Using PowerShell to map users to registered devices

  • Article

This is another question that comes up from time to time … how do I map users to the devices that they have registered, or inversely how do I map a registered device to a user?

Here are the 2 PowerShell scripts.  Copy into the PS ISE, save as .PS1 files.

Note, if you redirected the RegisteredDevices location during install, update to reflect your location.

Usage:

getregistereduserfordevice.ps1 <devicename>

getregistereddeviceforuser.ps1 <user>

GetRegisteredUserforDevice.PS1

#user is provide by argument
if ($args.count -ne 1)
{       
    Write-Host "Usage: GetRegisteredUserForDevice.ps1 <device name>"
    exit 1
}

#get user's sid
$domain = Get-ADDomain
$deviceDisplayName = $args[0]
$userSid = (New-Object System.Security.Principal.NTAccount ($domain.NetBIOSName ,$userName)).Translate([System.Security.Principal.SecurityIdentifier]).value

#search device object when device displayName = client computer name
$objDefaultNC = New-Object System.DirectoryServices.DirectoryEntry

$ldapPath = "LDAP://CN=RegisteredDevices," + $objDefaultNC.distinguishedName
$objDeviceContainer = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$strFilter = "(&(objectClass=msDS-Device)(displayName=$deviceDisplayName))"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDeviceContainer
$objSearcher.PageSize = 100
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Onelevel"
$colResults = $objSearcher.FindAll()

Write-Host "Found" $colResults.count "device objects in AD whose displayName is " $args[0]
foreach ($objResult in $colResults)
{
    $sidString = ""
    $objItem = $objResult.Properties
    $userSid = $objItem.'msds-registeredowner'
    $userSid = $userSid[0]
    for($i=0;$i -lt $userSid.count; $i++)
    {
        $sidString = $sidString + [char]$userSid[$i]
    }
    $objSID = New-Object System.Security.Principal.SecurityIdentifier($sidString)
    try
    {
        $objUser = $objSID.Translate( [System.Security.Principal.NTAccount])
        Write-Host "UserSid:" $sidString "UserName:" $objUser.Value
    }
    catch
    {
        Write-Host "UserSid:" $sidString "Failed to get user name, user might be deleted"
    }
   
}

GetRegisteredDeviceforUser.PS1

#user is provide by argument
if ($args.count -ne 1)
{       
    Write-Host "Usage: GetRegisteredDeviceForUser.ps1 <user name>"
    exit 1
}

#get user's sid
$domain = Get-ADDomain
$userName = $args[0]
$userSid = (New-Object System.Security.Principal.NTAccount($domain.NetBIOSName, $userName)).Translate([System.Security.Principal.SecurityIdentifier]).value

#search device object when registeredUser = user sid
$objDefaultNC = New-Object System.DirectoryServices.DirectoryEntry

$ldapPath = "LDAP://CN=RegisteredDevices," + $objDefaultNC.distinguishedName
$objDeviceContainer = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$strFilter = "(&(objectClass=msDS-Device)(msDS-RegisteredOwner=$userSid))"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDeviceContainer
$objSearcher.PageSize = 100
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Onelevel"
$colResults = $objSearcher.FindAll()

Write-Host "Found" $colResults.count "device objects"
foreach ($objResult in $colResults)
    {$objResult.Properties}

Hopefully that is useful.

A.