Thank you for your input. I'll try to keep the answer to your question short and concise, but I have also written a description below the actual answer for anyone who is interested in knowing how tools like ADUC are extended and has a few minutes to spare.

*1. Does each and every admin need to install the software? I would hope not, but can't be sure from the docs.

Yes, the ADUC extension works like the Exchange Admin tools; you need to install the Windows Installer package on every computer where you want to extend ADUC. But you only need to register the Display Specifiers once per forest, regardless of how many computers you install the admin tools on.

*2. Re-word context menu 'gpupdate' to 'Refresh GPOs' [much more meaningful :) ]

Thanks for the suggestion, 'Refresh GPOs' is better but the reason the menu item is Gpupdate is since it is the name of the tool, but perhaps it should be renamed if we get that suggestion a lot.

*3. I'm uncomfortable at the thought of offering re-start and shutdown command via ADU&C :) I'd rather those operations were a little more 'hidden' and thus less likely to be invoked accidentally. #3 could be better managed by placing those options into a sub-menu to keep them from being accidentally clicked. Not certain if it is already there, but a confirmation dialog would help in this regard as well.

We are as afraid as you of shutting down computers by the numbers :), so there is a confirmation dialog after you select the option.

*4. I'd like to see the changes made in AD (as a result of the installation) documented in *detail* before I even looked at this in a lab. The doc alludes to those changes but more detail is needed IMHO.

A very good suggestion, the following is what is being added to the Configuration container:

Specops Gpupdate adds its own COM GUID list of menu extenders to the property "adminContextMenu" of the following AD objects:

* CN=computer-Display,CN=<LocaleID>,CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain - Context Menu for Computer Objects
* CN=user-Display,CN=<LocaleID>,CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain - Context Menu for User Objects (not utilized in the current version)
* CN=organizationalUnit-Display,CN=<LocaleID>,CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain - Context Menu for OU objects
* CN=group-Display,CN=<LocaleID>,CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain - Context Menu for Group objects
* CN=domainDNS-Display,CN=<LocaleID>,CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain - Context Menu for Domain objects

Replace LocaleID with all the LocaleIDs that exist under CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain

Best regards,
Thorbjörn Sjövold
Special Operations Software
www.specopssoft.com
thorbjorn.sjovold a t specopssoft.com

The following is a short explanation on how to extend ADUC; the explanation requires basic knowledge in COM programming:

*How Display Specifiers work

Tools that create new menu items, creation wizards etc. are using a technology called Display Specifiers to extend the Active Directory Users and Computers interface. This technology is fully documented and supported by Microsoft. If you *really* want to learn in detail how it works, the documentation can be found on MSDN here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/extending_the_user_interface_for_directory_objects.asp?frame=true

But for those of you not intending to go ahead and start extending the MS AD admin tools but still are curious about how ADUC extensions work, the following will describe the most important parts briefly.

Display Specifiers overview

The idea behind Display Specifiers from Microsoft is both smart and simple. You register in the configuration container in AD the extensions you want to use in your organization and then ADUC will check on the local computer if they are installed locally. If they are installed locally, ADUC will load them; if they do not exist locally they will simply be ignored and, for example, no menu items will be added.

There is actually an exception to this rule and that is if so-called Static Display Specifiers are used. In this case the menu item will be shown to the administrator regardless of whether it is present on the local computer or not, and the admin will receive an error when selecting the option if the registered command cannot be executed. One common way to use Static Display Specifiers is actually to put the tool to execute in NETLOGON. But Specops Gpupdate does not use Static Display Specifiers so it will be left outside of this description.

* Registering and using Display Specifiers

All Display Specifiers are registered in child objects under the following LDAP path in AD.

CN=<LocaleID>,CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain

Where LocaleID is the locale, in hex representation, that you want to support, e.g. 409 is US English since it translates into the more familiar 1033 in decimal.

Under this path there are a large number of objects, each one representing an object that is displayed in an AD related admin tool, i.e. it does not have to be ADUC; for example, Exchange uses Display Specifiers too. So select the object you want to extend and then select how you want to extend it, for example extending the menu as Specops Gpupdate does, adding tabs to the property menu, adding a create wizard, etc. Use ADSIEdit, LDP or your favorite LDAP tool to open the different objects and see what you can extend; the Microsoft settings are also documented in MSDN.

To actually register something you need to have a COM GUID, and this is where the magic happens: add the GUID to the property with a preceding order number and comma, just make sure you do not use the same number as anyone else is already using. After this the registration part is done and now we only have to create something that will run when started from ADUC.

A COM based DLL needs to be created that supports certain Interfaces (see the MSDN link for the details here), and obviously it should be using the COM GUID registered in AD. Now on every computer where this COM app is registered ADUC will load it and it will execute when selected, being passed the LDAP paths to the objects selected by the administrator. And that is exactly what Specops Gpupdate does.

* Using MMC to extend the Active Directory Users and Computers instead of Display Specifiers.

It is possible to extend objects in ADUC using standard MMC mechanisms for extending nodes, achieving similar results as when using Display Specifiers, but there is a big problem with this method: it does not work with the Find feature of ADUC, i.e. you can browse to a specific object in ADUC and it will work, but if you search for the exact same object, the menu items, property pages, etc., will not show up. Since searching is a fairly common thing to do when there are a large number of computers and users in an AD, this is obviously a good reason to use Display Specifiers instead of just MMC mechanisms. The reason that Find does not work when not using Display Specifiers is that the result list is more related to the Shell than MMC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Scott Klassen
Sent: Friday, April 21, 2006 5:29 PM
To: [email protected]
Subject: RE: [ActiveDir] Perform gpupdate, start or shut downs through ADUC

#3 could be better managed by placing those options into a sub-menu to keep them from being accidentally clicked.
Not certain if it is already there, but a confirmation dialog would help in this regard as well.

Scott Klassen

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, April 21, 2006 9:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Perform gpupdate, start or shut downs through ADUC

Immediate questions / comments come to mind:

1. Does each and every admin need to install the software? I would hope not, but can't be sure from the docs.
2. Re-word context menu 'gpupdate' to 'Refresh GPOs' [much more meaningful :) ]
3. I'm uncomfortable at the thought of offering re-start and shutdown command via ADU&C :) I'd rather those operations were a little more 'hidden' and thus less likely to be invoked accidentally.
4. I'd like to see the changes made in AD (as a result of the installation) documented in *detail* before I even looked at this in a lab. The doc alludes to those changes but more detail is needed IMHO.

Personally, I can think of several other additions that could / should be made to context menus, that I'd like to see before 'restart' and 'shutdown'. Examples:

- Unlock user
- Unlock all users in OU
- Show user data (last logon, last bad logon etc)

Did customers ask for a bulk gp updating tool?

My (candid) 2 penneth,
neil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Lundh
Sent: 21 April 2006 15:39
To: [email protected]
Subject: [ActiveDir] Perform gpupdate, start or shut downs through ADUC

Dear listmembers,

Today we have released a free tool that gives you the power to perform gpupdate, start ups or shut downs of computers through Active Directory Users and Computers. We would love if you tried the tool called Specops Gpupdate and came with feedback to us on how to further improve it. We have developed this tool to make your job as an admin as easy as possible.

Here is the link to the product page where you can download the tool:
http://www.specopssoft.com/products/specopsgpupdate/default.asp

Best Regards,
Robert Lundh
Special Operations Software

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

PLEASE READ: The information contained in this email is confidential and intended for the named recipient(s) only. If you are not an intended recipient of this email please notify the sender immediately and delete your copy from your system. You must not copy, distribute or take any further action in reliance on it. Email is not a secure method of communication and Nomura International plc ('NIplc') will not, to the extent permitted by law, accept responsibility or liability for (a) the accuracy or completeness of, or (b) the presence of any virus, worm or similar malicious or disabling code in, this message or any attachment(s) to it. If verification of this email is sought then please request a hard copy. Unless otherwise stated this email: (1) is not, and should not be treated or relied upon as, investment research; (2) contains views or opinions that are solely those of the author and do not necessarily represent those of NIplc; (3) is intended for informational purposes only and is not a recommendation, solicitation or offer to buy or sell securities or related financial instruments. NIplc does not provide investment services to private customers. Authorised and regulated by the Financial Services Authority. Registered in England no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand, London, EC1A 4NP. A member of the Nomura group of companies.
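
The adminContextMenu registration described in the reply at the top of this thread can be audited once the attribute values have been exported from the DisplaySpecifiers container. The following is an added example, not part of the thread and not Specops code: it flags reused order numbers and static entries that run a command. The GUIDs, locale and script path are constructed, and the static form "<order>,<menu text>,<command>" is taken from Microsoft's display specifier documentation rather than from this thread.

```python
import re
from collections import defaultdict

GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

def parse_entry(value):
    """Classify one adminContextMenu value as (order, kind, detail)."""
    order, _, rest = value.partition(",")
    rest = rest.strip()
    if not order.strip().isdigit() or not rest:
        return None, "malformed", value
    if GUID_RE.match(rest):                      # "<order>,<COM GUID>"
        return int(order), "com", rest.lower()
    text, sep, command = rest.partition(",")     # "<order>,<menu text>,<command>"
    if sep and command.strip():
        return int(order), "static", command.strip()
    return None, "malformed", value

def audit(specifiers):
    """Map {display specifier DN: [values]} to a list of (dn, finding, detail)."""
    findings = []
    for dn, values in specifiers.items():
        seen = defaultdict(int)
        for value in values:
            order, kind, detail = parse_entry(value)
            if kind == "malformed":
                findings.append((dn, "malformed", value))
                continue
            seen[order] += 1
            if kind == "static":                 # runs a command, not a local COM DLL
                findings.append((dn, "static-command", detail))
        findings += [(dn, "order-collision", o) for o in sorted(seen) if seen[o] > 1]
    return findings

# Constructed sample data: GUIDs, locale and script path are made up.
BASE = "CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=Mydomain,DC=MyRootdomain"
COMPUTER_DN = "CN=computer-Display," + BASE
OU_DN = "CN=organizationalUnit-Display," + BASE
SAMPLE = {
    COMPUTER_DN: [
        "1,{11111111-2222-3333-4444-555555555555}",
        "2,{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}",
        "2,{99999999-8888-7777-6666-555555555555}",
        r"3,&Ping,\\Mydomain\NETLOGON\ping.cmd",
    ],
    OU_DN: ["1,{11111111-2222-3333-4444-555555555555}", "no-order-number"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running the same audit before and after installing an ADUC extension in a lab shows exactly which display specifier objects the installer changed.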
