Specops Command Features

Page Contents (hide)

Automatic Windows PowerShell installation
Script execution in both foreground and background mode
Windows PowerShell snap-in management
Credential elevation
Execution feedback
Custom feedback
Undo Scripts
PowerGUI integration
VBScript Support
Targeting
Scheduling
Script signing
Specops Reporting

This page lists the major features of Specops Command.

Each feature is accompanied with a brief description and a sample screen shot.

Automatic Windows PowerShell installation

Before being able to execute PowerShell scripts on any computer, PowerShell must first be installed, but this is all automatically handled by Specops Command, and thus actually the easiest way to deploy Windows PowerShell in any organization.

Windows PowerShell comes in quite a few different package versions. There are different versions for Vista x86, Vista x64, Windows XP x86, Windows Server 2003 x86, Windows XP/Windows Server x64 and finally on Windows Server 2008 where it is installed out-of-the-box but not enabled by default.

Specops Command will automatically manage the installation of Windows PowerShell and install the proper version in the background if not already installed. The installation happens the first time a Windows PowerShell is going to execute and Specops Command discovers that Windows PowerShell is not installed, so if for example only VBScript is used then Windows PowerShell will never be installed.

Script execution in both foreground and background mode

Specops Command is a true Group Policy Extension and executes at the Group Policy refresh intervals, this means that it is possible to execute scripts not only during boot and/or logon (foreground), but also during any background Group Policy refresh interval, by default every 90 minutes plus a random offset of 0 to 30 minutes. So for example compared to managing computers using Logon and Startup scripts, there is no need to reboot servers or have all users logoff and logon to have the scripts apply. This also means that by default any script set using Specops Command can apply to all computers in an organization within two hours maximum using the default Group Policy settings.

Windows PowerShell snap-in management

PackagedSnapIns.JPG: 850x304, 62k (November 28, 2007, at 03:46 PM)

The window for displaying and upgrading the PowerShell snap-ins automatically packaged into a GPO

One of the major features of Windows PowerShell is the extensibility, and the ability to extend Windows PowerShell with new functionality that is implemented as so called Cmdlets or Providers and then packaged as Windows PowerShell snap-ins. However, to access the features of a snap-in, the snap-in needs to be present on the computer, registered and added to the PowerShell environment. This can quickly become a management nightmare if done manually on a large number of computers. Specops Command manages the entire process automatically and registers required PowerShell snap-ins on demand.

When editing a PowerShell script if a cmdlet name is highlighted in red color it indicates that it is a non standard cmdlet that is installed on the administrators computer. When saving the script assignment the PowerShell snap-in containing the cmdlet will be compressed and packaged into the GPO.

If a cmdlet is highlighted in green it indicates that it is a non standard cmdlet that is already packaged into the GPO. Using this feature multiple administrators can test execute scripts created by other administrators even if they are lacking some of the custom cmdlets used in the script.

Credential elevation

ScriptUserExecutionContext2.jpg: 899x643, 83k (March 25, 2008, at 12:10 PM)

The help text displayed is for the Execution context drop-down

When executing a logon script, normally a VBScript or batch file, the script executes in the security context of the user. Because of this limitation in a normal environment where the logged on users have no administrative privileges it is not possible to perform a number of administrative tasks such as uninstalling software, writing to certain parts of the registry etc. With Specops Command that limitation no longer applies. The Script Assignments that are being executed from the user part of the GPO have the option to run with the logged on users credentials or running with full system credentials in a totally secure way.

Execution feedback

DetailedFeedback.JPG: 1125x468, 146k (November 28, 2007, at 03:47 PM)

Detailed feedback from the script assignments, including error messages and line numbers

Specops Command can report the result of every script execution back to the administrator. If any Script Assignment fails, the administrator will instantly get detailed error information including the line number in the script where the error occurted.

The feedback level can be configured to only report errors.

