Difference between revisions of "Active Directory/Documentation/SpecOps Addon for ADUC"

From WolfTech
Jump to navigation Jump to search
(Replacing page with '[http://activedirectory.ncsu.edu/ou-admins/tools/aduc/specops-gpupdate/ Migrated]')
 
(24 intermediate revisions by 2 users not shown)
Line 1: Line 1:
__NOTOC__
+
[http://activedirectory.ncsu.edu/ou-admins/tools/aduc/specops-gpupdate/ Migrated]
==Installation==
 
Installation is easy! Just add the SpecOps Update package to your computer. Please note that the software ONLY needs to be on YOUR computer -- the one you run MMC from; it will extend the MMC so you'll have more options when you right click on AD objects.
 
 
 
Please note that this software did not require an AD schema change. And should we ever need to, can be removed easily.
 
 
 
==Introduction==
 
Specops Gpupdate is a tool that lets the administrator perform tasks related to remote Group Policy processing directly from Active Directory Users and Computers (ADUC).
 
 
 
Figure 1: Remote Group Policy refresh from ADUC
 
 
 
There are four different commands that can be executed:
 
*Gpupdate – Makes the remote computer(s) perform a Group Policy refresh interval for both the computer and any logged on users with an optional parameter that will force all Group Policy Objects to be applied regardless if they have changed or not.
 
*Restart – Reboots the remote computer(s) and thereby applies Group Policy settings that can only be applied during boot.
 
*Shut Down – The same options as Reboot but the computer will not restart after it has been shut down. This is especially useful in combination with the Start command.
 
*Start – Sends a start command to the computer(s) using Wake-On-Lan technology. This way a computer can start up, Group Policy applies and then the computer can be shut down again, all done remotely. [unfortunately, due to our Unix DNS servers, this option will not work]
 
The computers can be selected in a number of ways.
 
*Selecting any number of computer objects directly in ADUC, see Figure 1.
 
*Selecting any number of Organizational Units (OU), all selected OUs will be recursively searched for all computer objects.
 
*Selecting any number of groups, this also works for nested groups.
 
*Selecting any number of domain objects, this will execute the commands on all computers in the selected domains.
 
*Using the ADUC Find feature and search for computers and then select computers from the result view.
 
 
 
==Using Specops Gpupdate==
 
 
 
As soon as Specops Gpupdate is installed on a computer with ADUC, select computers by right clicking on one or more domains, OUs, Security Groups or Computer objects and the context menu shown in Figure 1 will appear. Depending on the command that is selected, a dialog will appear that contains command specific options, see Figure 2 for an example of the option window.
 
 
 
[[Image:Specops2.jpg]]
 
Figure 2: Options for restart
 
 
 
 
 
When all options are selected, click on OK and the command will be executed and the result displayed. Please note that the "force" option seems to allow you to restart/shutdown systems that have been locked by the enduser. Not yet sure what it does in relation to "gpupdate". See figure 3 for an example.
 
 
 
 
 
[[Image:Specops3.jpg]]
 
Figure 3: Result from the Start Computers command
 
 
 
==Security==
 
Specops Gpupdate utilizes the Windows Security model, meaning that any user of Specops Gpupdate need appropriate permissions to perform the actions. For example when shutting down computers the user need remote shutdown permissions.
 
 
 
In general being a local administrator on the remote computer will satisfy all the security requirements needed, but following sections describe the permissions needed to perform the actions in more detail.
 
===Gpupdate===
 
*Permissions to run WMI on the remote computer and start processes.
 
*Any installed firewall must let WMI calls pass through.
 
===Restart/Shut down===
 
*Permission to shut down the remote computer remotely.
 
*Any installed firewall must let RPC calls pass through.
 
===Start computers===
 
*Read access to the DHCP servers in the enterprise. All domains have a group named DHCP Users that fulfill this requirement for DHPC Servers on Domain controller and all DHCP servers have the same local group for member servers.
 
*The DHCP server must be a Microsoft DHCP server, 3rd party DHCP servers are not supported.
 
 
 
 
 
==Support and troubleshooting==
 
Please visit our forums for support and help with troubleshooting. The forums are located here:
 
http://www.specopssoft.com/forum
 

Latest revision as of 21:32, 20 June 2011

Migrated

Retrieved from "https://tools.wolftech.ncsu.edu/support/index.php?title=Active_Directory/Documentation/SpecOps_Addon_for_ADUC&oldid=10267"