Lesson 4: Creating Support Tools

There will always be a need for support tools. Some will be required to perform post-migration tasks, while others will be used after the migration. For example, you might create system management tools for use by managers who have had control of parts of the system delegated to them. In this lesson, you'll learn how to build support tools for use in the post-migration phase.


After this lesson, you will be able to

  • Configure the Microsoft Management Console to create a custom environment for an administrator.

Estimated lesson time: 20 minutes


Building Custom MMC Tools

Microsoft Management Console acts as a container for a set of tools known as snap-ins. Each snap-in addresses a particular management issue. All the graphical administrative tools you've used so far are implemented in this way and work within the MMC framework. Each tool can be used in isolation or combined with others to create a custom configuration for a specific set of tasks. The MMC standard is an open one so that third-party vendors can create tools to work as MMC snap-ins. One third-party example is the Domain Migration Administrator from NetIQ.

When creating custom MMC tools, you run MMC in author mode. This gives you full control of the MMC and allows you to control the range of activities that can be performed with the tools you include in the custom set. You can then save and distribute the custom MMC to support staff and limit the mode of its operation to user mode, which doesn't allow modification to the tool set. If necessary, you can also restrict the user to a particular view within the snap-in. An MMC configuration is saved as a file that can be assigned an ACL so that you can further control who can access the tool.

Selecting MMC Configurations

It's important to choose the range of tools to precisely match the needs of the support person in question. The activities to be performed and the tools to be used should have been planned as part of the migration strategy. It might also be necessary to plan the deployment of tools to be used by the staff performing the actual migration.

Practice: Creating a Custom MMC

In this practice, you'll create a custom tool that allows the administration of the particular OU you set up previously. You'll set up a tool that allows the Mig1 user to administer the Finance OU.

  1. On TRAINKIT1, log on as Administrator with the password secret.
  2. Open Run from the Start menu, type mmc, and press Enter.

    You're now going to add the Active Directory Users And Computers tool as a snap-in and then save it as a custom tool for the Mig1 user, a support person to whom you want to delegate a limited degree of control over the Finance OU.

  3. Press Ctrl+M to open the Add/Remove Snap-In dialog box.
  4. Click the Add button.
  5. From the list of snap-ins, select Active Directory Users And Computers and then click Add, followed by Close.
  6. Click OK to close the Add/Remove Snap-In dialog box.

    The Console Root window should now contain the Active Directory Users And Computers snap-in.

  7. Click the Maximize Window button in the Console Root window so it expands to fill the Console window.
  8. Expand the tree hierarchy to the Finance OU and select Finance so that the Finance users are displayed in the right pane.
  9. Right-click Finance and select New Window From Here on the shortcut menu.

    The Finance OU should now appear as the root of the tree in the left pane, and its users should appear in the right pane. Now you're going to limit the abilities of the user to this view of the snap-in.

  10. From the Console menu, select Options.

    The Console Options dialog box appears.

  11. In the top text box, type Finance Password Tool.
  12. In the Console Mode list box, select User Mode—Limited Access, Single Window.
  13. Be sure the three check boxes at the bottom of the dialog box are clear. When the settings match those in Figure 10.11, click OK.

    Figure 10.11 Setting console options for a custom MMC

  14. To save the console, ensure that it's selected by clicking the Finance OU or a user name in the right pane, and then select Save from the Console menu.
  15. Save the console in the Tools folder with the name Mig1util and close the console.
  16. If a message appears asking if you want to continue, click Yes. If you're asked to save the console again when you close MMC, repeat the save sequence once more.
  17. Set security for the new tool by opening the Tools folder in My Computer, and right-click Mig1util.
  18. Select Properties from the shortcut menu and then click the Security tab.
  19. Clear the check box option Allow Inheritable Permissions at the bottom of the dialog box and click Copy in the message box that appears.
  20. Click the Add button and select Mig1. Click Add and then click OK to close the dialog box.
  21. Select the Everyone group and click the Remove button. Remove any other entries other than Mig1.

    The dialog box should now look like the one shown in Figure 10.12. Click OK to close the dialog box.

    Figure 10.12 Controlling access to Mig1util

  22. Log off as Administrator and then log back on as Mig1 with the password secret.
  23. Open My Computer and navigate to the Tools folder.
  24. Double-click the Mig1util tool and note that you now have a custom tool that can be used by Mig1 to change the passwords of users in the Finance OU.
  25. Try disabling the Fin1 account. Were you able to do it?


Also notice that you can't modify the tool because Mig1 is the tool's designated user, not the author.

NOTE


When a tool has been saved in user mode, the Console menu is removed. To revise the tool, you must work in author mode by right-clicking the file in My Computer or Windows Explorer and selecting Author from the shortcut menu that appears.
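
The permission change in steps 17 through 21, scripted in PowerShell together with a check of the result. This is an added example, not part of the original training kit; the path C:\Tools\Mig1util.msc, the EXAMPLE domain name, and the Read & Execute right granted to Mig1 are assumptions.

```powershell
# Added example, not from the training kit. Assumed values are marked.
$ConsolePath = 'C:\Tools\Mig1util.msc'   # assumed location of the Tools folder
$Delegate    = 'EXAMPLE\Mig1'            # assumed domain name (placeholder)

function Set-ConsoleAcl {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Account)

    # Build a fresh DACL rather than editing the existing one, so nothing
    # left over from the parent folder (Everyone, for example) survives.
    $acl = New-Object System.Security.AccessControl.FileSecurity
    # Step 19: block inheritance. $false discards the inherited entries,
    # the same end state as Copy followed by the removals in step 21.
    $acl.SetAccessRuleProtection($true, $false)
    # Step 20: the delegate is the only entry. Read & Execute is assumed.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Get-ConsoleAclFinding {
    param([Parameter(Mandatory)][string]$Path,
          [Parameter(Mandatory)][string]$Account)

    $acl   = Get-Acl -LiteralPath $Path
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write
    if (-not $acl.AreAccessRulesProtected) {
        'Inheritance is still enabled; parent folder entries apply.'
    }
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -ne $Account) {
            "Unexpected entry: $who ($($ace.FileSystemRights))"
        } elseif ($ace.AccessControlType -eq 'Allow' -and
                  (([int]$ace.FileSystemRights -band $write) -ne 0)) {
            "$who can overwrite the console file ($($ace.FileSystemRights))"
        }
    }
}

Set-ConsoleAcl -Path $ConsolePath -Account $Delegate
$findings = @(Get-ConsoleAclFinding -Path $ConsolePath -Account $Delegate)
if ($findings.Count -eq 0) { "OK: only $Delegate is listed on $ConsolePath" }
else { $findings }
```

Because the administrative entries are removed along with Everyone, an administrator who later revises the tool must first add an entry back, which the file's owner can always do.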


Protecting an MMC Tool

When you created the Mig1util tool, you set the console mode to User Mode—Limited Access, Single Window. Limited access means that the user of the tool can't change views to try to manage other items. However, this doesn't restrict the user's ability to author the tool. Even if the tool is stored in a file to which a user has only read access, it will still be possible to open it in author mode, change the tool configuration, and save the modified tool under a new name. The read protection will only prevent the original tool file from being overwritten. The user can potentially snoop around in this way but won't be able to use any of the tools; even so, this is still a potential security risk.

Lesson Summary

In this lesson, you learned how to use the Microsoft Management Console to build custom tools for managing Windows 2000 installations. You saw how these tools can be deployed so that users are restricted to a particular set of actions and views or so that they can be allowed more latitude. You also learned how to secure a snap-in so that it can't be used by all users.



MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
EAN: 2147483647
Year: 2001
Pages: 126
