How can I easily perform management operations in AD from a customized Taskpad?
As your AD infrastructure grows, and the number of objects within it constantly changes, you might find that managing the growing number of users, groups and computers is becoming more than a headache. Fortunately for us, one of Active Directory’s best features is the ability to delegate administrative control over specific objects to lower-level administrators.
You can read more about the administrative tasks delegation in an article that will be published shortly.
In this article I’ll show how to create a custom tool (called Taskpad) from the Active Directory Users and Computers snap-in, and how to use this custom tool to ease some of your daily user management tasks.
Let’s assume that your organization has an AD domain with several thousand users. This domain consists of several distinct divisions or departments. You have already created the right OU (Organizational Unit) structure, and have already placed the right user accounts, groups and computers in their respective OUs.
We will also assume that one user named David will be responsible for managing all the user objects within the Sales OU. Other users might be responsible for other management tasks (such as adding computer objects, controlling Group Policy Objects or managing group membership), but for now let us concentrate on David.
This is what your AD domain structure looks like:
Note: This is only an example. You should use your own OU structure, based upon management and GPO functionality considerations.
To create a custom MMC Taskpad for AD Users management
- Click Start > Run, type MMC and press Enter.
- In the new MMC window, click File > Add/Remove Snap-in.
- In the Add/Remove Snap-in window click on Add.
- In the Add Standalone Snap-in window, click on Active Directory Users and Computers and then click on the Add button.
- Back in the MMC window, click to expand the AD domain, and browse to the required OU (in this case Corp > Sales). Right-click on the OU and select New Taskpad view.
- In the Welcome screen click Next.
- In the New Taskpad wizard page customize the view you want to retain. You can select various sizes for the display, and other options related to the button captions and so on. When done, click Next.
- In the Taskpad Target window leave the default setting and click Next.
- In the Name and Description window type any name and description you want to appear in the Taskpad view. Click Next.
- In the Completing wizard page make sure that the Start New Task Wizard checkbox is selected and click Next.
- In the Command Type window leave the Menu Command selection and click Next.
- In the Shortcut Menu Command window notice how each right-click action associated with a user object is available for selection in the right-hand side window. Note that you do NOT need to select a specific user account on the left-hand side window, but in order for the right-click option to be available, you do need to select any one of the available user accounts. I usually build one or two fake user accounts just for this purpose, and when I’m done with the Taskpad creation, I delete those accounts.
In this step I’ve chosen the Properties task, but you can choose your own tasks.
Note that although all right-click tasks are available for you to choose from, creating a task at this stage will not give the user who is supposed to use this Taskpad any additional permissions on the objects. For example, if I choose New > Group from the available tasks and the user who is going to use this tool does NOT have the permission to create a new group in the Sales OU, he or she will NOT see the task button, although I’ve specifically added it to the task buttons.
When done click Next.
- In the Name and Description window type or modify the needed info and click Next.
- In the Task Icon window browse to find the most appropriate icon (or add your own) and click Next.
- In the Completing the task wizard page select the Run this wizard again checkbox and click Finish.
- You will now have the option to re-run the wizard. Follow steps 10-12 and select the next task to add to the Taskpad.
This time I chose Delete.
Follow steps 13 to 14 and re-run the wizard.
Here are some of the options available:
- In order to add the Enable Account option, we first need to manually disable one of the available user accounts; the Enable Account option will then be available to choose:
- For other options, such as Find and Refresh, we will first need to configure the Command Source as Tree Item Task. Then the Find and Refresh options will become available.
- You can also follow the same steps as before, but this time choose Shell Command in the Command Type window.
- Here you can add any command or batch file you want. For example, here is a command that will cause a Ping window to appear, pinging your DC:
- You can also add a Command Prompt window:
- And a command that will cause your DC to replicate with other DCs (this can be easily accomplished by using the REPADMIN command in a batch file).
- When finished adding all the required tasks and buttons, click Finish and look at what we’ve done:
Notice how the original tree display is still visible. We will fix this right away.
- Click on the View menu, then select Customize.
- In the Customize View window clear all checkboxes. Click OK. Notice how all menus and the tree display have vanished.
- Now, we need to customize the tool’s icon and settings before we save it. On the File menu click Options.
- In the Options menu give the Taskpad a good descriptive name and change the icon if you want. Also, in the Console Mode list, select User Mode – Limited Access, Single Window. Next, select the Do Not Save Changes checkbox, and clear the Allow the User to Customize Views checkbox. Click OK.
- Next, save the Taskpad anywhere you want. You can also send the Taskpad (which is in fact an .MSC file) by mail to the user responsible for the management of the OU. However, remember that this user must also have the AD Users & Computers snap-in installed on his or her computer. See Extract Specific Tools from Adminpak.msi for more info.
Now let us test the Taskpad:
- Click on the saved Taskpad and run it.
- You will notice how the list of users is found on the right, and the list of available tasks is on the left. See how the available tasks and buttons change as you click on various objects. For example, when you click on a disabled user account, the Enable button will appear:
When you click on Find, a Find dialog box appears:
and when you click on User, a new user dialog box appears:
In conclusion, Taskpad views are powerful add-ons to the administrator’s arsenal, and can be used in various scenarios. Remember that the Taskpad view is not limited to the AD Users & Computers snap-in, but can be used in virtually any available snap-in. Also, do NOT rely on the Taskpad’s available buttons to prevent a user from doing harm. The buttons only expose actions the user’s permissions already allow, and the same user can reach those objects with any other tool. Use a good permission strategy to protect your resources, and only use the Taskpad as a method of easing your administrative burden, not as a security measure.
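Because the OU's ACL, not the Taskpad, decides what David can do, it is worth checking what that ACL actually grants him. The following PowerShell is an added example, not part of the original article: `Get-DelegateExposure`, the `CORP\David` and `CORP\Helpdesk` identities, the sample ACEs and the OU distinguished name are all constructed for illustration.

```powershell
# Added example, not from the original article. CORP\David, CORP\Helpdesk and the
# sample ACEs are constructed; live input comes from the commented Get-Acl lines.
$AllClasses = [guid]::Empty.ToString()
# Rights that let the holder change permissions or ownership, whatever the Taskpad shows.
$ControlRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

function Get-DelegateExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Ace,       # ACEs from the OU's ACL
        [Parameter(Mandatory)] [string[]] $Identity   # delegate plus their groups
    )
    foreach ($a in $Ace) {
        if ("$($a.IdentityReference)" -notin $Identity) { continue }
        if ("$($a.AccessControlType)" -ne 'Allow')      { continue }
        $rights  = "$($a.ActiveDirectoryRights)" -split ',\s*'
        $finding = 'Scoped delegation'
        if ($rights | Where-Object { $_ -in $ControlRights }) {
            $finding = 'Can take control of objects'
        }
        elseif ("$($a.ObjectType)" -eq $AllClasses -and
                ($rights | Where-Object { $_ -in 'CreateChild', 'DeleteChild', 'WriteProperty' })) {
            $finding = 'Not limited to one object class or attribute'
        }
        [pscustomobject]@{
            Identity  = "$($a.IdentityReference)"
            Rights    = $rights -join ', '
            Inherited = [bool]$a.IsInherited
            Finding   = $finding
        }
    }
}

# Constructed sample ACEs shaped like ActiveDirectoryAccessRule objects.
$userClass = 'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the user class
$sample = @(
    [pscustomobject]@{ IdentityReference = 'CORP\David'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'CreateChild, DeleteChild'; ObjectType = $userClass; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'CORP\David'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'GenericAll'; ObjectType = $AllClasses; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'CORP\Helpdesk'; AccessControlType = 'Allow'
        ActiveDirectoryRights = 'WriteProperty'; ObjectType = $AllClasses; IsInherited = $false }
)
Get-DelegateExposure -Ace $sample -Identity 'CORP\David' | Format-Table -AutoSize

# Live use (assumes the ActiveDirectory module; the OU DN is a placeholder):
# Import-Module ActiveDirectory
# $acl = Get-Acl 'AD:\OU=Sales,OU=Corp,DC=example,DC=com'
# Get-DelegateExposure -Ace $acl.Access -Identity 'CORP\David'
```

With the sample data, the first entry is reported as scoped delegation and the inherited GenericAll entry is flagged, which is the kind of grant a Taskpad with only a few buttons would hide.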