Custom feedback

Included in Specops Command is a PowerShell snap-in containing a Cmdlet called Send-Feedback. This cmdlet can be used to send any type of information back to the administrator from within the PowerShell scripts that execute on the client computers. Below is a sample script utilizing the Send-Feedback cmdlet.

$rand = New-Object System.Random
$value = $rand.next(0, 2) \\
if ($value -eq 0)
{
Send-Feedback “Yes Way!”
}
else
{
Send-Feedback “No Way!”
}

The Send-Feedback cmdlet can also be used as part of the pipeline. That is, the output of some previous command can be sent to Send-Feedback through the pipeline.

For example an administrator could write a Windows PowerShell script that checks if a certain Windows patch is installed and then send this information back using the Send-Feedback cmdlet in the script. The collected information can be viewed in the detailed feedback window of the MMC snap-in as well as from Specops Reporting.

Undo Scripts

ScriptUserUndo2.JPG: 899x643, 85k (March 25, 2008, at 12:11 PM)

Each script assignment can contain a normal script and an undo script

The ability to perform arbitrary actions through scripts on any number of computers with Windows PowerShell and Group Policy is extremely powerful, but the power to undo the changes is equally powerful. With Specops Command you can create “Undo Scripts” that will execute as soon as a Script Assignment is out of management scope.

For example a Script Assignment can be created with a script that configures certain security settings on computers and then the GPO can be filtered by a security group called for example “high security computers”. This will result in all computers in that security group being secured. You can then define an Undo Script that reverses the settings. Thanks to this the security constraints will automatically be removed if the computer is no longer a member of the group.

PowerGUI integration

PowerGui2.JPG: 946x682, 116k (March 25, 2008, at 12:11 PM)

Link for editing the script in PowerGUI

Specops Command is integrated with PowerGUI. If PowerGUI is installed on the administrators computer the option for editing the scripts in PowerGUI will automatically be enabled. If PowerGUI is not installed information about how to obtain it will be displayed.

PowerGUI is a full featured PowerShell editor including advanced features such as debugging.

VBScript Support

ScriptVisualBasic.jpg: 844x565, 84k (November 28, 2007, at 03:47 PM)

A VBScript in the editor

In addition to PowerShell scripts, Specops Command also supports VBScript. Any script you create can be either PowerShell or VBScript. Detailed error feedback will be returned for both PowerShell and VB Scripts.

The built in script syntax editor will update accordingly when you change script language.

Targeting

TargetShort.JPG: 776x445, 74k (November 28, 2007, at 03:48 PM)

A script assignment can be decorated with a complex target to make it apply to specific computers or users

Group Policy has a Scope of Management that is used to select what computers and users that should receive the settings in the Group Policy. These settings are limited to Domains, Organizational Units and Sites and can be further refined by using Security Groups. Specops Commands adds a lot of new options enabling an extremely granular selection where Script Assignments should be executed, for example Operating System versions, Registry keys etc.

Scheduling

Schedule.JPG: 730x564, 64k (November 28, 2007, at 03:48 PM)

Example of a script assignment schedule

Specops Command has full scheduling functionality. Recurrence options for script assignments can be defined, for example daily and weekly. Specific time windows can also be selected to make sure that the scripts are only executed during specific hours in the day.

For example if a script is created that does general cleanup and optimization of desktops, like running a disk defrag job, this could be scheduled to only be performed on weekends.

Script signing

ScriptSigned.JPG: 938x644, 123k (November 28, 2007, at 03:48 PM)

Example of a signed script

PowerShell scripts can be signed from Specops Command by using a certificate with a private key.

The clients can then be configured to only run signed scripts. You can also open already signed PowerShell scripts and import them into Specops Command and retain the information about the signer.

Specops Reporting

Sample report of all failed script executions

Specops Command ships with the full fledged reporting solution Specops Reporting which contains several premade reports using feedback information from the script assignments. It is also very easy to create new reports on the fly and even combining the information from Specops Command with that of Specops Inventory.

Specops Wiki
	Specopscommand / Features	Edit Page \| Page History \| Wiki Help PDF \| Print \| Search: