Create a Delegation Console
When you have to create a custom delegation task, get your structural setup completed and then create a custom console.
Let's say you want regional operators to manage both computers and users in their region. To do so, you create the appropriate Organizational Unit (OU) in Group Policy, copy computer and user accounts and perhaps groups into it, and then delegate permissions to the OU for the regional operators. Remember, it's always better to delegate to a group than to an individual. Use the delegation wizard to do so. Both groups and users are within the default delegation tasks, but for computers, you'll have to create a custom delegation task.
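Before building the console, it helps to confirm what the delegation wizard actually granted on the OU. The following is an added example, not part of the original article: it assumes the ActiveDirectory PowerShell module (which postdates the Windows Server 2003 tools the article describes), and the OU distinguished name and group name are placeholders. It lists the operator group's ACEs on the OU and marks any that grant full control or the right to change permissions or ownership.

```powershell
# Added example. Placeholder names: substitute your own OU and operator group.
$OuDn     = 'OU=Region1,DC=example,DC=com'
$Operator = 'EXAMPLE\Region1-Operators'

Import-Module ActiveDirectory                     # provides the AD: drive
Add-Type -AssemblyName System.DirectoryServices   # ActiveDirectoryRights enum

# Schema GUIDs of the object classes delegated in the article's scenario.
$ClassNames = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a86-0de6-11d0-a285-00aa003049e2' = 'computer'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '00000000-0000-0000-0000-000000000000' = '(any)'
}
function Resolve-ClassName([guid]$Id) {
    # GUIDs not in the table (attributes, extended rights) are shown raw.
    $key = $Id.ToString()
    if ($ClassNames.ContainsKey($key)) { $ClassNames[$key] } else { $key }
}

$Rights     = [System.DirectoryServices.ActiveDirectoryRights]
$GenericAll = [int]$Rights::GenericAll
$AclControl = [int]$Rights::WriteDacl -bor [int]$Rights::WriteOwner

$report = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Operator } |
    ForEach-Object {
        $r = [int]$_.ActiveDirectoryRights
        [pscustomobject]@{
            Type      = $_.AccessControlType
            Rights    = $_.ActiveDirectoryRights
            Object    = Resolve-ClassName $_.ObjectType           # class, attribute or right
            AppliesTo = Resolve-ClassName $_.InheritedObjectType  # class the ACE targets
            Inherited = $_.IsInherited
            # Flag Allow ACEs broader than a regional operator role needs.
            Review    = ($_.AccessControlType -eq 'Allow') -and
                        ((($r -band $GenericAll) -eq $GenericAll) -or
                         (($r -band $AclControl) -ne 0))
        }
    }

if (-not $report) { Write-Warning "No ACEs for $Operator on $OuDn" }
$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Only ACEs that name the group directly are listed; rights the operators receive through other group memberships need a separate check.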
Once your structural setup is done, you can move on to create the custom console. Here's how.
Step 1. Start the console program in authoring mode. Use Start Menu | Run to run the command "mmc /a". This launches an empty MMC.
Step 2. Add the appropriate snap-in to the console. Move to the File menu and select Add/Remove Snap-in. In the Snap-in dialog box, click the Add button. Select the snap-in you require, in this case, Active Directory Users and Computers, then click Close. Many snap-ins include extensions. View the extensions to see if they're required for the group to whom you intend to delegate this console. In this case, deselect all the extensions because they aren't required. Click OK and Save your console, then give it an appropriate name.
Step 3. Next, create a Taskpad view for the console. This allows you to modify the way information is presented to console operators. Select the delegated OU, then the Action menu to choose New Taskpad View Wizard. This allows you to choose the presentation mode of the console. Continue with the Wizard to select the way you want to present information. A horizontal list with no standard tab and Info Tips is usually appropriate. Apply the settings to the selected object only.
Step 4. At the end of the Taskpad View Wizard, launch the New Task Wizard. This lets you give operators access to console commands. Run this wizard as often as needed to create the proper menu commands for both tree item tasks (to find or create user, computer and group objects) and to list details (to modify passwords, add users to groups and so on) in the Command source drop-down list. You can always go back to this Wizard by selecting the OU, using Action | Edit Taskpad View and clicking on the Tasks tab.
Step 5. To set the focus for this console, select the object to delegate, in this case the regional OU. Right-click it and select New Window from Here. This will create a new window that displays only the appropriate information for console users. Close the original window so that only this window is available, using the Window menu. To set the view options for this window, move to the View menu and select Customize. Deselect all items you deem unnecessary for console operators. Click OK when done.
Step 6. To customize the console, move to the File menu and select Options. Type in a console description, assign a new icon—the Shell32.dll file contains several icons that can be used to customize MMCs—and determine the console operation mode. There are four console operation modes:
- Author mode
- User mode, full access
- User mode, limited access, multiple windows
- User mode, limited access, single window
For single-purpose consoles like this one, the last setting is appropriate. Also deselect the Allow the user to customize views option. Save the console again when done.
Step 7. Test the console to ensure it operates as designed. To do so, close it and reopen it in operation mode—as opposed to authoring mode—by double-clicking on its icon.
Step 8. Deploy the finished console. The best way to distribute consoles is through Terminal Services because only one installation of the snap-in is required on the hosting server. Remember that for this console to work, the Active Directory administration tools for Windows Server 2003 must be installed on the hosting server.