After you have fully implemented a least-privilege delegation model in Active Directory, I recommend that you take the next logical step, which is to provide administrative tools that make it as easy as possible for administrators to perform the tasks they have been delegated. This is particularly important for front-line administrators, who are typically less familiar with Active Directory and with the specific procedures of your organization. By creating productive MMC consoles, you can provide visibility to tasks, tools, and documentation that will empower your administrative teams. The consoles will consist of taskpads, and the taskpads will quite often be derived from saved queries rather than from organizational units or containers in the Active Directory hierarchy. Integrate procedural documentation directly into the console, along with an administrative home page that can serve as both the opening page of the console and the hub for navigation to each taskpad.
Create a Console with Saved Queries
First, open a blank MMC and add the Active Directory Users and Computers snap-in. Although you can create taskpads using your OU structure, you will be better served by creating saved queries.
Saved queries are, in my opinion, the foundation for effective administration in the Active Directory Users and Computers snap-in. You can create saved queries that display views of objects based on the scopes of management for your administrators. For example, for your Help desk you can create views of all nonadministrative users, all client computers, and all groups. For a team that supports users in a particular site or department, you can create views that show the users and computers in that scope of management based on those objects’ membership in a relevant group.
When you create a saved query for user objects, I recommend adding the pre–Windows 2000 logon name as a column because many of the tools and scripts in this resource kit can be added as taskpad tasks and pass the pre–Windows 2000 logon name as a parameter. Figure 1 shows a saved query that displays all nonadministrative users in the domain.
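The saved queries described above are, underneath, LDAP filters. The following added example (not code from the resource kit) runs the filters behind the four scopes the text mentions from PowerShell with the ActiveDirectory module from RSAT, so you can confirm what each scope returns before building a taskpad on it. It assumes that "administrative" users are those stamped with adminCount=1 by AdminSDHolder, that client computers are those whose operatingSystem value does not contain "Server", and that the team scope is membership in a group whose distinguished name is a placeholder here:

```powershell
# Added example, not from the resource kit. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Each entry is one saved-query scope from the text: the LDAP filter plus the cmdlet
# that searches the matching object class. The DN in the last entry is a placeholder.
$scopes = @{
    'Non-administrative users' = @{
        # adminCount=1 is stamped by AdminSDHolder on protected accounts (assumption: that
        # is what "administrative" means here). Note that it is not cleared automatically
        # when an account leaves a protected group, so review such accounts separately.
        Filter = '(&(objectCategory=person)(objectClass=user)(!(adminCount=1)))'
        Cmdlet = 'Get-ADUser'
    }
    'Client computers' = @{
        Filter = '(&(objectCategory=computer)(!(operatingSystem=*Server*)))'
        Cmdlet = 'Get-ADComputer'
    }
    'Groups' = @{
        Filter = '(objectCategory=group)'
        Cmdlet = 'Get-ADGroup'
    }
    'Seattle site users' = @{
        # Team scope based on group membership; placeholder group DN.
        Filter = '(&(objectCategory=person)(objectClass=user)(memberOf=CN=Seattle Users,OU=Groups,DC=contoso,DC=com))'
        Cmdlet = 'Get-ADUser'
    }
}

foreach ($name in $scopes.Keys) {
    $scope = $scopes[$name]
    # sAMAccountName is the pre-Windows 2000 logon name that the text recommends
    # showing as a column, because taskpad tasks pass it to scripts as a parameter.
    $objects = & $scope.Cmdlet -LDAPFilter $scope.Filter -Properties sAMAccountName
    '{0}: {1} object(s)' -f $name, @($objects).Count
    $objects | Select-Object Name, sAMAccountName, DistinguishedName | Format-Table -AutoSize
}
```

The same filter string is what you paste into the saved query's Define Query dialog box (Find: Custom Search, Advanced tab). Running it here first lets you spot a scope that is wider than the delegation it is meant to mirror before any administrator gets a taskpad built on it.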
Create a Taskpad with Tasks for Each Delegated Ability
Next, for each saved query, create a taskpad view with tasks for the capabilities that you have delegated to the team that will use the console. For example, if you have delegated the ability to reset user passwords, provide a task for the Reset Password menu command. The following steps summarize how to create a taskpad view for a saved query displaying user objects:
- Right-click the saved query that displays the objects for which you have delegated administrative tasks, and choose New Taskpad View.
- The New Taskpad View Wizard appears. Click Next.
- In the Taskpad Style page, click Next.
- In the Taskpad Reuse page, select the Selected Tree Item option button and click Next.
- In the Name And Description page, accept the default name and click Next.
- Clear the Add New Tasks To This Taskpad After The Wizard Closes check box, and click Finish.
After you create the taskpad view, add tasks for each delegated ability. When adding tasks for commands such as the Reset Password command, you add menu command tasks. The following steps illustrate the process for adding menu command tasks:
- Right-click the saved query for which you created the taskpad, and choose Edit Taskpad View.
- Click the Tasks tab.
- Click the New button.
- The New Task Wizard appears. Click Next.
- Select the Menu Command option button, and click Next. The Menu Command page appears, as shown in Figure 2.
- Select a command from the Available Commands list. The list of menu commands in the Available Commands list is based on the type of object selected on the left side of the dialog box. This is one of the trickiest and most frustrating parts of building taskpads. For example, notice in Figure 2 that the Disable Account command is available but there is no Enable Account command. That’s because the selected object is an enabled user. If you select a disabled user on the left side, the Enable Account command appears but the Disable Account command disappears. So you must select the correct type of object before the command you want becomes available.
- Click Next.
- Enter the name for the task in the Task Name box. This name will be the label of the hyperlink to the task.
- Optionally, enter a description in the Description box. This description will appear below the task hyperlink in the taskpad.
- Click Next.
- Select an icon or click the Custom Icon option button, and then click Browse to choose an icon. There are more interesting and colorful icons in the file C:\Windows\System32\Shell32.dll. Windows Vista and Windows Server 2008 also have a plethora of icons in C:\Windows\System32\Imageres.dll.
- After you have selected your icon, click the Next button.
- Click Finish, and then click OK to close the Properties dialog box for the query you selected.
The resulting taskpad should appear similar to Figure 3. I added several more tasks. Remember that tasks are context sensitive—the tasks you’ve added to the taskpad appear only when you select an object in the details pane.
Add Productive Tools and Scripts to the Taskpads
Make sure to integrate into the taskpads links to useful tools and utilities from Microsoft, from the Windows Administration Resource Kit, and from third parties. Also add shell commands that can launch common applications such as the command prompt. The administrator who uses this console will log on to her system with a nonprivileged user account. She will then proceed to launch this console with the elevated credentials of her administrative account. Any processes launched from the console will inherit elevated credentials, allowing easy access to administrative tools without the need to reenter the secondary user name and password.
Add Procedures and Documentation to the Console
I recommend that you integrate documentation of your environment and of procedures related to Windows administration directly into the MMC. This can be done one of two ways. First, you can add a shell command task to a taskpad that launches a document with the appropriate application. For example, a shell command can launch winword.exe with a parameter that opens procedural documentation. Second, if the documentation is available on your intranet, you can integrate the documentation using a Link to Web Address snap-in.
Create an Administrative Home Page within the Console
Create a node in the console that can be used as a home page for the console. Because of the awkward way in which navigation between taskpads is implemented, you will find it much easier to have this home page as a kind of home base or hub from which you can navigate to individual taskpads. Each taskpad will have a single navigation link back to this page.
You can use any taskpad as this home page, but if you happen to have an intranet site for your administrators, such as a SharePoint or IT portal, I suggest you add that into the MMC using a Link to Web Address snap-in and then create a taskpad using that snap-in. A folder snap-in can serve as a home page if you use a taskpad with the no-list format.
At one client location where we leveraged such consoles, the administrative home page of the MMC was a taskpad for a Link to Web Address snap-in, which itself pointed to the home page of our IT administration SharePoint site. SharePoint then allowed us to easily manage Web content that was then integrated directly into the console. For example, we included a schedule of Help desk shift assignments and important announcements on the SharePoint home page so that information was regularly visible to administrators as they navigated between taskpads.
Add Each Taskpad to the MMC Favorites
Navigate to each taskpad in the console that you want to make available to the administrators who will use the console. Add the node to your Favorites in the console using the Favorites menu. Be sure to add the administrative home page to your Favorites folder as well.
Create Navigation Tasks
Edit the taskpad view of the administrative home page, and add navigation tasks to each of the nodes that you added to your Favorites folder. Then edit each taskpad, and add a single navigation link back to the administrative home page. After you have completed these steps, you should be able to use the navigation tasks on each taskpad to navigate between the administrative home page and each taskpad in the console.
Figure 4 shows an example of the resulting administrative home page. Each of the other taskpads in the console can be reached using navigation tasks on the left-hand side of the taskpad.
Save the Console in User Mode
To prevent users from modifying your taskpad, you need to save the console in User mode. To change a console’s mode, choose File, Options. By default, new consoles are saved in Author mode, which enables users to add and remove snap-ins, view all portions of the console tree, and save customizations. User mode, on the other hand, restricts the functionality of the console so that it cannot be changed. There are three types of user modes, described in Table 1. User Mode—Full Access is commonly selected for a console provided to skilled administrators with diverse job tasks requiring broad use of the console’s snap-ins. User Mode—Limited Access is a locked-down mode and is therefore selected for a console provided to administrators with a more narrow set of job tasks. When a console is no longer saved in Author mode, you—the original author—can make changes to the console by right-clicking the saved console and choosing Author.
Table 1: MMC Modes
Author Mode: You want to continue customizing the console.
User Mode—Full Access: You want users of the console to be able to navigate between and use all snap-ins. Users will not be able to add or remove snap-ins, or change the properties of snap-ins or the console.
User Mode—Limited Access, Multiple Windows: You want users to navigate to and use only the snap-ins that you have made visible in the console tree, and you want to preconfigure multiple windows that focus on specific snap-ins. Users will not be able to open new windows.
User Mode—Limited Access, Single Window: You want users to navigate to and use only the snap-ins that you have made visible in the console tree, within a single window.
Lock Down the Console View
This last step enables you to lock down the console completely. If you click the View menu and choose the Customize command, you can choose to hide some or all of the components of the MMC window. By hiding the console tree, for example, you discourage administrators from browsing the directory by restricting them to the taskpads and navigation links you have provided.
Distribute the Console
Save the highly customized console to a location that can be accessed by all administrators. That will make it easier for you to manage revisions to the console. Remember that consoles are basically a set of instructions that are interpreted by mmc.exe—instructions that specify which snap-ins to add and which computers to manage with those snap-ins. Consoles do not contain the snap-ins themselves. Therefore, a console will not function properly if the snap-ins it contains have not been installed. So be sure you have installed appropriate snap-ins from the Administrative Tools (adminpak.msi in Windows XP and Windows Server 2003) or the remote server administration tools (RSAT in Windows Vista or Windows Server 2008).
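Two points above deserve a concrete check: the console is launched from a nonprivileged logon under a separate administrative account, so that every process started from a taskpad inherits that token (see "Add Productive Tools and Scripts to the Taskpads"), and a console is only a set of instructions for mmc.exe that fails if the snap-ins it names are not installed. The following added launcher script (not code from the resource kit) ties both together. The share path, account name, and domain are placeholders, and it assumes the console relies on the Active Directory Users and Computers snap-in, whose console file dsa.msc is installed with the AD DS tools in adminpak.msi or RSAT:

```powershell
# Added example, not from the resource kit. Run from the administrator's
# nonprivileged logon session.
$console      = '\\fileserver\consoles\HelpDesk.msc'   # placeholder: shared console location
$adminAccount = 'CONTOSO\alice.admin'                  # placeholder: secondary admin account

if (-not (Test-Path $console)) {
    throw "Console not found: $console"
}

# The .msc file does not contain the snap-ins; they must be installed locally.
# dsa.msc ships with the AD DS tools, so its presence is a usable proxy for the
# Active Directory Users and Computers snap-in (assumption: that is the snap-in
# this console depends on).
$aduc = Join-Path $env:SystemRoot 'System32\dsa.msc'
if (-not (Test-Path $aduc)) {
    throw 'Active Directory Users and Computers is not installed; install adminpak.msi or RSAT first.'
}

# Prompt for the administrative credentials instead of storing them anywhere.
$cred = Get-Credential -UserName $adminAccount -Message 'Administrative account for the console'

# mmc.exe starts under the administrative token. Every process launched from a
# taskpad shell-command task (cmd.exe, scripts, winword.exe) inherits that token,
# which is why the secondary user name and password are not entered again.
Start-Process -FilePath (Join-Path $env:SystemRoot 'System32\mmc.exe') `
              -ArgumentList "`"$console`"" `
              -Credential $cred
```

To confirm the inheritance from inside the console, a shell-command task that runs cmd.exe with the parameter /k whoami opens a prompt showing the administrative account rather than the logon account. Because that token is the one every taskpad tool runs under, keep the shared console folder writable only by the people who author the console; anyone who can edit the .msc can change which commands those tasks run.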
From Windows Administration Resource Kit: Productivity Solutions for IT Professionals
By Dan Holme
Publisher: Microsoft Press
Released: February 2008