ADUC Menu Extensions in Specops Products

A user in Active Directory may be affected by a Group Policy extended with Specops settings. Many Specops products add an extension to the Active Directory Users and Computers (ADUC) console. Right-clicking on a user object will display new options/menus with Specops settings.

All Specops products that extend the Active Directory User and Computers (ADUC) menu, use a common framework built on a Microsoft technology called Display Specifiers. This technology requires that the component that handles the menus is registered in Active Directory in the Configuration Container. This registration is a one-time action for all Specops products, regardless of how many Specops products are installed. For example, if this is performed when installing Specops Gpupdate, it is not necessary to perform it again when installing Specops Password Policy.

Display Specifiers and permissions

Since Display Specifiers are located in the Configuration Container, only Domain Admins in the root domain and Enterprise Admins can update them by default.

The change is fully reversible and has nothing to do with Active Directory Schema Extensions.

Unregistering the Specops ADUC extensions

Adding Display Specifiers is not a schema update and the process is reversible. Use the below script to remove our display specifiers from Active Directory.

Requirements: The PowerShell Active Directory module is installed on the computer where the script is running. For information on how to install the PowerShell Active Directory module, click here.

#Requires -Modules ActiveDirectory

function Remove-SpecopsDisplaySpecifiers
{
[CmdletBinding(SupportsShouldProcess = $true)]
param ()

    begin {
        # Specops display specifier id:s
        $SpecopsComputerDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae4}";
        $SpecopsDomainDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae8}";
        $SpecopsGroupDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae7}";
        $SpecopsOuDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae6}";
        $SpecopsUserDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae5}";

        Push-Location
    }

    process
    {
        function RemoveDisplaySpecifier([string]$adPath, [string]$displaySpecifierId) {
            cd ad:\
            $value = Get-ItemPropertyValue -LiteralPath $adPath -Name "adminContextMenu"
    
            [array]$newValue = $value | % {
                if(([string]$_).ToLower().Contains($displaySpecifierId.ToLower())){
                    Set-ADObject -Identity $adPath -Remove @{ adminContextMenu = $_ }
                }
            }
        }


        $rootDSE = Get-ADRootDSE
        $displaySpecifiersLdapPath = "CN=DisplaySpecifiers,$($rootDSE.configurationNamingContext)"
        cd AD:\$displaySpecifiersLdapPath

        $languages = Get-ChildItem 
        $completedCount = 1
        $totalCount = $languages.Count

        $languages | % {
            $currentCultureFolder = $_.DistinguishedName
            $culture = [int]"0x$($_.Name)"

            $languageName = [System.Globalization.CultureInfo]::GetCultureInfo($culture).DisplayName
            $activity = "Removing Specops display specifier"
            Write-Progress -Activity $activity -PercentComplete (($completedCount/[float]$totalCount)*100) -CurrentOperation $languageName 

            RemoveDisplaySpecifier "CN=computer-Display,$currentCultureFolder" $SpecopsComputerDisplaySpecifier
            RemoveDisplaySpecifier "CN=domainDNS-Display,$currentCultureFolder" $SpecopsDomainDisplaySpecifier
            RemoveDisplaySpecifier "CN=group-Display,$currentCultureFolder" $SpecopsGroupDisplaySpecifier
            RemoveDisplaySpecifier "CN=organizationalUnit-Display,$currentCultureFolder" $SpecopsOuDisplaySpecifier
            RemoveDisplaySpecifier "CN=user-Display,$currentCultureFolder" $SpecopsUserDisplaySpecifier
            $completedCount++
        }
    }

    end {
        Pop-Location
    }
}