Last time, I showed you how to give your Help desk staff the authority to handle forgotten passwords without giving them sweeping administrative privileges. But what if your company wants to delegate password-reset authority or a similar task to users other than the Help desk staff? By creating a custom Microsoft Management Console (MMC) console, you can provide these delegated users with a simplified, streamlined interface for quickly handling these password resets.
An MMC Primer
MMC is Microsoft's standard platform for administrative and system-management tools. MMC lets you use snap-ins to manage every part of Windows 2000, and even other applications, from the same standard interface. Mmc.exe itself is just a host; you can't do anything with it until you load one or more snap-ins. To see which snap-ins come with Win2K, run mmc.exe, select Add/Remove Snap-in from the Console menu, and click Add. Screen 1 shows the standard snap-ins on a Win2K server. An MMC console is a simple file (*.msc) that specifies one or more snap-ins and certain options for each one. When you open the Start menu's Administrative Tools folder, you can see that a console exists for most of the snap-ins in Screen 1. The shortcuts under Administrative Tools are mostly simple consoles with one snap-in, such as Active Directory Users and Computers.
One of the key settings a console specifies is the snap-in's context. For instance, the console might specify loading the Event Viewer snap-in and focusing it on the local system. Consoles can also specify view options, create shortcuts for common tasks, and limit which menu commands are available in the console. For a detailed introduction to MMC, see Mike Reilly's "A Tour Through Beta 3," December 1999.
MMC helps simplify delegated tasks for nonadministrators. You can create custom consoles that display only the proper context and enable only the needed commands. However, this latter ability is not a security control: a console can hide a command, but it can't grant or revoke the right to execute it. Always use Win2K's rights and permissions to control what users can actually do. Enabling a command in a console, such as Create user account, lets a user run it only if that user already has the proper permissions in the domain. Conversely, disabling an option in a console doesn't stop users from building their own console, or from running the same operation manually from a command-line tool or script, because the domain's permissions, not the console, decide whether the operation succeeds. Hence, MMC's real value from a security standpoint is that it makes delegating security tasks to nonadministrators, especially nontechnical departmental staff, practical enough that you can do it instead of handing out broad administrative rights.
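The check a practitioner wants at this point is proof that the permission, not the console, is what governs a reset. The following PowerShell script is an added example, not code from the original article, and it assumes a current domain with the ActiveDirectory module (which postdates Win2K); the OU name, the delegated account, and the target user are placeholders. It lists every trustee on the OU that holds the Reset Password control access right, then attempts a reset as the delegated account, which fails with an access-denied error for an account that lacks the right no matter which console it uses.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and an AD: drive; replace the placeholder OU, accounts and names.
Import-Module ActiveDirectory

# Placeholder: the OU on which password-reset authority was delegated.
$ouDn = 'OU=Sales,DC=example,DC=com'

# rightsGuid of the "Reset Password" control access right in the AD schema.
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'

function Get-ResetPasswordHolders {
    # Lists ACEs on the OU that convey Reset Password, directly or via
    # "all extended rights" (ObjectType empty) or GenericAll (includes ExtendedRight).
    param([Parameter(Mandatory)][string]$OuDn)

    $acl = Get-Acl -Path "AD:\$OuDn"
    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    $acl.Access | Where-Object {
        $_.ActiveDirectoryRights.HasFlag($extended) -and
        ($_.ObjectType -eq $resetPasswordRight -or $_.ObjectType -eq [guid]::Empty)
    } | Select-Object IdentityReference, AccessControlType, InheritanceType, IsInherited
}

function New-TemporaryPassword {
    # 14 characters from an unambiguous set; staff read this to the caller.
    $chars = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%'
    return -join ((1..14) | ForEach-Object { $chars | Get-Random })
}

function Reset-DelegatedPassword {
    # Resets the account's password as the delegated (non-admin) user and
    # forces a change at next logon. Forcing the change writes pwdLastSet,
    # which the Delegation of Control wizard's "Reset user passwords and
    # force password change at next logon" task grants along with the right.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][pscredential]$DelegatedCredential
    )

    $plain  = New-TemporaryPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    try {
        Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure `
            -Credential $DelegatedCredential -ErrorAction Stop
        Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true `
            -Credential $DelegatedCredential -ErrorAction Stop
        return [pscustomobject]@{ Account = $SamAccountName; Succeeded = $true; TemporaryPassword = $plain }
    }
    catch {
        # An account without the Reset Password right on this object lands here
        # ("Access is denied" / "Insufficient access rights"), exactly as it
        # would if it clicked Reset Password in any console, custom or not.
        Write-Warning ("Reset of {0} as {1} failed: {2}" -f $SamAccountName,
            $DelegatedCredential.UserName, $_.Exception.Message)
        return [pscustomobject]@{ Account = $SamAccountName; Succeeded = $false; TemporaryPassword = $null }
    }
}

# Usage: audit who can reset passwords under the OU, then exercise the right.
Get-ResetPasswordHolders -OuDn $ouDn | Format-Table -AutoSize
$helpDesk = Get-Credential -Message 'Delegated Help desk account (placeholder)'
Reset-DelegatedPassword -SamAccountName 'jdoe' -DelegatedCredential $helpDesk
```

Run the audit before you deploy a console: if a trustee appears that shouldn't, no console setting will take the right away, and if the Help desk group is missing, no console setting will supply it.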
Create a New Console and Customize the View
To build a custom password-reset MMC console, select Run from the Start menu and type mmc.exe. When you open MMC this way, it displays a new, empty console in author mode, as Screen 2 shows. Author mode lets you create, or author, new MMC consoles. MMC's other mode, user mode, prevents users from permanently changing the console. When you double-click a saved console, it opens in the mode you set in its options before saving it; you'll set this console to user mode near the end of the procedure, so when you deploy your custom password-reset console to your users, they can't inadvertently modify it. The Active Directory Users and Computers snap-in provides password-reset functionality, so the next step is to add this snap-in to the console.
From the Console menu, click Add/Remove Snap-in and click Add. Double-click Active Directory Users and Computers, click Close, and click OK. Maximize the console window inside the outer MMC window. With the snap-in loaded, you'll see your domain's organizational units (OUs) in the tree pane on the left and the current OU's contents in the details pane on the right, as Screen 3 shows. Currently, every type of object displays, including computers, printers, and groups. To reset passwords, the Help desk staff or delegated users need to see only user objects, so let's limit the details pane accordingly. In the tree pane, select the snap-in you just loaded and click View/Filter options to open the Filter Options dialog box. Click Show only the following types of objects, and select Users. When you click OK, you'll see that the details pane now filters out everything except user objects.
It's important that you require your Help desk staff or delegated users to verify the identity of a caller to make sure password resets aren’t "socially engineered." Many companies simply have the support staff call the user back at his or her office number and record the temporary password in the user’s voicemail. I view this method as having weaknesses, but if this is your company’s policy, you can further simplify the task by changing the detail pane’s columns to display user logon name, employee name, phone number, and department. This information will aid the staff in quickly finding the right account and then delivering the temporary password to the user’s voicemail. Click View/Choose columns to open the Modify Columns dialog box. Remove all current columns (e.g., Name, Type, and Description), add the desired fields, and click OK, as Screen 4 shows.
Using a Taskpad View
At this point, to reset a password, the Help desk staff or delegated users would need to navigate to the correct user, right-click that user's name, and select Reset Password. Although this process isn't hard, you can make it even easier. MMC's taskpad view lets you display shortcuts for common tasks directly in the console instead of making users learn the context menu. In the tree pane, select an OU in your domain that contains some users. Right-click that OU and select New Taskpad View to open the New Taskpad View Wizard. For this example, you can accept the defaults, so click Next three times until MMC asks for the taskpad view's name. Enter "Password Resets," click Next, and click Finish to create your taskpad view. MMC automatically starts the New Task Wizard; click Next. Notice that you can create task shortcuts for menu commands, shell commands, or switching to a different view. Click Menu command and click Next to display the wizard's Shortcut Menu Command page. Make sure that the command source drop-down list is set to List in details pane. This setting tells MMC to base the Available Commands list on the details pane, which at this point shows only user-account commands. Select Reset Password and click Next twice to accept the default name for the task. Next, MMC asks you to select an icon; choose one appropriate to the task, such as the set of keys. Finally, click Next and then click Finish. Your taskpad view is now complete. Notice how the details pane has changed, as Screen 5 shows. Now when you select a user account, MMC enables the Reset Password shortcut, which, when clicked, takes you directly to the Reset Password dialog box.
Remove Unnecessary Clutter
At this point, you're almost through; you just need to clean up the MMC console and get rid of any distracting or unnecessary options. First, right-click your domain in the tree pane and select New Window from Here. This step creates a new console window in which the tree starts at the root of the domain. If your Help desk staff or delegated users should handle resets only for users in a specific branch of your OU hierarchy, select that OU instead and use New Window from Here so the console shows only that part of the domain. Remember that this limits only what they see; their actual authority comes from the permissions you delegated on that OU. Next, you need to close the console window you opened earlier. To do this, click the Window menu on the outer MMC parent window, select the first window, and close it. Next, you probably want to get rid of unnecessary items such as menu bars and toolbars. Select Customize from the View menu, and leave all options unchecked except Console tree. Finally, you need to set the default mode for this console to prevent unwanted changes. Select Options from the Console menu, specify a name for the console such as "Help Desk – Password Resets," and set the console mode to User mode – limited access, single window. Check Do not save changes to this console and make sure Allow users to customize views is unchecked. Click OK to close the dialog box.
Screen 6 shows your completed custom MMC console. You can now save it by selecting Save from the Console menu. The only thing left to do is to decide how to distribute your new console to your users. One of the simplest methods is to email a copy of the .msc file to users and instruct them to drag it to their Start menus. Remember, although you can restrict which options appear in an MMC console, those restrictions don't prevent users from reaching the same function by other means; only Win2K's underlying rights and permissions control what users can do. However, MMC consoles are important to security because they facilitate the delegation that is crucial to getting a handle on the many chores of keeping a network secure.