Difference between revisions of "Active Directory/Documentation/SpecOps Addon for ADUC"

From WolfTech
Line 1: Line 1:
 
__NOTOC__
 
__NOTOC__
 +
Specops Gpupdate is a tool that lets the administrator perform tasks related to remote Group Policy processing directly from Active Directory Users and Computers (ADUC).  The current version is Specops Gpupdate 2.0.
 +
 
==Installation==
 
==Installation==
  
Line 13: Line 15:
 
:* [http://www.microsoft.com/net/ Microsoft .NET Framework (version 3.5 or higher)]
 
:* [http://www.microsoft.com/net/ Microsoft .NET Framework (version 3.5 or higher)]
 
:* [http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx Windows PowerShell (version 1.0 or higher)]
 
:* [http://www.microsoft.com/windowsserver2003/technologies/management/powershell/download.mspx Windows PowerShell (version 1.0 or higher)]
 
  
 
====Installer====
 
====Installer====
 
Download and run the installer from [http://www.specopssoft.com/products/specopsgpupdate/ the SpecOps website].  The installer will self-extract and start, and you will see a window similar to the picture on the right.  If you have not yet installed the necessary pre-requisites, the installer gives you the option to download and install them.  Older versions of SpecOps Gpupdate will be detected and removed by the installer.
 
Download and run the installer from [http://www.specopssoft.com/products/specopsgpupdate/ the SpecOps website].  The installer will self-extract and start, and you will see a window similar to the picture on the right.  If you have not yet installed the necessary pre-requisites, the installer gives you the option to download and install them.  Older versions of SpecOps Gpupdate will be detected and removed by the installer.
  
==Introduction==
+
 
 +
==Using Specops Gpupdate==
 
[[Image:gpupdate-2-menu.jpg|thumb|Gpupdate context menu]]
 
[[Image:gpupdate-2-menu.jpg|thumb|Gpupdate context menu]]
  
Specops Gpupdate is a tool that lets the administrator perform tasks related to remote Group Policy processing directly from Active Directory Users and Computers (ADUC).
+
While Gpupdate has the ability to pin commands to the Action menu or right-click menu (as shown in the picture to the right), testing has found that commands typically do not work in this manner.  Instead, after selecting the objects, a user should choose the "Specops Remote Admin..." option, which will open the Gpupdate program menu.
  
There are five built-in commands that can be executed:
+
====Selecting objects====
 +
The computers can be selected in a number of ways.
 +
* Selecting any number of computer objects directly in ADUC.
 +
* Selecting any number of Organizational Units (OU), all selected OUs will be recursively searched for all computer objects.
 +
* Selecting any number of groups, this also works for nested groups.
 +
* Selecting any number of domain objects, this will execute the commands on all computers in the selected domains.
 +
* Using the ADUC Find feature and search for computers and then select computers from the result view.
  
*'''Gpupdate''' – Makes the remote computer(s) perform a Group Policy refresh interval for both computer and user.  An additional option will force all Group Policy Objects to be applied regardless if they have changed or not.
+
[[Image:gpupdate-2-program.jpg|thumb|Gpupdate main menu options]]
  
*'''Restart''' – Reboots the selected computer(s).  Additional options allow you to force close applications and provide a warning and countdown to logged-in users.
+
====Available Commands====
 +
Once the desired computers or objects have been selected and the program has been opened, there are five built-in commands that can be executed:
  
*'''Shut Down''' – Shuts down the selected computer(s).  Has the same options as Restart.
+
*''Gpupdate'' – Makes the remote computer(s) perform a Group Policy refresh interval for both computer and user.  By default, only policy settings that have changed are applied.
 +
** Additional option forces all policy settings to be re-applied.  Does not force a restart.
 +
*''Restart'' – Reboots the selected computer(s). 
 +
** Additional options allow you to force close applications and provide a warning and countdown to logged-in users.
 +
*''Shut Down'' – Shuts down the selected computer(s).   
 +
** Additional options are the same as Restart.
 +
*''Start'' – Sends a start command to the computer(s) using Wake-On-Lan technology.  Since we do not use Microsoft DHCP servers, this option requires the use of a [http://www.specopssoft.com/wiki/index.php/SpecopsRemoteAdmin/CustomPropertyFile Custom Property File].
 +
** Custom Property File can be created manually, but a way to automatically generate one is being developed.
 +
** Can only be used to start computers on the same VLAN as the computer that is sending the command.
 +
*''Windows Update'' - forces a computer to check for available Windows Updates (essentially forcing a wuauclt /detectnow)
  
*'''Start''' – Sends a start command to the computer(s) using Wake-On-Lan technology.
+
[[Image:gpupdate-2-results.jpg|thumb|Example of results display]]
  
*'''Windows Update''' - forces a computer to check for available Windows Updates (essentially forcing a wuauclt /detectnow)
+
====Results====
<br><br><br><br>
+
Once a command is executed, the tool will bring up a results window that will update as computers respond or actions time out.  See an example to the right.  Once finished, the results will show the number of computers that succeeded or failed and provide limited error msgs for those machines that failed.
  
==Using Specops Gpupdate==
+
'''Known Error messages'''
[[Image:gpupdate-2-program.jpg|thumb|Gpupdate main menu options]] As soon as Specops Gpupdate is installed on a computer with ADUC, select computers by right clicking on one or more domains, OUs, Security Groups or Computer objects and the context menu shown in Figure 1 will appear. Depending on the command that is selected, a dialog will appear that contains command specific options, see Figure 2 for an example of the option window.
+
* Ping: time out
 +
* Ping: no such host is known
 +
* RPC Server is unavailable
 +
<br><br><br>
  
When all options are selected, click on OK and the command will be executed and the result displayed. Please note that the "force" option seems to allow you to restart/shutdown systems that have been locked by the enduser. Not yet sure what it does in relation to "gpupdate". See figure 3 for an example.
 
<br><br><br><br>
 
 
==Security==
 
==Security==
[[Image:gpupdate-2-results.jpg|thumb|Example of results display]]
+
Specops Gpupdate utilizes the Windows Security model, meaning that any user of Specops Gpupdate need appropriate permissions to perform the actions. For example when shutting down computers the user need remote shutdown permissions.  In general being a local administrator on the remote computer will satisfy all the security requirements needed, but following sections describe the permissions needed to perform the actions in more detail.
Specops Gpupdate utilizes the Windows Security model, meaning that any user of Specops Gpupdate need appropriate permissions to perform the actions. For example when shutting down computers the user need remote shutdown permissions.
+
 
 +
Additionally, almost all commands require that all affected computers have the Windows Firewall Remote Administration exception enabled.
  
In general being a local administrator on the remote computer will satisfy all the security requirements needed, but following sections describe the permissions needed to perform the actions in more detail.
+
====Gpupdate====
===Gpupdate===
 
 
*Permissions to run WMI on the remote computer and start processes.
 
*Permissions to run WMI on the remote computer and start processes.
 
*Any installed firewall must let WMI calls pass through.
 
*Any installed firewall must let WMI calls pass through.
===Restart/Shut down===
+
====Restart/Shut down====
 
*Permission to shut down the remote computer remotely.
 
*Permission to shut down the remote computer remotely.
 
*Any installed firewall must let RPC calls pass through.
 
*Any installed firewall must let RPC calls pass through.
===Start computers===
+
====Start computers====
*Read access to the DHCP servers in the enterprise. All domains have a group named DHCP Users that fulfill this requirement for DHPC Servers on Domain controller and all DHCP servers have the same local group for member servers.
+
*For our environment, a Custom Property File must be used to properly identify the computers to be started.
*The DHCP server must be a Microsoft DHCP server, 3rd party DHCP servers are not supported.
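Review bot: In the Security section, the added sentence "almost all commands require that all affected computers have the Windows Firewall Remote Administration exception enabled" does not say which commands are exempt or which source addresses the exception should admit. Since the Gpupdate and Restart/Shut down subsections depend on WMI and RPC passing the firewall, name the commands that need the exception and recommend scoping it to the administrative subnets instead of opening it to any source. The same revision removes the note that the "force" option seems to allow restart or shutdown of systems locked by the end user; that behaviour is worth keeping under Restart and Shut Down, because the tool can act on whole OUs and domains. The Security subsections also move from === to ==== directly under ==Security==, which skips a heading level.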
 
  
  

Revision as of 14:57, 20 March 2009

Specops Gpupdate is a tool that lets the administrator perform tasks related to remote Group Policy processing directly from Active Directory Users and Computers (ADUC). The current version is Specops Gpupdate 2.0.

Installation

Gpupdate installer

As of Version 2.0, SpecOps Gpupdate is compatible with 32 and 64 bit versions of Windows XP (SP2 and higher) and Windows Vista.

Pre-requisites

If you are using Windows XP, you must install Microsoft Management Console v3.0 before attempting to install SpecOps Gpupdate 2.0.

The installer should be able to download the remaining pre-requisites, but in case you run into issues or wish to install them beforehand, links are provided below.

Installer

Download and run the installer from the SpecOps website. The installer will self-extract and start, and you will see a window similar to the picture on the right. If you have not yet installed the necessary pre-requisites, the installer gives you the option to download and install them. Older versions of SpecOps Gpupdate will be detected and removed by the installer.


Using Specops Gpupdate

Gpupdate context menu

While Gpupdate has the ability to pin commands to the Action menu or right-click menu (as shown in the picture to the right), testing has found that commands typically do not work in this manner. Instead, after selecting the objects, a user should choose the "Specops Remote Admin..." option, which will open the Gpupdate program menu.

Selecting objects

The computers can be selected in a number of ways.

  • Selecting any number of computer objects directly in ADUC.
  • Selecting any number of Organizational Units (OUs); all selected OUs will be searched recursively for computer objects.
  • Selecting any number of groups; this also works for nested groups.
  • Selecting any number of domain objects; this will execute the commands on all computers in the selected domains.
  • Using the ADUC Find feature to search for computers and then selecting computers from the result view.

[Image: Gpupdate main menu options]

Available Commands

Once the desired computers or objects have been selected and the program has been opened, there are five built-in commands that can be executed:

  • Gpupdate – Makes the remote computer(s) perform a Group Policy refresh for both computer and user. By default, only policy settings that have changed are applied.
    • Additional option forces all policy settings to be re-applied. Does not force a restart.
  • Restart – Reboots the selected computer(s).
    • Additional options allow you to force close applications and provide a warning and countdown to logged-in users.
  • Shut Down – Shuts down the selected computer(s).
    • Additional options are the same as Restart.
  • Start – Sends a start command to the computer(s) using Wake-on-LAN technology. Since we do not use Microsoft DHCP servers, this option requires the use of a Custom Property File.
    • Custom Property File can be created manually, but a way to automatically generate one is being developed.
    • Can only be used to start computers on the same VLAN as the computer that is sending the command.
  • Windows Update – Forces a computer to check for available Windows Updates (essentially forcing a wuauclt /detectnow).

[Image: Example of results display]

Results

Once a command is executed, the tool will bring up a results window that will update as computers respond or actions time out. See an example to the right. Once finished, the results will show the number of computers that succeeded or failed and provide limited error messages for those machines that failed.

Known Error messages

  • Ping: time out
  • Ping: no such host is known
  • RPC Server is unavailable




Security

Specops Gpupdate utilizes the Windows Security model, meaning that any user of Specops Gpupdate needs appropriate permissions to perform the actions. For example, when shutting down computers the user needs remote shutdown permissions. In general, being a local administrator on the remote computer will satisfy all the security requirements, but the following sections describe the permissions needed to perform the actions in more detail.

Additionally, almost all commands require that all affected computers have the Windows Firewall Remote Administration exception enabled.

Gpupdate

  • Permissions to run WMI on the remote computer and start processes.
  • Any installed firewall must let WMI calls pass through.

Restart/Shut down

  • Permission to shut down the remote computer remotely.
  • Any installed firewall must let RPC calls pass through.
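
The firewall requirements above and the three known error messages can be checked before a command is sent to a whole OU or domain. The following pre-flight check is an added example, not part of Specops Gpupdate or of the original page; the function name, the host names and the mapping from each failed check to an error message are assumptions. It does not verify WMI or shutdown permissions, only name resolution, ping and reachability of the RPC endpoint mapper.

```powershell
# Added example, not part of Specops Gpupdate. Requires Windows PowerShell 3.0 or later.
# The mapping from each failed check to a "known error message" is an assumption.
function Test-RemoteAdminReadiness {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [int] $TimeoutMs = 2000
    )
    foreach ($name in $ComputerName) {
        $r = [pscustomobject]@{
            ComputerName = $name; Resolves = $false; Pings = $false
            Rpc135Open = $false; LikelyError = $null
        }
        # 1. Name resolution: a stale computer object usually fails here.
        try {
            [void][System.Net.Dns]::GetHostEntry($name)
            $r.Resolves = $true
        } catch {
            $r.LikelyError = 'Ping: no such host is known'
            $r; continue
        }
        # 2. ICMP echo: the machine is off, unreachable, or blocks ping.
        $ping = New-Object System.Net.NetworkInformation.Ping
        try {
            $r.Pings = ($ping.Send($name, $TimeoutMs).Status -eq 'Success')
        } catch { $r.Pings = $false } finally { $ping.Dispose() }
        if (-not $r.Pings) { $r.LikelyError = 'Ping: time out'; $r; continue }
        # 3. TCP 135 (RPC endpoint mapper): closed when the firewall exception is missing.
        #    WMI/DCOM then moves to dynamic ports, which this check does not probe.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $pending = $tcp.BeginConnect($name, 135, $null, $null)
            if ($pending.AsyncWaitHandle.WaitOne($TimeoutMs) -and $tcp.Connected) {
                $tcp.EndConnect($pending)
                $r.Rpc135Open = $true
            }
        } catch { $r.Rpc135Open = $false } finally { $tcp.Close() }
        if (-not $r.Rpc135Open) { $r.LikelyError = 'RPC Server is unavailable' }
        $r
    }
}

# Constructed host names; replace with computers from the OU or group you plan to select.
Test-RemoteAdminReadiness -ComputerName 'lab-pc-01.example.edu', 'lab-pc-02.example.edu' |
    Format-Table -AutoSize
```

A target with LikelyError empty passed all three checks; a command can still fail there if the account lacks the permissions listed in this section.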

Start computers

  • For our environment, a Custom Property File must be used to properly identify the computers to be started.
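
Why Start works only within the sender's VLAN follows from how a Wake-on-LAN packet is built and sent. The sketch below is an added example, not Specops code and not from the original page; the function names and the MAC address are constructed, and UDP port 9 is a common convention, not a setting taken from the tool.

```powershell
# Added example, not Specops code. Builds and sends a standard Wake-on-LAN magic packet.
function New-MagicPacket {
    param([Parameter(Mandatory)] [string] $MacAddress)
    # Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 0011.2233.4455.
    $hex = $MacAddress -replace '[-:.]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "Invalid MAC address: $MacAddress" }
    $mac = New-Object byte[] 6
    for ($i = 0; $i -lt 6; $i++) {
        $mac[$i] = [Convert]::ToByte($hex.Substring($i * 2, 2), 16)
    }
    # Payload: 6 bytes of 0xFF followed by the target MAC repeated 16 times (102 bytes).
    $packet = New-Object byte[] 102
    for ($i = 0; $i -lt 6; $i++) { $packet[$i] = 0xFF }
    for ($n = 0; $n -lt 16; $n++) { [Array]::Copy($mac, 0, $packet, 6 + $n * 6, 6) }
    , $packet   # the leading comma returns the array as one object
}

function Send-MagicPacket {
    param(
        [Parameter(Mandatory)] [string] $MacAddress,
        [string] $Broadcast = '255.255.255.255',
        [int] $Port = 9
    )
    $packet = New-MagicPacket -MacAddress $MacAddress
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        # A sleeping machine has no IP stack to answer ARP, so the packet goes out as a
        # broadcast. Routers do not forward this broadcast by default, hence "same VLAN".
        $udp.EnableBroadcast = $true
        [void]$udp.Send($packet, $packet.Length, $Broadcast, $Port)
    } finally { $udp.Close() }
}

# Constructed MAC address for illustration.
Send-MagicPacket -MacAddress '00-11-22-33-44-55'
```

The packet carries no authentication, and the only per-computer input is the MAC address, so the sender needs a source that maps each computer to its MAC.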


Support and troubleshooting

Please visit our forums for support and help with troubleshooting. The forums are located here: http://www.specopssoft.com/forum