There will always be a need for support tools. Some will be required to perform post-migration tasks, while others will be used after the migration. For example, you might create system management tools for use by managers who have had control of parts of the system delegated to them. In this lesson, you'll learn how to build support tools for use in the post-migration phase.
After this lesson, you will be able to
Estimated lesson time: 20 minutes
Microsoft Management Console acts as a container for a set of tools known as snap-ins. Each snap-in addresses a particular management issue. All the graphical administrative tools you've used so far are implemented in this way and work within the MMC framework. Each tool can be used in isolation or combined with others to create a custom configuration for a specific set of tasks. The MMC standard is an open one so that third-party vendors can create tools to work as MMC snap-ins. One third-party example is the Domain Migration Administrator from NetIQ.
When creating custom MMC tools, you run MMC in author mode. This gives you full control of the MMC and allows you to control the range of activities that can be performed with the tools you include in the custom set. You can then save and distribute the custom MMC to support staff and limit the mode of its operation to user mode, which doesn't allow modification to the tool set. If necessary, you can also restrict the user to a particular view within the snap-in. An MMC configuration is saved as a file that can be assigned an ACL so that you can further control who can access the tool.
It's important to choose the range of tools to precisely match the needs of the support person in question. The activities to be performed and the tools to be used should have been planned as part of the migration strategy. It might also be necessary to plan the deployment of tools to be used by the staff performing the actual migration.
In this practice, you'll create a custom tool that allows the administration of the particular OU you set up previously. You'll set up a tool that allows the Mig1 user to administer the Finance OU.
You're now going to add the Active Directory Users And Computers tool as a snap-in and then save it as a custom tool for the Mig1 user, a support person to whom you want to delegate a limited degree of control over the Finance OU.
The Console Root window should now contain the Active Directory Users And Computers snap-in.
The Finance OU should now appear as the root of the tree in the left pane, and its users should appear in the right pane. Now you're going to limit the abilities of the user to this view of the snap-in.
The Console Options dialog box appears.
Figure 10.11 Setting console options for a custom MMC
The dialog box should now look like the one shown in Figure 10.12. Click OK to close the dialog box.
Figure 10.12 Controlling access to Mig1util
Also notice that you can't modify the tool because Mig1 is the tool's designated user, not the author.
NOTE
When a tool has been saved in user mode, the Console menu is removed. To revise the tool, you must work in author mode by right-clicking the file in My Computer or Windows Explorer and selecting Author from the shortcut menu that appears.
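The access control applied to the Mig1util file in this practice can also be set and checked from a script. The following is an added example, not part of the original lesson, using PowerShell's Get-Acl and Set-Acl rather than the dialog box shown in Figure 10.12. The file path and the CONTOSO domain are hypothetical placeholders.

```powershell
# Added example. The path and the CONTOSO domain are hypothetical placeholders.
$ConsolePath = 'C:\Tools\Mig1util.msc'
$ToolUser    = 'CONTOSO\Mig1'
$Admins      = 'BUILTIN\Administrators'
$RuleType    = 'System.Security.AccessControl.FileSystemAccessRule'

function Set-ConsoleAcl {
    param([string]$Path, [string]$User, [string]$AdminGroup)

    $acl = Get-Acl -Path $Path
    # Block inheritance and discard inherited entries, so that only the
    # two rules added below apply to the console file.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) {
        [void]$acl.RemoveAccessRule($rule)   # drop existing explicit entries
    }
    # The tool's user can open the file; only administrators can change it.
    $read = New-Object $RuleType -ArgumentList $User, 'Read', 'Allow'
    $full = New-Object $RuleType -ArgumentList $AdminGroup, 'FullControl', 'Allow'
    $acl.AddAccessRule($read)
    $acl.AddAccessRule($full)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-UnexpectedConsoleAccess {
    param([string]$Path, [string]$User, [string]$AdminGroup)

    $write = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $who      = $rule.IdentityReference.Value
        $canWrite = ($rule.FileSystemRights -band $write) -ne 0
        # Report any identity other than the two intended ones, and any
        # write access held by a non-administrator.
        if (($who -ne $User -and $who -ne $AdminGroup) -or
            ($canWrite -and $who -ne $AdminGroup)) {
            $rule | Select-Object IdentityReference, FileSystemRights, IsInherited
        }
    }
}

# Run from an elevated session: apply the ACL, then list anything unexpected.
Set-ConsoleAcl -Path $ConsolePath -User $ToolUser -AdminGroup $Admins
Get-UnexpectedConsoleAccess -Path $ConsolePath -User $ToolUser -AdminGroup $Admins
```

An empty result from the second call means only the tool's user (read) and administrators (full control) can reach the file. The ACL protects the original file only; it doesn't control what a user does with a copy opened in author mode.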
Answers
When you created the Mig1util tool, you set the console mode to User Mode - Limited Access, Single Window. Limited access means that the user of the tool can't change views to try to manage other items. However, this doesn't restrict the user's ability to author the tool. Even if the tool is stored in a file to which a user has only read access, it will still be possible to open it in author mode, change the tool configuration, and save the modified tool under a new name. The read protection will only prevent the original tool file from being overwritten. The user can potentially snoop around but won't be able to use any of the tools. Even so, this is still a potential security risk.
In this lesson, you learned how to use the Microsoft Management Console to build custom tools for managing Windows 2000 installations. You saw how these tools can be deployed so that users are restricted to a particular set of actions and views or so that they can be allowed more latitude. You also learned how to secure a snap-in so that it can't be used by all users.