6.4. Creating the Console ScopeMax is now ready to create the custom console scope:
This launches the Create Console Scope wizard. The information required is: a name for the scope, the computer groups to include in the scope, and the user accounts (not user groups) to associate with the scope.
Figure 6-7. Including the LKF Remote Office Servers computer group in the Remote Office Admins Operators Console scopeFigure 6-8. Naming user accounts to associate with the console scopeFor example, the account chrisf (Christian Fowler) has MOM User rights via group membership and is associated with console scope A. If the chrisf (Christian Fowler) account is deleted, then it is removed from the MOM Users group but not from the scope definition. Another chrisf (Chris Fox) account could require MOM User access to more than scope A. Since console scope association is performed by account name evaluation only, the new chrisf (Chris Fox) account would, by default, be assigned the scope A console scope that was assigned to chrisf (Christian Fowler) even though they are two entirely different people. Console scopes are useful only for filtering the computer groups that an Operator console user sees by default. As long as you stick to this use of console scopes, you won't get into trouble. If you need to provide a hard security boundary around the computer groups in the Operator console, you have to create an additional management group and multi-home selected computers into the second group. The next step is to grant MOM permissions to the second management group for the desired accounts and deny them access to the first management group. This is not very cost-effective, but it works. Leaky Faucet adds the LKFRemoteSiteAdmin1, 2, and 3 accounts to this console scope (see Figure 6-9). Figure 6-9. All the accounts associated with the custom console scopeMoving onto the next page finishes the wizard and the configuration is complete. Now, whenever any of the LKFRemoteSiteAdmin1, 2, or 3 accounts launch the Operator console, this console scope will appear by default. It cannot be changed and only data from the homesrv02 and homesqlserver computers will be seen (see Figure 6-10). Figure 6-10. Applied remote office console scope to logged-on LKFRemoteSiteAdmin3 userComputer groups that belong to a scope can be used as filters . It is in this context that console scopes really shine. The next section demonstrates a specific methodology for building Operator console filters, and computer groups are a big part of that. Although the Operator console has a complex interface, following this three-step method will allow you to get the information with as little confusion as possible. |