Section 6.4. Creating the Console Scope

6.4. Creating the Console Scope

Max is now ready to create the custom console scope:

1. Start by navigating to the Console Scopes object under the Administration node in the Administrator console.

2. Right-click to bring up the context menu.

3. Select Create a New Console Scope.

This launches the Create Console Scope wizard. The information required is: a name for the scope, the computer groups to include in the scope, and the user accounts (not user groups) to associate with the scope.

• Give the scope a name, such as "Remote Office Admins Operators Console Scope," and a description such as "This Operator's console scope is being created for use by the Remote Office administrative staff. It will contain only the remote office servers."

• Add the desired computer group to the scope by clicking the Add button, which brings up the page shown in Figure 6-6. Listed here are all of the computer groups in the management group.

  Figure 6-6. Select the LKF Remote Office Servers computer group to include it in this console scope

  

  For the purposes of this scope, only the LKF Remote Office Servers computer group is selected, yielding the computer group selection shown in Figure 6-7.

• The Has All Computer Groups checkbox is selected by default for the MOM User, MOM Author, and MOM Administrator console scopes. For this scope, Max deselects this option.

• This brings up similar pages for adding user accounts to the console scope. The pages used to add the user accounts look different (see Figure 6-8). This is because they differ from the normal object picker used to add user accounts to a group. In MOM 2005, only the domain and account username text string is used to associate an account with a console scope, not the accounts Security Identifier (SID). Console scopes cannot be used to enforce security for individuals whose accounts have rights to MOM.

Figure 6-7. Including the LKF Remote Office Servers computer group in the Remote Office Admins Operators Console scope

Figure 6-8. Naming user accounts to associate with the console scope

For example, the account chrisf (Christian Fowler) has MOM User rights via group membership and is associated with console scope A. If the chrisf (Christian Fowler) account is deleted, then it is removed from the MOM Users group but not from the scope definition. Another chrisf (Chris Fox) account could require MOM User access to more than scope A. Since console scope association is performed by account name evaluation only, the new chrisf (Chris Fox) account would, by default, be assigned the scope A console scope that was assigned to chrisf (Christian Fowler) even though they are two entirely different people.

Console scopes are useful only for filtering the computer groups that an Operator console user sees by default. As long as you stick to this use of console scopes, you won't get into trouble. If you need to provide a hard security boundary around the computer groups in the Operator console, you have to create an additional management group and multi-home selected computers into the second group. The next step is to grant MOM permissions to the second management group for the desired accounts and deny them access to the first management group. This is not very cost-effective, but it works.

Leaky Faucet adds the LKFRemoteSiteAdmin1, 2, and 3 accounts to this console scope (see Figure 6-9).

Figure 6-9. All the accounts associated with the custom console scope

Moving onto the next page finishes the wizard and the configuration is complete. Now, whenever any of the LKFRemoteSiteAdmin1, 2, or 3 accounts launch the Operator console, this console scope will appear by default. It cannot be changed and only data from the homesrv02 and homesqlserver computers will be seen (see Figure 6-10).

Figure 6-10. Applied remote office console scope to logged-on LKFRemoteSiteAdmin3 user

Computer groups that belong to a scope can be used as filters . It is in this context that console scopes really shine. The next section demonstrates a specific methodology for building Operator console filters, and computer groups are a big part of that. Although the Operator console has a complex interface, following this three-step method will allow you to get the information with as little confusion as possible.