Custom MMC/Taskpad issues

Discussion in 'Active Directory' started by Matt, Jul 31, 2006.

  1. Matt

    Matt Guest

    I have created a custom mmc (based on ADUC) for my 'super' (and I use that
    phrase lightly!) users at remote sites to provide them with the ability to
    reset passwords and unlock accounts.

    I have created the taskpad and delegated the permissions for the relevant
    OU. I have tested it and it has the functionality that is required.

    However I have two questions:

    1. If the delegated user right-clicks on a blank part of the taskpad and
    selects View -> Advanced Features, they receive a few Script errors, but then
    it opens up Active Directory Users and Computers with the full Domain
    structure. They still cannot do anything that I don't want them to do as
    they have only been delegated limited rights on their own OU. However, it
    does allow them to browse the Domain structure and allow them to see what OUs,
    domain admins are in etc and what the usernames are. I may be being a bit
    over cautious, as they are unlikely to do this, but is there any way I can
    stop them from doing it? When I saved the MMC I did so as 'User Mode -
    Limited Access - single Window'.

    2. I don't really want the delegated users to be local admins of their PCs.
    Is there a recommended (best practice way) of installing the necessary tools
    and applying permissions? I already know how to install just ADUC, and I
    have also removed the shortcut, but if the user is determined they can browse
    to %system32%\dsa.msc and open it, therefore bypassing the taskpad. I would
    like to try and restrict/limit this happening.

    Thanks in advance.
    Matt, Jul 31, 2006

  2. Matt

    Jorge Silva Guest

    By default the users have read access to AD.
    For taskpads check:
    To restrict the access to dsa.msc you can use software restrictions policy,
    however you should have a good understanding of the GPO behavior:;en-us;324036

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Jul 31, 2006

  3. Matt

    Matt Guest

    Hi Jorge,

    Thanks for the response. I have already read the
    and this does not answer the question. I have also downloaded the MS Best
    Practice article. It is quite a weighty document but I haven't found what I
    need. I know that by default users have Read access to AD. However, if
    I create a custom task pad and save it as 'User - Limited access, single
    Window', I would expect it to remain as the Window that I save (in this case,
    just the OU that the delegated user is administering). However, you save the
    mmc/taskpad with this restriction but a simple right-click and View ->
    Advanced Features and suddenly the window opens ADUC with the full domain
    structure. I don't want the users to be able to do this.

    Matt, Jul 31, 2006
  4. Matt

    Jorge Silva Guest

    Hi Matt

    When you're creating the mmc, go to File -> Options -> Console -> select
    Console Mode: User Mode - limited access, single window
    Select -> "Do not save changes to this console"
    Deselect -> "Allow the user customize views"

    Then go to View -> Customize, remove the option standard menus (action and
    view). Note the option advanced view is still listed when the user
    right-clicks on the OU; however, if you select that option the console stays
    blank and doesn't show the domain.

    Because the Action menu might have some important options for the user, you
    should create them using the option "New Taskpad View Wizard" and create the
    necessary menus for the user to do his work.

    Let me know if it helped
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Jul 31, 2006
  5. Matt

    Matt Guest

    Hi Jorge,
    I had already created my custom mmc in the way that you suggested. On the
    View->Customize menu, I had actually deselected everything. However, if the
    user right-clicks on a blank part of the custom mmc and selects Advanced
    Options, he/she is presented with the following error a number of times. By
    clicking yes or no, the window eventually displays the Domain structure from
    the root, which is what I am trying to avoid.

    Internet Explorer Script Error
    An error has occurred in the script in this page
    Line: 116
    Char: 4
    Error: Unspecified error
    Code: 0
    URL: -mmc{915C64B3-16D8-4219-8F08-0B388B9A5DF7}
    Do you want to continue running scripts on this page?

    You said that if you select the Advanced option on the right-click that "the
    console stays blank and doesn't show the domain".

    This doesn't seem to be my experience?

    Matt, Aug 3, 2006
  6. Matt

    Jorge Silva Guest

    Can you describe step by step how you're creating the mmc console?

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Aug 3, 2006
  7. Matt

    Matt Guest

    This is my process for creating the Taskpad in question.

    1. Open up the MMC in author mode
    i.e. mmc /a
    2. Add the ADUC snap in
    3. Right Click (RC) on the OU that I want and select 'New Taskpad View'
    4. Select the defaults and create two Menu Commands (Refresh and Rest
    5. RC on the OU and select 'New Window from here'
    6. From the Window menu, select 1. Console Root\ADUC... and close it,
    leaving the OU window as the only window
    7. View -> Customize and deselect everything
    8. File -> Options
    Enter a name for the console
    Select 'User mode- limited access, single window'
    Select 'Do not save changes to this console'
    Deselect 'Allow the user to customize views'
    9. File -> Save As (and save the file)
    10. Close the mmc

    Then when I open it as the user with delegated rights, I get the issue
    explained in previous posts.

    Thanks for your help.
    Matt, Aug 3, 2006
  8. Matt

    Jorge Silva Guest

    Jorge Silva, Aug 3, 2006
  9. Matt

    Matt Guest

    Yeah, it's an odd one. When I looked I had Win2003 Adminpack and Win2003Sp1
    AdminPack installed (which I know is bad practise) so I uninstalled both and
    then installed just Win2003Sp1 AdminPak but I still have the same problem.
    My PC, IE and antivirus are fully patched and up to date.

    Matt, Aug 4, 2006
  10. Matt

    Jorge Silva Guest

    Just guessing, try to lower the IE settings and to disable the Antivirus/FW,
    then try again.

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Aug 4, 2006
  11. Matt

    Matt Guest

    Thanks for your help and sorry for the slow response. Lowering the IE
    settings and disabling the antivirus has no effect. The firewall is turned
    off already by Group Policy.
    Matt, Aug 14, 2006