ADUC Menu Extensions in Specops Products

A user in Active Directory may be affected by a Group Policy extended with Specops settings. Many Specops products add an extension to the Active Directory Users and Computers (ADUC) console. Right-clicking on a user object will display new options/menus with Specops settings.

All Specops products that extend the Active Directory User and Computers (ADUC) menu, use a common framework built on a Microsoft technology called Display Specifiers. This technology requires that the component that handles the menus is registered in Active Directory in the Configuration Container. This registration is a one-time action for all Specops products, regardless of how many Specops products are installed. For example, if this is performed when installing Specops Gpupdate, it is not necessary to perform it again when installing Specops Password Policy.

Display Specifiers and permissions

Since Display Specifiers are located in the Configuration Container, only Domain Admins in the root domain and Enterprise Admins can update them by default.

The change is fully reversible and has nothing to do with Active Directory Schema Extensions.

Unregistering the Specops ADUC extensions

Adding Display Specifiers is not a schema update and the process is reversible. Use the below script to remove our display specifiers from Active Directory.

Requirements: The PowerShell Active Directory module is installed on the computer where the script is running. For information on how to install the PowerShell Active Directory module, click here.

#Requires -Modules ActiveDirectory

function Remove-SpecopsDisplaySpecifiers
{
[CmdletBinding(SupportsShouldProcess = $true)]
param ()

    begin {
        # Specops display specifier id:s
        $SpecopsComputerDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae4}";
        $SpecopsDomainDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae8}";
        $SpecopsGroupDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae7}";
        $SpecopsOuDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae6}";
        $SpecopsUserDisplaySpecifier = "{f27de543-395d-4151-8e7d-834f06200ae5}";

        Push-Location
    }

    process
    {
        function RemoveDisplaySpecifier([string]$adPath, [string]$displaySpecifierId) {
            cd ad:\
            $value = Get-ItemPropertyValue -LiteralPath $adPath -Name "adminContextMenu"
    
            [array]$newValue = $value | % {
                if(([string]$_).ToLower().Contains($displaySpecifierId.ToLower())){
                    Set-ADObject -Identity $adPath -Remove @{ adminContextMenu = $_ }
                }
            }
        }


        $rootDSE = Get-ADRootDSE
        $displaySpecifiersLdapPath = "CN=DisplaySpecifiers,$($rootDSE.configurationNamingContext)"
        cd AD:\$displaySpecifiersLdapPath

        $languages = Get-ChildItem 
        $completedCount = 1
        $totalCount = $languages.Count

        $languages | % {
            $currentCultureFolder = $_.DistinguishedName
            $culture = [int]"0x$($_.Name)"

            $languageName = [System.Globalization.CultureInfo]::GetCultureInfo($culture).DisplayName
            $activity = "Removing Specops display specifier"
            Write-Progress -Activity $activity -PercentComplete (($completedCount/[float]$totalCount)*100) -CurrentOperation $languageName 

            RemoveDisplaySpecifier "CN=computer-Display,$currentCultureFolder" $SpecopsComputerDisplaySpecifier
            RemoveDisplaySpecifier "CN=domainDNS-Display,$currentCultureFolder" $SpecopsDomainDisplaySpecifier
            RemoveDisplaySpecifier "CN=group-Display,$currentCultureFolder" $SpecopsGroupDisplaySpecifier
            RemoveDisplaySpecifier "CN=organizationalUnit-Display,$currentCultureFolder" $SpecopsOuDisplaySpecifier
            RemoveDisplaySpecifier "CN=user-Display,$currentCultureFolder" $SpecopsUserDisplaySpecifier
            $completedCount++
        }
    }

    end {
        Pop-Location
    }
}

(Last updated on September 11, 2018)

Tags: , ,

Written by

Johan Soderstrom

Product Specialist, Specops Software

More Articles
Back to Blog

Related Articles

  • Deploy / OS Training Series (part 1): Environmental Preparations

    Specops Deploy has been designed from the ground up to utilize and integrate with your existing Windows environment. This offers customers unique advantages such as fast implementation, and native scalability. Most importantly, your Specops Deploy environment will be as stable, and reliable as your Windows environment. The Training Series will provide you with all the…

    Read More
  • Keep your corporate golden image golden

    Trying to keep a golden image up-to-date is a challenge many IT administrators struggle with. But it’s a necessity since updating the image with patches and settings means you shorten the time your users need to wait. There’s a tried and tested way to do this that is going to make your life much easier….

    Read More
  • Removing DHCP options 66 and 67 for WDS PXE booting

    When our Specops Deploy customers run into errors during PXE boot, the likely culprit is often DHCP scope options 66 and 67. Aside from Microsoft not supporting the use of the aforementioned options to redirect PXE clients, it can be limiting as it will not work when there are UEFI and BIOS based machines on…

    Read More