Mostly, though, it grows organically until no one knows what the hell is going on, who is in what group, or who has access to what data. This can be a real issue and can cause a lot of embarrassment for IT if not handled correctly.
I'm not going to cover every aspect in this "solution" but rather just one small piece that can make a big difference later down the road. What I'm leading towards is custom MMCs. What are those, you ask?
Well, when you open ADUC (Active Directory Users & Computers), or WINS, or DNS, or any management interface in Windows, you are looking at an MMC (Microsoft Management Console).
You can create custom MMCs and save them for your own use or pass out to your customers (end users). So the way this can help you manage Security Groups is this: let's say you have around 1000 groups (this is very common even in small companies), or however many. Some of them may have dozens or even hundreds of users in them and/or they have access to sensitive data, and you are getting requests daily to change membership.
This can add a lot of work to your day and if you do not manage the group membership correctly it could possibly get you into a lot of trouble. Also the manager of the group or data has to wait for you to get around to servicing their requests to update the group.
So you talk with the manager of the group that uses the data and give them a solution. You say something like "I have a way that you can completely control access to your data and you can have your changes made instantly without waiting for your service request to be completed." Then you show them a custom MMC. You create it so that when they open it up they only see their group, the one they can manage. Then they can make changes on their own to the group.
This is a win-win solution:
- They get their request serviced instantly because they can complete it themselves.
- They control access to the group themselves, removing you from the equation and with it your responsibility for any "wrong" or "not allowed" individuals being in the group.
- You don't have to constantly be bothered with lots of mundane requests to change groups, freeing you up for more important work.
So that's my 2 cents. I have used this method very successfully in the past. You will always have to manage some or most of the groups. But you can hand off the "problem children" with this method.
I will address other processes related to managing groups in later articles, but now on to creating a custom MMC...
Open your Run command, type "mmc" and click "OK".
An mmc (Microsoft Management Console) like the one below will open.
Click File -> "Add/Remove Snap-in..."
A dialog like the one below will open. Click the "Add" button.
From the available list choose "Active Directory Users and Computers".
NOTE: If you don't have ADUC installed on the computer you are building this on, it will not show up in the list.
Cool, now it's there in the list. Click "OK".
Click on "View -> Filter Options..."
Click the radio button "Create custom filter:", then click on "Customize".
From the filter options window click on "Field", then choose "Group -> Name".
Now type in the name of the group you want to see in the list, then click "Add".
Once you see your filter query in the bottom box, click "OK".
Now you should see the group show up in your custom mmc. There should be no other groups there.
NOTE: In the filter you can just type the first few characters and get several groups to show up or you can add several queries for multiple groups.
Now click on "View -> Customize..."
Uncheck everything except for "Status bar".
The custom MMC should look like the example below (with your own group in there of course).
Now click on "File -> Save As..."
Name the MMC something relevant to your application and save it somewhere you can find it.
That's it! You have created a custom MMC. You can copy it to any workstation, and when your user opens it up they will be able to manage the security group without bothering you. Sweet!
NOTE: You will need to open the properties of the group in ADUC and make the user you give this to the "manager" of the group, as shown below.
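The same hand-off done in PowerShell, as an added example that is not part of the original article (ActiveDirectory module assumed; group and user names are placeholders): it sets Managed By and adds the membership-write permission that ADUC's "Manager can update membership list" checkbox creates, because Managed By on its own grants no rights. It also includes an audit function that lists every group with a manager and who can write its member list, so hand-offs that were never revoked are caught.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module (RSAT)
# and rights to edit the group's ACL. Group and user names below are placeholders.
Import-Module ActiveDirectory
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of 'member'

function Grant-GroupMembershipManagement {
    param([Parameter(Mandatory)][string]$Group,
          [Parameter(Mandatory)][string]$Manager)
    $grp = Get-ADGroup -Identity $Group
    $usr = Get-ADUser  -Identity $Manager
    # Managed By is informational only; on its own it grants no rights on the group.
    Set-ADGroup -Identity $grp -ManagedBy $usr.DistinguishedName
    # The actual delegation: WriteProperty on the 'member' attribute and nothing else,
    # so the manager can edit membership but not rename, delete or re-ACL the group.
    $path = "AD:\$($grp.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.SecurityIdentifier]$usr.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttrGuid)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Get-GroupMembershipDelegation {
    # Audit: every group with a manager set, and every principal allowed to write
    # 'member' on it. Run periodically to catch hand-offs that were never revoked.
    Get-ADGroup -Filter 'managedBy -like "*"' -Properties managedBy | ForEach-Object {
        $g   = $_
        $acl = Get-Acl -Path "AD:\$($g.DistinguishedName)"
        $writers = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.ObjectType -eq $MemberAttrGuid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
        } | ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Group         = $g.Name
            ManagedBy     = $g.managedBy
            MemberWriters = ($writers -join '; ')
        }
    }
}

# Usage (placeholder names): hand off the finance share group to its manager, then audit.
Grant-GroupMembershipManagement -Group 'FIN-SharedDrive-RW' -Manager 'jdoe'
Get-GroupMembershipDelegation | Format-Table -AutoSize
```

Any group that shows a MemberWriters entry the audit does not expect is one where the hand-off needs revisiting, since whoever can write 'member' controls access to the data behind the group.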