message box titled with the object's name
MsgBox str1 & vbCrLf & str2 & vbCrLf & str3 & vbCrLf & str4 & vbCrLf & str5 & vbCrLf & str6 & vbCrLf & str7 & vbCrLf & str8 & vbCrLf & str9 & vbCrLf & str10,,objUser.Name

Save the script as USER_LOGON_INFO.VBS.

Place the script in a share on one of your DCs, preferably in the NETLOGON share, so that it is replicated to all of your DCs. Note that this change is a forest-wide change, so each and every DC in the forest should have access to this script.

Adding the option to the context menu

You now need to add the context menu options to user account objects in AD. To do so you need the following:

  1. ADSIEdit.MSC – found in the Windows 2000/2003 Support Tools (located on the installation CD)
  2. Enterprise Admin permissions

User account context menu:

  1. After installing the Support Tools, open ADSIEdit.MSC and navigate to the following path:
CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=dpetri,DC=net

Lamer note: Change the path to fit your own domain name…

  2. Right-click on the user-Display object and select Properties.
  3. The first attribute in the list of attributes for the object should be adminContextMenu. Double-click it or click on the Edit button.

  4. In the String Editor window of the adminContextMenu attribute, add the following line:
4, &Show Logon Info,\\zeus\netlogon\user_logon_info.vbs

Lamer note: Change the UNC path to fit your own path…

Another not so lamer note: If you already have a “4” option (because you’ve read the following article – Add Unlock User Option to Active Directory Users and Computers) then you can use “5” instead.

  5. When done, click Add to add the line, then click OK.
  6. Close ADSIEdit.MSC.

Testing

To test the context menu addition, close DSA.MSC if it was open and reopen it.

Right-click the user account you want to query and select the new context menu – Show Logon Info.

Notice how a prompt is displayed showing the additional information for that user account.
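
Because the display specifier change is forest-wide and the menu entry runs whatever file sits at the UNC path, it is worth reviewing which script entries exist and who can modify the files they point to. The following is an added example, not part of the original article; it assumes the ActiveDirectory (RSAT) PowerShell module is installed and that the account running it can read the Configuration partition and the file ACLs.

```powershell
# Added example: list script-based adminContextMenu entries and who can modify each script.
# Assumes the ActiveDirectory (RSAT) module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$base     = "CN=DisplaySpecifiers,$configNC"

# Rights that allow changing or replacing the script file
$writeRights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

Get-ADObject -SearchBase $base -LDAPFilter '(adminContextMenu=*)' -Properties adminContextMenu |
    ForEach-Object {
        $specifier = $_.DistinguishedName
        foreach ($entry in $_.adminContextMenu) {
            # Script entries look like "<order>,<menu text>,<command>";
            # built-in entries are "<order>,{GUID}" and carry no file path.
            $parts = $entry -split ',', 3
            if ($parts.Count -lt 3) { continue }
            $command = $parts[2].Trim()

            $reachable = Test-Path -LiteralPath $command
            $writers = @()
            if ($reachable) {
                # Collect every principal with an Allow ACE that grants a write-type right
                $writers = (Get-Acl -LiteralPath $command).Access |
                    Where-Object {
                        $_.AccessControlType -eq 'Allow' -and
                        ([int]$_.FileSystemRights -band $writeRights)
                    } |
                    ForEach-Object { $_.IdentityReference.Value } |
                    Sort-Object -Unique
            }

            [pscustomobject]@{
                Specifier  = $specifier
                Order      = $parts[0].Trim()
                MenuText   = $parts[1].Trim()
                Command    = $command
                Reachable  = $reachable
                WritableBy = $writers -join '; '
            }
        }
    } | Format-List
```

The check covers NTFS permissions on the file itself; share permissions and the ACL of the parent folder need a separate look.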
