Microsoft Management Console - Overview
Microsoft® Management Console (MMC) is an extensible common presentation service for management applications. MMC is included in the Windows® 2000 operating system. This paper introduces MMC and provides an overview of the MMC user interface and the MMC architecture. It also explains the concept of management snap-ins and how they relate to the console.
Microsoft® Management Console (MMC) is an ISV-extensible, common presentation service for management applications. MMC is included in the Windows® 2000 operating system, and will also run on the Windows NT® 4.0, Windows 95, and Windows 98 family of operating systems.
MMC provides a common host environment for snap-ins, provided by Microsoft and third party software vendors. Snap-ins provide the actual management behavior; MMC itself does not provide any management functionality. The MMC environment provides for seamless integration between snap-ins.
Administrators and other users can create custom management tools from snap-ins, created by various vendors. Administrators can then save the tools they have created for later use, or for sharing with other administrators and users. This model provides the administrator with efficient tool customization, and the ability to create multiple tools of varying levels of complexity for task delegation, among other benefits.
MMC is the result of the effort at Microsoft to create better tools to administer Windows-based systems. The Windows administration development team defined a common host for many of its own management tools. The MMC project's goal is to support simplified administration through integration, delegation, task orientation, and overall interface simplification—all key customer requirements.
As Microsoft addressed that goal, it increased the project's charter to include all Microsoft administration tools, and to offer this generalized framework for management to its many software vendors as well. MMC is an essential part of the Windows management services strategy, discussed later in this paper. Most Microsoft development groups will use MMC for future management applications.
What is MMC?
MMC is a Windows-based multiple document interface (MDI) application that heavily uses Internet technologies. Both Microsoft and ISVs extend the console by writing MMC snap-ins, which perform management tasks.
The MMC programmatic interfaces permit the snap-ins to integrate with the console. These interfaces deal only with user interface extensions—how each snap-in actually performs tasks is entirely up to the snap-in. The relationship of the snap-in to the console consists of sharing a common hosting environment, and cross-application integration. The console itself offers no management behavior. Snap-ins always reside in a console; they do not run by themselves.
Both Microsoft and third-party software vendors can develop management tools to run in MMC, as well as write applications to be managed by MMC administrative tools. MMC is part of the Microsoft Platform Software Development Kit (SDK) and is available for general use. For more information, see the Microsoft Platform SDK on the Microsoft Developer Network Web site.
The next section briefly discusses Windows management services and how MMC fits into the management model.
Windows Management Services and MMC
Windows management services are provided as a standard part of the operating system. Together, these services act as the management infrastructure, providing a highly scalable foundation on which sophisticated management tools can be built, and a base level of common management functions. On top of these services, Microsoft, other software vendors, and corporate developers can layer any number of management tools, using the underlying functions of the Windows management services. MMC is a core component in this model.
This section briefly discusses the roles of MMC, Active Directory™ directory service, and Group Policy in the management structure. These particular technologies are highlighted because they are the means by which custom MMC consoles are deployed in an Active Directory environment, as explained in the "Active Directory-Based Deployment of MMC" section in this document.
For more detailed information on the Windows management services, see the "Introduction to Windows Management Services" white paper on the Windows 2000 Server Web site or Microsoft TechNet.
The Windows Management services are divided into three logical layers:
The Common Services. These are the low-level operating system services that form the basis of Windows management services. This layer includes base services such as Active Directory, unified instrumentation, and event notification to name but a few.
Management Logic. This middle layer has two major areas. The first area consists of the standard management tools that are necessary for change and configuration management, security management, and problem tracking. The second area is the value-added management solutions, that is, the task-based management solutions that both Microsoft and third-party software vendors will provide. The Group Policy MMC snap-in is one of the standard management tools included in the Windows 2000 operating system.
Presentation. This represents the high-level, common services that allow people to tie the other services together and allow people and processes to interact with the services. MMC is part of this layer.
The Windows management services are illustrated in Figure 1.
Figure 1: Windows management services
The common services represent the necessary building blocks on which Microsoft and others can build value-added solutions. This layer includes the Active Directory, a secure, distributed, partitioned, and replicated directory service that provides two key common management services. Active Directory provides a standardized location service; that is, it provides a standard way to locate resources within the computer systems. Active Directory service also provides the basis for applying Group Policy to the objects managed by the Active Directory.
The Windows 2000 Server operating system includes several Active Directory MMC snap-ins: Active Directory Sites and Services, Active Directory Users and Computers, and Active Directory Domains and Trusts. Additionally, administrators can install the Active Directory Schema snap-in included in the Windows 2000 Administration Tools Setup wizard, which is available in the Windows 2000 Server CD, in the I386 folder (the file name is Adminpak.msi). The Group Policy snap-in, described next, extends both the Active Directory Sites and Services and the Active Directory Users and Computers snap-ins.
In addition to a standardized location service, the Windows 2000 operating system includes Windows Management Instrumentation (WMI), which provides a uniform model through which management data from any source can be accessed and managed in a standard way.
The management logic layer provides two distinct classes of service. It provides standard management tools that are built from the common services, and it enables development of high-end, full function, value-added management solutions. Administrators can maximize users' productivity by using Group Policy–one of the standard Windows 2000 Server management tools–to ensure that people have the necessary data, applications, operating system and settings available, optimally configured for their respective job tasks.
Administrators use the Group Policy MMC snap-in to specify options for managed desktop configurations for groups of computers and users. Group Policy provides options for registry-based policy settings, security settings, software installation, scripts, and folder redirection. The Group Policy settings that administrators create are contained in a Group Policy object (GPO) that is in turn associated with selected Active Directory containers: sites, domains, and organizational units (OUs).
Administrators can also set local Group Policy for computers that are not members of a domain. To set local Group Policy, administrators use the Group Policy snap-in focused on the local computer.
Common presentation services such as MMC are also included in the operating system. MMC provides an open, extensible, common hosting environment for management applications (snap-ins). MMC provides a unified user interface for hosting administrative tools, including snap-ins, to administer networks, computers, services, and other system components.
The following section discusses the MMC user interface (UI), and presents descriptions of UI elements and the MMC namespace.
The MMC User Interface
At first glance, an MMC UI looks much like an MDI version of Windows Explorer. A complete MMC console might look like the one illustrated in Figure 2.
Figure 2: An MMC console
The MDI child windows offer many differing views. Each of these child views includes a command bar, a console tree (the left pane), and a details pane (the right pane). The command bar contains both drop-down menus and buttons. The console tree is a hierarchical structure that displays the items available in a console. This tree-formatted listing shows all visible nodes, each of which represents a manageable container, object, task, or view. The console tree need not be visible in all views—in this example, it is visible in only the top left child window.
Each child window's details pane displays the result of selecting a node in the console tree. In many cases it is a list of the contents of a folder, but in other cases it is a management related view (such as the performance graph in this example), which can be Web- or ActiveX® control-based. The MMC namespace consists of the console tree and the details pane. It is described in more detail in the "MMC Namespace" section in this document.
MMC, as pictured above, can be configured to represent powerful management tools. MMC is also designed to offer a scaled-down view that can be less daunting to less-experienced administrators. For example, a console, such as the one illustrated in Figure 3, can appear as just a taskpad view containing task-oriented information.
Figure 3: A console appearing as a taskpad view only
Another simple view is created by condensing the view to a single tool, like the services management window illustrated in Figure 4.
Figure 4: A console view condensed to a single view
Because MMC permits customization, multiple tools can be created and saved; each of the views in the preceding examples can be saved to separate files as different tools. When one of these files is sent to another person, that person can open the file, and the corresponding tool is loaded as configured. For example, a senior administrator could create the view in Figure 4 (a list of services on a computer), and send that view to an operator who will manage only the services on that computer. The operator receives—and can access—only the UI pictured. The subjects of console customization, and tool delegation and deployment are discussed in more detail in the sections in this document on "Creating Custom Consoles: Examples" and "Active Directory-Based Deployment of MMC."
Customization is quite simple. An administrator can use the Snap-in Manager to dynamically load and unload snap-ins. (The Snap-in Manager provides a list of available snap-ins, allowing users to add or remove snap-ins to the console.) To access the Snap-in Manager, administrators click Add/Remove Snap-in on the MMC Console menu.
In the following example (Figure 5), the Add/Remove Snap-in dialog box is used to add the Active Directory Domains and Trusts snap-in to the current console.
Figure 5: Adding Active Directory Domains and Trusts snap-in
User Interface Elements
This section introduces the main graphical user interface (GUI) elements of MMC. The majority of these are standard Windows 2000-based software GUI elements, tailored for use with MMC.
The MMC console has a main menu, an Action band, and a toolbar. The main menus are Console, Window, and Help; these menus provide commands that affect the entire console.
A new console is illustrated in Figure 6.
Figure 6: Console interface elements
A band is a rectangular area that contains menus and icons. The Action band contains the following menus:
Action. Includes the same contents as a context menu in Windows (a context menu is accessed by right-clicking an object or container).
View. Controls how information is displayed in the details pane.
Favorites. This tab is displayed when you open a new console in author mode, or when an item has already been added to the Favorites list in a console. The Favorites list can include shortcuts to tools, items in the console, or tasks. When you use MMC in author mode, you gain full access to all MMC functionality. You can add or remove snap-ins, create new windows, create taskpad views and tasks, add items to the Favorites list, and view all parts of the console tree.
The MMC console contains two standard Windows toolbars:
Console toolbar. Contains the main menu and author mode band (when used in author mode).
Snap-in toolbar. Includes the Action band, common commands bands, and one or more snap-in specific bands.
A property sheet is a window that users can use to view and edit the properties of an item. A property sheet contains one or more overlapping property pages, which are child windows that contain controls for setting a group of related properties. Each page has a tab that the user can click to bring the page to the foreground of the property sheet.
For example, the Computer Management Properties page contains the controls for setting properties such as a textual description of the computer, setting environment variables, performance options, and startup and recovery options.
A wizard is a type of property sheet that is designed to present single property pages in a sequence controlled by the application. To the user, a wizard is a set of windows that present a sequence of steps to complete a particular task. Users can navigate through the sequence by using the Back and Next buttons located at the bottom of each property page.
Some MMC snap-ins use wizards to automate and simplify tasks for users. For example, the Active Directory Users and Computers snap-in includes the Delegation of Control wizard that administrators use to delegate control of Active Directory objects. Administrators use this wizard to grant other users permission to manage users, groups, computers, organizational units, and other objects stored in the Active Directory service.
MMC snap-ins can add both standard and Wizard 97 pages; however, the preferred method is to use Wizard 97 pages. For details about Wizard 97 pages, see the Microsoft Platform SDK documentation.
MMC uses dialog boxes, which are secondary windows that are mainly used to obtain information from the user to complete a given task. Dialog boxes are usually modal, which means the dialog box must be closed before the user can access another window. However, MMC is primarily modeless, which allows users to move between open windows.
The following sections describe the MMC namespace.
The MMC namespace represents the hierarchy of objects and containers that are displayed in the console window. The window consists of two panes; the left pane contains the console tree, and the right pane contains the details pane. The left pane also includes the Favorites tab, explained below.
The console tree contains a hierarchy of containers, most of which are represented by folder icons. Some containers are displayed as unique icons that graphically represent the type of items that they contain.
The details pane displays the item selected in the console tree according to a selected view type.
Console Tree Pane
The console tree uses a standard Windows-based tree control to represent a set of containers and objects as an indented outline based on their hierarchical relationship.
In this document, the term container refers to an item in the console tree that displays child containers below it in the console tree when expanded, and displays its child containers in the details pane (subject to the selected view) when selected.
Object refers to an item in the console tree that does not have child items displayed beneath it in the console tree; an object displays information in the details pane when it is selected in the console tree.
Most of the items in the console tree are containers that hold other containers, objects, or both.
The console root is a container that holds the snap-in root nodes.
Snap-in Root Node
The snap-in root node is the uppermost node in the snap-in; it is labeled according to the product or task that it manages. Only one snap-in root node exists for each stand-alone snap-in. MMC supports stand-alone and extension snap-ins. A stand-alone snap-in provides management functionality without requiring support from another snap-in, whereas an extension snap-in requires a parent snap-in above it in the console tree. Extension snap-ins extend the functionality provided by other snap-ins.
When you create a console in author mode, the left pane of the new console includes the Favorites tab. This tab is also displayed if an item has been added to the Favorites list in a console.
You can use the Favorites list to:
Create shortcuts to tools or items in the console tree.
Create tasks for novice users. For example, you can create custom tasks by including shortcuts only to the tasks the user needs to perform, providing a simplified view of a console.
Organize taskpad views. For example, if a console has multiple taskpad views that are distributed in several places in the console tree, you can add these views to the Favorites list, allowing users to access all the views from a single location.
Note: MMC version 1.1 does not support user-created taskpads.
The details pane displays the view of the selected item in the console tree. It has also been referred to as the result pane. The details pane can display information in a variety of formats: a list view, a taskpad view, as ActiveX controls (OCXs), or as an HTML page.
The list view displays a collection of items, each consisting of an icon and a label, and provides several ways to display and organize the items. For example, additional information about each item can be displayed in columns to the right of the icon and label. The following view type modes are supported:
MMC supports column configuration, which allows users to customize the configuration of columns in a details list view. The changes the user makes to the column configuration are saved, or persisted, by the console. Not all of the snap-ins support column customization.
By making changes to the column configuration, you can:
Customize the display of columns and rows. For instance, you can rearrange or hide columns. Or you can click the column heading to reorder rows alphabetically or chronologically.
Filter columns based on particular attributes. This applies to some snap-ins only. If you enable this feature, a row of drop-down list boxes that contain options for filtering are displayed beneath the column headings.
Note: MMC version 1.1 does not support column configuration.
A taskpad view is a dynamic HTML (DHTML) page that presents shortcuts to commands available for a selected item in the scope pane; the taskpad view is displayed in the details pane. Each command is represented as a task that consists of an image, a label, a description, and a mechanism for instructing the snap-in to run that command. Users can run the commands by clicking a task.
You can use taskpad views to:
Include shortcuts to all the tasks a specific user may need to perform.
Group tasks by function or user by creating multiple taskpad views in a console.
Create simplified lists of tasks. For example, you can add tasks to a taskpad view and then hide the console tree. This way, users can begin using tools before knowing the location of particular items in the console tree or operating system, making it easier for novice users to perform their jobs.
Simplify complex tasks. For example, if a user frequently performs a given task involving several snap-ins and other tools, you can organize shortcuts to those tasks in a single location that run the appropriate property pages, command lines, dialog boxes, or scripts.
Custom ActiveX Controls (OCX Controls)
An ActiveX control is a COM-based object that can draw itself in its own window, respond to events (such as mouse clicks), and can be managed through an interface that includes properties and methods similar to those in Automation objects. You can insert custom ActiveX controls (objects or components) into a Web page or an application to reuse their functionality. Snap-ins can launch an ActiveX control in the details pane.
Custom Web Page
The details pane of a console can host HTML pages that are on the local computer or hosted on a Web server.
MMC is a point of integration between a Web UI and a Win32®-based UI. You can display Web pages within a saved console file by choosing Add/Remove Snap-in on the Console menu, and clicking Add to add a Link to Web Address. This permits you to mix and match Web-based administration programs and MMC snap-ins.
MMC supports exporting the data displayed in all standard list views to a text file. When the user clicks the Export List context menu item while a scope pane node with a list view is selected, the visible columns in the list view are exported to a text file in the order in which they appear in the view. You can choose to export only specific rows by selecting them.
Note: MMC version 1.1 does not support the export list functionality.
How MMC Works
The MMC console is a Windows-based MDI application that makes use of Internet technologies. The console itself has no management behavior; it is a host that contains other software—snap-ins—that extends the console to offer the actual management capabilities.
The MMC model is illustrated in Figure 7.
Figure 7: The MMC model
The UI elements of the tool interact with the MMC Snap-in Manager, which interacts with the various snap-ins. The Snap-in Manager is accessed by clicking Add/Remove Snap-in on the MMC Console menu. The Snap-in Manager also deals with saving settings into a document (Management Saved Console or .msc file). The items at the top of the picture, the .msc file and the UI elements, are all that a user interacts with. The items at the bottom (the Snap-in Manager, the Routing and Remote Access, and Event Viewer snap-ins) are the elements that the developers interact with.
When an MMC tool is loaded, one or more snap-ins are initialized. These snap-ins are integrated to create the tool's namespace—the hierarchy of objects and containers that are displayed in the console tree, and the details view, which displays the view of a selected item in the console tree. The namespace is a master tree that represents what the tool can do. It appears similar to a tree view of the files and folders on a hard disk. The namespace can include all manageable aspects of a network—computers, users and groups, and so on. The details pane can display information as a list view, taskpad view, ActiveX control, or an HTML page.
The child windows in MMC are views into this master namespace. This is akin to having multiple instances of Windows Explorer looking at the same hard disk. Each view may be rooted at a different portion of the tree but they all point to the same master data source (as the examples in Figures 8, 9, and 10 illustrate). If data is currently displayed in multiple child windows, when that data is deleted in one view it will also disappear from the other views.
Figure 8: View of the Services node
Figure 9: View of the Shares node under Shared Folders
Figure 10: View of the System Monitor Control node
Each MMC tool is built of a collection of instances of smaller tools called MMC snap-ins. One snap-in represents one unit of management behavior. A snap-in is the smallest unit of console extension. Technically, a snap-in is an OLE In Process (InProc) server that runs in the process context of MMC. (An In Process server is a server implemented as a dynamic link library (DLL) that runs in the same process as the client.)
The snap-in may call on other supporting controls and dynamic link libraries (DLLs) to accomplish its task.
Snap-ins extend MMC by adding and enabling management behavior. This behavior may be provided in a number of ways. For example, a snap-in might add elements to the viewable node namespace, or it might simply extend a tool by adding context menu items, toolbars, property pages, wizards, or Help to an existing snap-in.
Creating Custom Tools from Snap-ins
MMC provides functionality for creating custom management tools. This allows administrators to create, save, and then delegate management tools tailored for specific tasks.
Administrators can assemble multiple snap-ins, from multiple vendors, into a tool (also called a document). An administrator can create multiple tools, and load and unload them when needed; these tools are what the administrator actually uses to manage the network.
After assembling a tool from various snap-ins, the administrator can save the tool in an .msc file, and then reload the file later to instantly recreate the tool. The .msc file can also be e-mailed to another administrator, who can then load the file and use the resulting tool. (If the second administrator does not have all the necessary snap-ins installed on his or her computer, MMC automatically downloads the required snap-ins when the second administrator loads the .msc file).
Administrators can also distribute saved consoles and snap-ins to other administrators by using the Group Policy snap-in and its Software Installation extension. See the "Active Directory-Based Deployment of MMC" section for more information on this topic.
It is possible to run multiple tools simultaneously on one computer, but each tool requires its own instance of MMC to be running.
Note that with MMC, a single tool (a saved console file) does not necessarily have only a single purpose. It is likely that the one tool that an administrator creates and uses regularly will contain management functionality for all aspects of the network—Active Directory, replication topology, file sharing, and so on. It is called a tool because it runs in one instance of MMC, and can be saved in one .msc file.
The following procedure provides general instructions for creating a console and adding a snap-in.
To create a new console
On the Start menu, click Run, and type mmc /a to open a new console.
Using the /a parameter opens a console in author mode, which grants full access to all MMC functionality.
On the Console menu, click Add/Remove Snap-in.
In the Add/Remove Snap-in dialog box, click Add, select the snap-in you want to use, choose either Local computer or Another computer (for remote management), and then click Finish.
If a wizard appears, follow the instructions on the screen.
To add any available snap-in extensions, click Extensions, select the extensions to use from the Available extensions list, and click OK.
To save a console, click Save on the Console menu.
MMC Console Access Mode
Two general access mode options are available when creating custom MMC consoles, author mode and user mode. To set access mode options, you use the Options menu in the console, and select one of the following:
Author mode—Allows full access to all MMC functionality, including the ability to add or remove snap-ins, create new windows, create taskpad views and tasks, add items to the Favorites list, and view all portions of the console tree.
User mode—Provides access to Windows management commands, and defines the level of access to the console tree. When you select User mode, users cannot add or remove snap-ins or change the console properties. User mode provides options for defining three levels of access to the console tree:
Limited access, multiple windows.
Limited access, single window.
Packages Are Installable Collections of Snap-ins
To create a tool from snap-ins, a user must get the snap-ins in the first place. Vendors often ship snap-ins in groups called packages. For example, the Windows 2000 operating system itself includes one or more packages of snap-ins. Additionally, other vendors might ship products composed entirely of packages of snap-ins.
Grouping snap-ins into packages provides convenience for downloading and installation. Autocode download has been added to MMC version 1.2 in the Windows 2000 operating system; it downloads packages rather than snap-ins. This permits several snap-ins to share core DLLs so that these (possibly sizable) DLLs do not have to be placed in every snap-in.
Types of Snap-ins
Transparent to the administrators, internally each snap-in supports one or both of the following modes:
Stand-alone snap-in—Provides management functionality even if alone in a console with no other supporting snap-ins. Snap-ins designed for this mode must not rely on any other snap-ins being present.
Extension snap-in—Provides functionality only when used in conjunction with a parent snap-in. An extension snap-in can extend only given node types. It declares itself as being a subordinate to nodes of certain types, and then for each occurrence of those node types in the console, the console adds the related snap-in extensions below it automatically.
For example, an extension snap-in might be a Log Pretty Print snap-in, providing users several ways to print out log files (such as the Windows 2000 Event Viewer log). With this snap-in installed, every log object in the namespace would be extended with the Pretty Print context menu item.
Extension snap-ins can provide a variety of functionality. Some actually extend the console namespace (for example, a snap-in that provides system information about computers would add that system information to the namespace under each computer in the namespace), while others simply extend context menus or specific wizards. For more information, see "Console Extensibility Mechanisms" in the next section of this document.
Many snap-ins support both modes of operation, offering some stand-alone functionality, and also extending the functionality of other snap-ins. For example, the Windows 2000 Event Viewer snap-in reads the event logs of computers. If the MyComputer object exists in the console, the Event Viewer snap-in automatically extends each instance of a MyComputer object and provides the event logs for that computer. Alternatively, the event log can also operate in stand-alone mode, in which case an administrator must manually provide a computer name when the snap-in is opened, and the snap-in simply provides the event logs of this one computer.
Console Extensibility Mechanisms
Microsoft has defined the following modes of extensibility for snap-ins. Every snap-in must provide at least one of the types of functionality described in Table 1.
Table 1 Modes of extensibility for snap-ins
The namespace is extended by any snap-in that can be added with the Snap-in Manager. Snap-ins enumerate items in the details pane by implementing the IComponent interface.
Context menu extension
Snap-ins can extend the default menus that MMC creates for items in the scope and details panes. To do this, snap-ins must implement the IExtendContextMenu interface.
Per view, based on the selection in that view
Snap-ins can extend the toolbar provided by MMC or they can create a toolbar. Several interfaces can be used for creating toolbars, including IToolbar, IControlToolbar, IExtendControlbar, and IConsoleVerb.
Property page extension
Snap-ins can add one or more property pages to a property sheet frame. IPropertySheetProvider, IPropertySheetCallback, and IExtendPropertySheet2 are used to provide Property page extensions. The first two are used by MMC and the third one is used by the snap-in.
Snap-ins can provide HTML help by using the ISnapinHelp2 interface and the ISnapinHelp2::GetLinkedTopics method.
In all cases, the snap-in has the option of altering the returned enumeration based on the context information passed to it at Open time. This permits snap-ins to register as an extension and offer conditional behavior. For example, the My Computer context menu can choose to offer Open Control Panel only when it determines that it is being asked to open Control Panel on a local computer (because Control Panel is not remotable).
Other than the CREATE NEW and TASKS menu extensions, all others are general user interface extension mechanisms. The CREATE NEW and TASKS menu extensions are used as a mechanism to group operations in a way to permit integrated, task-oriented command structures. Had the console offered only a generic menu extension interface, there would be little consistency in the usage model. In MMC, each node will have a Create New menu and a Tasks menu. Through this extension registration mechanism, all of these menu items and corresponding functionality are collected into a single UI point of usage.
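The MMC SDK documents that this extension registration is stored in the registry, under HKLM\SOFTWARE\Microsoft\MMC\SnapIns and under ...\MMC\NodeTypes\{node type}\Extensions\{NameSpace, ContextMenu, ToolBar, PropertySheet, Task}; that layout is not described in this paper. The following added example (not part of the original paper) parses a `reg export` of those keys and reports which snap-in extends which node type in which mode, flagging extension CLSIDs that have no matching SnapIns entry; every GUID and name in the sample is constructed.

```python
import re

# Constructed excerpt in `reg export` text form; all GUIDs and names are made up.
SAMPLE_REG = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{11111111-0000-0000-0000-000000000001}]
"NameString"="Example Computer Manager"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{11111111-0000-0000-0000-000000000001}\StandAlone]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\SnapIns\{22222222-0000-0000-0000-000000000002}]
"NameString"="Example Log Pretty Print"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\{AAAAAAAA-0000-0000-0000-00000000000A}\Extensions\ContextMenu]
"{22222222-0000-0000-0000-000000000002}"="Pretty Print menu"
"{33333333-0000-0000-0000-000000000003}"="Unknown menu extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC\NodeTypes\{AAAAAAAA-0000-0000-0000-00000000000A}\Extensions\NameSpace]
"{11111111-0000-0000-0000-000000000001}"="Adds child nodes"
'''

MMC_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MMC"
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Extensions subkey name -> extensibility mode as named in this paper.
MODE_LABELS = {
    "namespace": "namespace extension",
    "contextmenu": "context menu extension",
    "toolbar": "toolbar extension",
    "propertysheet": "property page extension",
    "task": "taskpad extension",
}


def parse_reg(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values in an export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslash and double quote with a backslash.
            current[m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def _relative(key):
    """Path components below the MMC root key, or None for unrelated keys."""
    prefix = MMC_ROOT + "\\"
    if not key.upper().startswith(prefix.upper()):
        return None
    return key[len(prefix):].split("\\")


def inventory(text):
    """Collect registered snap-ins and the per-node-type extension entries."""
    snapins, extensions = {}, []
    for key, values in parse_reg(text).items():
        parts = _relative(key)
        if not parts:
            continue
        top = parts[0].lower()
        if top == "snapins" and len(parts) >= 2:
            entry = snapins.setdefault(parts[1].upper(),
                                       {"name": None, "standalone": False})
            if len(parts) == 2:
                entry["name"] = values.get("NameString")
            elif len(parts) == 3 and parts[2].lower() == "standalone":
                entry["standalone"] = True  # the subkey's presence is the flag
        elif top == "nodetypes" and len(parts) == 4 and parts[2].lower() == "extensions":
            for clsid in values:
                extensions.append((parts[1].upper(), parts[3], clsid.upper()))
    return snapins, extensions


def extension_report(text):
    """One dict per registered extension, resolved against the SnapIns key."""
    snapins, extensions = inventory(text)
    report = []
    for node_type, mode, clsid in sorted(extensions):
        info = snapins.get(clsid)
        report.append({
            "node_type": node_type,
            "mode": MODE_LABELS.get(mode.lower(), mode),
            "clsid": clsid,
            "name": info["name"] if info else None,
            # Registered both as stand-alone and as an extension of another node.
            "dual_mode": bool(info and info["standalone"]),
            "registered": info is not None,
        })
    return report


def unresolved(text):
    """Extension CLSIDs that have no entry under the SnapIns key."""
    return sorted({e["clsid"] for e in extension_report(text) if not e["registered"]})


if __name__ == "__main__":
    for e in extension_report(SAMPLE_REG):
        print(e["node_type"], e["mode"], e["name"] or e["clsid"],
              "" if e["registered"] else "(no SnapIns entry)")
```

Snap-ins run as in-process COM servers inside mmc.exe, so the resulting list is a useful baseline to compare across administrative workstations.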
Using Non-MMC Tools with MMC
You can run non-MMC management programs on the computer at the same time as one or more instances of MMC, and use the operating system to switch back and forth, as expected.
You can also create shortcuts in the MMC console to the non-MMC tools. These shortcuts are saved when the tool is saved to an .msc file. Within MMC, you can create shortcuts to any executable program (.exe), script, or URL.
Creating Custom Consoles: Examples
One of the primary benefits of MMC is its support for customization of tools. Administrators can build custom MMC consoles tailored for specific management tasks, and then delegate those consoles to other administrators. Tools can be built focused on the particular management requirements of various administrator groups. This capability is equally useful in organizations that use a tiered approach to network management, where the tasks of managing computer systems are divided between several groups, as it is in those corporations in which administrators perform all computer systems management tasks.
This section presents three examples of console customization. In the first example, a custom console is built for an administrator that performs multiple tasks related to management of users. In the second example, a console is created using various snap-ins for troubleshooting a database application. In the third example, a console is created that includes taskpad views and tasks using the Event Viewer, Services, and Shared Folders tools.
In this example, the administrator is concerned with managing users, security, authentication, and distributed file systems. The administrator uses the following snap-ins:
**Active Directory Users and Computers—**The administrator uses this snap-in to create and manage user and computer accounts, create and manage groups, add computers to a domain, manage domain controllers, manage organizational units, and to publish and find published resources such as printers and shared folders.
**Security Templates—**Administrators use this snap-in to view, configure, and apply the full range of system security to a local computer. Administrators can also import the security templates to a Group Policy object associated with a site, domain, or organizational unit. All computers and users in the site, domain, or organizational unit to which the Group Policy object is applied will receive the security template settings. A Security Template includes security settings for the following:
Security Policies: Includes account and local policies. Account Policies includes security for passwords, account lockouts, and Kerberos policies. Local Policies includes user rights, and logging for security events.
Restricted Groups: Local group membership administration.
Registry: Security for local registry keys.
File System: Security for the local file system.
System Services: Security and startup mode for local services.
**Distributed File System (Dfs)—**Using Distributed File System, administrators can make files that are distributed across multiple servers appear to users as if the files resided in one location. Redistributing shared folders can also improve server load balancing. Administrators use the Distributed File System snap-in to manage Dfs shared folders that are distributed across a network, for managing server load balancing, and to provide users with easy access to their files. Users can access their files from one location on the network, even though the files may be physically spread across multiple servers.
**Certificates—**The administrator uses this snap-in to support authentication of external users that do not have an account in the Active Directory. To use a certificate for authentication requires that the administrator associate (or map) a certificate to a user account created for the user in the Active Directory for authenticated access. To request the certificate, the administrator uses the Certificate Request wizard in the Certificates snap-in.
To create a custom console with the snap-ins used in this example
1. Start MMC by clicking Start, clicking Run, and typing mmc.
2. In the MMC console, select Add/Remove Snap-in on the Console menu.
3. In the Add/Remove Snap-in dialog box, click Add, and double-click Active Directory Users and Computers from the list of Available Stand-alone Snap-ins.
   If a wizard appears, follow the instructions on the screen.
4. Repeat step 3 to add each of these snap-ins: Security Templates, Distributed File System, and Certificates.
5. Click Close, and click OK.
6. Click Save on the Console menu.
Note: To use the Active Directory Users and Computers snap-in requires that you have a Windows 2000 domain controller installed.
Figure 11 illustrates an example of a custom console.
Figure 11: Example of a custom console
For more information on the Active Directory Users and Computers, Security Templates, Distributed File System, and Certificates snap-ins, refer to the Windows 2000 Server online Help, or to Product Help available on the Windows 2000 Web site (http://www.microsoft.com/windows2000/default.mspx).
In this example, the administrator is concerned with troubleshooting a database application. For this purpose the administrator uses the following snap-ins:
**Event Viewer—**Administrators can use the Event Viewer logs to collect information about hardware, software, and system problems, and also to monitor Windows 2000 security events. To enable logging for security, administrators can use Group Policy.
**Device Manager—**Administrators can use this snap-in to monitor hardware on computers, configure hardware settings, manage devices, identify device drivers loaded for each device, install updated device drivers, and view summary information on devices installed on computers. Note that this snap-in manages devices only on local computers. For remote computers, Device Manager functions in read only mode.
**System Monitor—**System Monitor is an ActiveX control that supports Visual Basic® Automation, allowing developers to incorporate the capabilities of System Monitor into their applications. Administrators use this snap-in to collect and view performance data on local or remote computers, view data from logs, and create HTML pages from performance views. The data can be viewed as graphs, histograms, or report views. Administrators can also use Visual Basic Automation to incorporate System Monitor functionality into Microsoft Office applications such as Microsoft Excel, for example.
**Performance Logs and Alerts—**Administrators use this snap-in to collect performance data automatically from local or remote computers. Administrators can view the logged counter data with System Monitor, and can also export the data to a spreadsheet or database application for analysis or to generate reports. Administrators can set properties for counter and trace logs, and alerts. This includes log file options such as the file name, file location, file type (format such as text or binary, for example), comments, schedule, and so on.
**System Information—**Administrators use the System Information snap-in to collect and view system information data on local or remote computers. Administrators can view the following information:
System Summary: Displays information about the operating system, system name, processor, BIOS version, Windows directory, locale, memory.
Hardware Resources: Displays hardware-specific settings such as DMA, IRQs, I/O addresses, and memory addresses. The Conflicts/Sharing view identifies devices that are sharing resources or are in conflict. This can help identify problems with a device.
Components: Displays information about the Windows configuration. This category is used to determine the status of device drivers, networking, and multimedia software. In addition, there is a comprehensive driver history, which shows changes made to components over time.
Software Environment: Displays a snapshot of the software loaded in computer memory. This information can be used to determine whether a process is still running or to check version information.
To create a custom console with the snap-ins used in this example
1. Start MMC by clicking Start, clicking Run, and typing mmc.
2. In the MMC console, select Add/Remove Snap-in on the Console menu.
3. In the Add/Remove Snap-in dialog box, click Add, double-click Event Viewer from the list of Available Stand-alone Snap-ins, choose Local computer, and then click Finish. (Or to manage a remote computer, choose Another computer).
4. Repeat step 3 to add each of the following snap-ins:
   - System Information
   - Performance Logs and Alerts

   If a wizard appears, follow the instructions on the screen.
5. Click Add, and double-click ActiveX Control.
6. In the Insert ActiveX Control wizard, click Next.
7. In the Control category box, click All Categories.
8. In the Control type list, click System Monitor Control, and click Next.
9. Click Finish, click Close, and then click OK.
To save the console
In the console, click Save on the Console menu.
An example of the custom console is shown in Figure 12.
Figure 12: An example of a custom console
For more information on the Event Viewer, Device Manager, System Information, Performance Logs and Alerts, and System Monitor snap-ins, refer to the Windows 2000 Server Help or to the Product Help on the Windows 2000 Web site (http://www.microsoft.com/windows2000/guide/server/overview/default.asp).
In this example, a senior administrator has hired a new administrator, and wants to bring the new administrator up to speed gradually by having him or her support a single server. The new administrator's tasks include adding and removing file shares, changing share permissions, looking at event logs, and starting and stopping services on the server.
To address the new administrator's tasks, the administrator can create a console that includes the Event Viewer, Shared Folders, and Services snap-ins.
**Event Viewer—**You use this snap-in to collect information about hardware, software, and system component problems or errors, and to monitor security events.
**Services—**You can use this tool to start, pause, stop, or resume system services on a local or remote computer. You can also configure startup and recovery options, and enable or disable services for a particular hardware configuration. For example, you can specify recovery actions to take place if a service fails.
**Shared Folders—**You use this snap-in to view a summary of connections, and to view and manage resource use for local and remote computers. For example, you can create, set, and view permissions for shares; see a list of users that are connected to a computer on the network; disconnect users; view and close files opened by remote users, and so on.
The administrator first adds the snap-ins, and then creates separate taskpads and tasks for the Event Viewer, Services, and Shared Folders snap-ins. Next, the administrator creates a Favorites view that includes these taskpads, hides the console tree, and then saves the file in User mode.
To add the snap-ins
1. Start MMC by clicking Start, clicking Run, and typing mmc.
2. In the MMC console, select Add/Remove Snap-in on the Console menu.
3. In the Add/Remove Snap-in dialog box, click Add, and double-click Event Viewer from the list of Available Stand-Alone Snap-ins. Choose Local Computer and click Finish. (Or choose Another Computer to manage remotely).
4. Repeat step 3 to add the Services, and then the Shared Folders snap-ins.
5. Click Close, and then click OK.
To create a taskpad view and tasks for the Application log
In the console tree, double-click the Event Viewer snap-in, highlight the Application node, and then click New Taskpad View on the Action menu.
Follow the instructions and accept the defaults in the New Taskpad View wizard. In the Taskpad Target dialog box, select the option to have the taskpad apply to the Current tree item only.
To create tasks after you create the Application log taskpad view, select the Start New Task wizard check box in the final dialog box of the wizard, and follow the instructions in the wizard.
In the Command Type dialog box, check Menu command, and click Next.
In the Shortcut Menu Command dialog box, choose List in details pane in the Command source box, click Properties from the Available commands list, and then click Next.
In the Name and Description dialog box, type a name for the task in the Task name box, and click Next.
Choose an icon in the Task Icon dialog box, and click Next.
To run the wizard again to add additional commands for Tree item tasks or for List in details pane tasks, click Run this wizard again in the last dialog box, click Finish, and then follow the instructions in the New Task wizard.
In the Completing the New Task Wizard dialog box, click Finish.
Figure 13 shows an example of a taskpad view of an Application log. The console has been customized to display only the Favorites list. See the procedures later in this document: To create a Favorites list and To hide the console tree for more information.
Figure 13: An Application log in taskpad view
To add taskpad view and tasks for the System log
1. Double-click the Event Viewer node in the console tree, select System, click Action, and then click New Taskpad View.
2. Follow the instructions and accept the defaults in the New Taskpad Wizard. In the Taskpad Target dialog box, select the option to have the taskpad apply to the Current tree item only. Then check Start New Task wizard in the last dialog box, and click Finish.
3. Choose Menu command in the Command Type dialog box, and click Next.
4. In the Shortcut Menu Command dialog box, click List in details pane from the Command source box, select Properties from the Available commands list box, and then complete the wizard.
5. Check Run this wizard again in the last dialog box, and click Finish.
6. You can repeat step 4 to add commands such as Export List, Clear all Events, View->Filter, Help, and so on.
7. Complete the wizard, and click Finish in the last dialog box.
To create a taskpad and tasks for Services
1. In the console tree, click the Services snap-in. On the Action menu, click New Taskpad View. Follow the instructions in the New Taskpad View wizard.
2. To create tasks after you create the Services taskpad view, select the Start New Task wizard check box in the final dialog box of the wizard.
3. Follow the instructions in the New Task Wizard, and when you are prompted for a command to use in the Command Type dialog box, choose the Menu command option, and click Next.
4. In the Shortcut Menu Command dialog box, choose List in details pane in the Command source box, click Start from the Available commands list, and then click Next.
5. In the Name and Description dialog box, type a name for the task in the Task name text field, and click Next.
6. Choose an icon for the task in the Task Icon dialog box, and click Next.
7. In the Completing New Task Wizard dialog box, click Finish, and select the Run this wizard again check box.
8. Run the wizard again, and repeat steps 4 through 6 to add tasks for the following menu commands: Stop, Pause, Resume, and Restart.
9. Run the wizard again to add commands for Tree item tasks.
10. In the Shortcut Menu Command dialog box, click Tree item task in the Command source box, click Export List from the Available commands list, and then complete the wizard.
An example of a taskpad view of Services is illustrated in Figure 14. The console has been customized to include only the Favorites list. See the procedures later in this paper: To create a Favorites list and To hide the console tree for more information.
Figure 14: A taskpad view of Services
To create a taskpad and tasks for Shared Folders
In the console, double-click Shared Folders, and select the Shares folder.
On the Action menu, click New Taskpad View, and follow the instructions in the New Taskpad View wizard.
To create tasks after you create the taskpad view, select the Start New Task Wizard check box in the final dialog box of the wizard, and follow the wizard's instructions.
In the Shortcut Menu Command dialog box of this wizard, choose Tree item task in the Command source box, double-click Shared Folders, and click the Shares node in the Console Tree list, click New File Share from the Available commands list, and then click Next.
In the Name and Description dialog box, type a name for the task in the Task name box, and click Next.
Choose an icon in the Task Icon dialog box, and click Next.
In the Completing the New Task Wizard dialog box, select Run this wizard again, and click Finish.
Run the wizard again and add the commands for these Shared Folders tree item tasks: Export List, and Help.
Click Finish in the last dialog box of the wizard.
To add tasks involving the details pane
In the console tree, double-click Shared Folders, select Shares, click Action, and then click Edit Taskpad view.
In the Shares Properties page, click the Tasks tab, and click New.
Run the Start New Task Wizard again, and in the Shortcut Menu Command dialog box, choose List in details pane from the Command source box, click Stop Sharing from the Available commands list, and then click Next.
Follow the instructions to complete the wizard, and click Run this wizard again in the final dialog box.
Run the wizard again and in the Shortcut Menu Command dialog box, choose List in details pane from the Command source box, and click Properties from the Available commands list.
Complete the wizard, and click Finish in the last dialog box.
An example of a taskpad view of Shares is illustrated in Figure 15. The console has been customized to include only the Favorites list. See the procedures: To create a Favorites list and To hide the console tree for more information.
Figure 15: An example of a taskpad view of Shares
To create a Favorites list
1. In the console tree, click the node for which you want to add a taskpad to the Favorites list. For example, click the Event Viewer node.
2. In the details pane, click the tab for the taskpad view you want to add. For example, click the Application Log taskpad tab.
3. On the Favorites menu, click Add to Favorites.
4. In the Add to favorites dialog box, click OK to add the item to the Favorites folder (default).
5. To add additional items to the Favorites view, repeat steps 1 through 4.
To hide the console tree
On the console View menu, click Customize.
To hide the console tree, under MMC, clear both the Console tree check box and the Taskpad navigation tabs check box.
To set console mode to user
On the Console menu, click Options.
In Console mode, click one of the user mode options:
- User mode—full access.
- User mode—limited access, multiple window.
- User mode—limited access, single window.
Select the options you want to make available to users:
- Enable context menus on taskpads in this console: allows a menu to appear when users right-click the contents of a taskpad view.
- Do not save changes to this console: prevents users from editing the console.
- Allow the user to customize views: enables users to access the Customize View dialog box.
To save the console
- In the console, click Save As on the Console menu. In this example, the administrator saves the console in the per-user Administrative Tools folder. This makes the console accessible from the Programs menu, in the Administrative Tools folder. In Windows 2000, this folder is in Systemdrive\Documents and Settings\All Users\Start Menu\Programs\Administrative Tools.
To open the saved MMC console for a local computer
- Click Start, point to Programs, point to Administrative Tools, and then click the console file.
An example of what the user would see when opening such a console is illustrated in Figure 16.
Figure 16: A saved MMC console
After you create custom consoles, you can distribute them to other administrators by using the Software Installation snap-in. This is described in the next section.
Active Directory-Based Deployment of MMC
As mentioned previously, administrators can create and save custom MMC consoles (.msc files) for specific tasks and then delegate those consoles to subordinates. Administrators can also use the Software Installation snap-in, an extension of the Group Policy snap-in, to distribute saved console files and snap-ins to other administrators.
The Windows 2000 Software Installation and Maintenance feature relies on Active Directory directory service, Group Policy, Windows Installer, and Add/Remove Programs in Control Panel.
This section provides a brief overview of Software Installation and Maintenance, software assignment and publishing, and Windows Installer and packages. The scope of this section is limited to providing only background information on these technologies and features; it is not intended as a guide for deploying applications.
Note: Before deploying software in a Windows 2000 Active Directory environment, it is strongly recommended that you learn about Active Directory, Group Policy, and Software Installation and Maintenance features.
More information on Active Directory is available on the Windows 2000 Web site at the Active Directory link (http://www.microsoft.com/technet/prodtechnol/windows2000serv/default.mspx).
For more information on Group Policy, see the Windows 2000 Group Policy Technical Paper (in Microsoft TechNet). The Windows 2000 Group Policy Walkthrough can be found on the Windows 2000 Web site (http://www.microsoft.com/windows2000/techinfo/planning/default.asp).
For more information on Software Installation and Maintenance, see the Software Installation and Maintenance Walkthrough (http://www.microsoft.com/windows2000/techinfo/planning/default.asp).
Software Installation and Maintenance
The Windows 2000 Software Installation and Maintenance feature allows administrators to centrally manage software deployment in their organizations. Administrators can target software deployment to groups of users and computers within an Active Directory site, domain, or organizational unit. To deploy software, administrators use the Group Policy snap-in to define software installation options within a Group Policy object that is associated with a site, domain, or OU.
To set Group Policy for a selected Active Directory container, you must have a Windows 2000 domain controller installed, and you must have read and write permission to access the system volume of domain controllers (Sysvol folder) and modify rights to the currently selected directory container. The system volume folder is automatically created when you install a Windows 2000 domain controller (or promote a server to domain controller).
Administrators can deploy software in one of two ways:
**Assigned—**Administrators assign software to those users that require the software to perform their jobs. For example, if everyone in a corporation needed e-mail, administrators could assign an e-mail program to every user. Applications assigned to users are available on the users' computers the next time they log on. Applications assigned to computers are available when the computer is rebooted.
Assigned applications appear to be installed on users' computers. The Software Installation extension to WinLogon advertises[2] the application in the local computer's registry and places shortcuts to the application either on the desktop or the Start menu. To the user, it appears as if the application is already installed, that is, an entry for the software appears on the Start menu. Users typically install an assigned application by selecting the application from the Start menu.
In the case of saved console (.msc) files, administrators first have to create a Windows Installer package (.msi file) for the saved console file, and then they can assign the .msi package using the Software Installation snap-in. The snap-ins referenced in the saved console would also need to be assigned. Windows Installer packages, and assigning saved consoles and snap-ins are described later in this section.
**Published—**Administrators can publish software that users may find useful in performing their job. For example, administrators could choose to publish a programming language such as Microsoft Visual Basic, and users who wanted to use the programming language software could choose to install the program. Published applications are available for users to install the next time they log on to their computers.
Published software does not appear to be installed on the user's computer. Unlike assigned applications, no Windows Installer advertisement information about the software exists on the local computer (either in the registry, or in shortcuts on the desktop or on the Start menu).
Users can install the published software from Add/Remove Programs in the Control Panel. When users open Add/Remove Programs in Control Panel and select Add New Programs, a list of all of the software that is published for them is displayed.
Software Installation and Maintenance requires components in both Windows 2000 Server and Windows 2000 Professional. Administrators use Windows 2000 Server to manage software distribution, and users use Windows 2000 Professional to install the software.
The following list summarizes the server-side components of Software Installation and Maintenance.
**Active Directory—**Provides the scope of management mechanism to locate users and computers, and stores Software Installation and Maintenance information in Group Policy objects.
**Group Policy—**Administrators use Group Policy to deploy applications within a Group Policy object associated with Active Directory containers such as sites, domains, or OUs.
**MMC—**Hosts Active Directory, Group Policy, and Software Installation snap-ins, which are required for software deployment.
Active Directory Sites and Services snap-in and Active Directory Users and Computers snap-in. Used to define the scope of management of Group Policy objects. You create Group Policy by using the Group Policy MMC snap-in as an extension to the Active Directory Sites and Services snap-in (for sites) or the Active Directory Users and Computers snap-in (for domains and OUs).
Group Policy snap-in. The Group Policy snap-in provides built-in features for setting Group Policy for software installation.
Software Installation. You use the Software Installation snap-in extension of Group Policy to centrally manage software distribution in your organization.
The following list summarizes the client-side components of Software Installation and Maintenance.
**Computer Startup—**Loads the operating system, shell, and other programs. Applies Group Policy and installs computer-assigned software.
**WinLogon—**Allows users to log on to their computers. Applies Group Policy assigned to users. Assigned applications are advertised to users' computers.
**Windows Installer Service—**An operating system service that advertises, installs, repairs, and removes software.
**Add/Remove Programs in Control Panel—**Allows users to manage software on their computers. Lists all published and assigned applications, allowing users to install, modify, and remove applications on their computers.
Windows Installer Service
Windows Installer service is an operating system component that is included in Windows 2000, and will also be provided as a Service Pack for the Windows 95, Windows 98, and Windows NT® 4.0 family of operating systems.[3] Windows Installer manages software installation and removal according to a defined set of setup rules that are applied during the installation process.
Windows Installer is responsible for managing the installation, addition, and deletion of software components. The Windows Installer service ensures that all of the proper setup rules are implemented by the operating system. To follow those rules, applications must describe themselves in the standard format, known as the Windows Installer format. Windows Installer then performs the installation duties on behalf of the applications.
Windows Installer Packages
A Windows Installer package file (.msi file) contains a relational database that stores all the data and instructions required to install (and remove) an application across many installation scenarios (such as a new installation or an upgrade).
At installation time, Windows Installer opens the package file for the product in question and determines all of the installation operations that must be performed for that product.
Note: Before administrators can use the Windows 2000 Software Installation and Maintenance feature, they must obtain a Windows Installer package for any software they want to deploy.
You can obtain Windows Installer packages in two ways:
The software creator can supply a natively authored Windows Installer package for the application. For example, Microsoft Office 2000 provides a Windows Installer package.
Administrators can repackage an application for Windows Installer.
Package authoring tools are available from third party vendors including:
InstallShield Software Corporation (http://www.installshield.com/).
Wise Solutions Inc. (http://www.wisesolutions.com/).
Veritas (http://www.veritas.com/).
Creating a Package for Saved Console Files and Snap-ins
To create an .msi package for a saved console (.msc) file or a snap-in, administrators can use the Veritas WinInstall LE product. The WinInstall LE authoring tool will be included in the Windows 2000 Server CD-ROM, in the \Valueadd\3rdparty\Mgmt\Winstle folder. Administrators can also use the InstallShield, Wise, or other third-party package-authoring tools.
For information on package creation, refer to the third-party package authoring tool documentation.
Information on package creation is also available in a walkthrough that discusses Repackaging Software for the Windows Installer Using Veritas WinINSTALL LE (http://www.microsoft.com/windows2000/techinfo/planning/default.asp) and is located on the Windows 2000 Web site.
Assigning Saved Consoles and Snap-ins
After you obtain a package (.msi file) for the saved console (.msc file), you can assign the package (.msi) file to other administrators using the Software Installation snap-in extension to the Group Policy snap-in. You must ensure that the snap-ins included in the saved console (.msc file) are also assigned (or published) to the administrators.
To assign or publish the snap-ins referenced by the saved console (.msc) file you can:
Create a package (.msi file) that includes both the referenced snap-ins and the saved console (.msc) file. Then use Group Policy and Software Installation to assign the package file.
Assign both the saved MMC console package (.msi) and the Windows 2000 Administrative Tools package (Adminpak.msi) to administrators.
Windows 2000 Server includes a component called Windows 2000 Administration Tools (adminpak.msi), a Windows Installer package (.msi file) that contains all the files and information required to install the Windows 2000 Server Administrative applications. See Installing Windows 2000 Administration Tools (Adminpak.msi) on Windows 2000 Server later in this paper for more information on installing the adminpak.msi and setting up a network share.
Create a package that contains only the snap-ins you want to make available to other administrators. Then you can publish this package using the Software Installation snap-in. When a user tries to open a saved console (.msc) that contains a snap-in that is not installed on their computer, this automatically triggers an installation of the snap-in from the published package.
Note: If packages containing snap-ins are separate from those containing the console files, then the snap-in packages should be assigned rather than published to ensure that the snap-ins are downloaded as needed. If there are no console files in the snap-in package, this assignment will cause no visible effect to the user.
Assigned snap-ins are listed in Add/Remove Programs in Control Panel, but they are not downloaded until they are added.
For information on using the Software Installation snap-in, refer to the Windows 2000 Server online Help, which is also located on the Windows 2000 Web site (http://www.microsoft.com/windows2000/en/server/help/).
Installing Windows 2000 Administration Tools on Windows 2000 Server
You can install the Windows 2000 Administration Tools package (Adminpak.msi) on a server from a Windows 2000 Server compact disc. To do this:
Open the I386 (or Alpha) folder on the applicable Windows 2000 Server CD.
Follow the instructions that appear in the Windows 2000 Administration Tools Setup wizard.
You can make the adminpak.msi file available on a network share—so that it can be assigned or published—by copying the file from the CD to the share. Then you can use Software Installation policy to either assign or publish the adminpak.msi file. For information on using Group Policy and Software Installation, refer to the Windows 2000 Server Help.
Assigning the Console and Snap-in Package Files
After you obtain the necessary package files for the custom console and snap-ins, you need to create a network share, or software distribution point, that contains the packages, any transforms, and the program files and components. Transforms or modifications (.mst) files are used to customize the installation of a Windows Installer package (.msi file) at the time of assignment or publication. For example, a transform could specify a subset of a suite of applications. Transforms are applied to Windows Installer packages in an order specified by the administrator.
You must ensure that users to whom you are assigning the packages (for the console and snap-ins) can read from the software distribution point.
The following procedure provides general information on how to assign a package file. For details on using the Group Policy and Software Installation snap-ins, refer to the Windows 2000 Server Help.
To assign a package file
On the Start menu, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers. (Or click Active Directory Sites and Services if you are deploying to a site).
In the console tree, right-click the domain or organizational unit to which you want to assign the packages (for the console and snap-ins).
Click Properties, and then click the Group Policy tab.
Click Edit to open the Group Policy object you want to edit.
Double-click User Configuration, double-click Software Settings, and then in the console tree, click Software Installation.
Right-click the details pane, click New, and then click Package.
In the Open dialog box, click the .msi package you want to assign, and then click Open.
The Open dialog box displays the packages located at the software distribution point you specify as the default.
(To specify the default software distribution point, right-click the Software Installation node, click Properties, click the General tab, and then specify the default software distribution point in the Default Package Location field.)
If the .msi package is located on a different network share, click Browse to locate the software distribution point for the package.
In the Deploy Software dialog box, click Assigned, and then click OK.
Setting Access Permissions for Group Policy Objects Used to Assign Software
If you assign custom consoles and snap-ins to other administrators by using Group Policy and Software Installation, you also want to determine which users and groups have access permissions to the Group Policy object (GPO) that you used to assign the software. That is, you may want to restrict which administrators can modify the Group Policy object, because not everyone who is affected by that Group Policy object needs to manage the GPO. To prevent users from modifying a GPO, grant the users only Read and Apply Group Policy permissions.
To set access permissions, you use the Security tab on the Properties page of the selected Group Policy object. These permissions allow or deny access to the Group Policy object by specified groups.
For information on Group Policy see the Windows 2000 Group Policy Technical Paper on the Windows 2000 Web site (http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolicy.asp), and Microsoft TechNet.
Using Group Policy to Control the Behavior of MMC and Snap-ins
Windows 2000 Group Policy includes several policy settings designed to control the behavior of MMC and snap-ins. This section describes these policy settings.
Controlling Access to a Snap-in
The policy to control access to a snap-in is called Restricted/Permitted snap-ins; it is available in the Group Policy console, under the User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins node.
If you restrict or explicitly permit access to a particular snap-in, the snap-in is added to a list of restricted or permitted snap-ins. The restricted list takes precedence over the permitted list. This means that if the same snap-in exists on both lists, access to the snap-in is restricted.
To use this policy, navigate to User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins in the console tree. In the details pane, double-click the snap-in that you want to permit or restrict, and then select an option.
The available options for Restricted/Permitted snap-ins policy are:
**Enabled**—Click this option to explicitly permit the user to access this snap-in.
**Disabled**—Click this option to prevent the user from accessing this snap-in.
**Not Configured**—Click to enable the user to access the specified snap-in (unless the user is restricted by the Restrict users to the explicitly permitted list of snap-ins policy).
Restricting Access to a List of Permitted Snap-ins
Administrators can create a list of permitted snap-ins for users by enabling the Restrict users to the explicitly permitted list of snap-ins policy. As a result, only permitted snap-ins are displayed in the list of available snap-ins in the MMC Add/Remove Snap-in dialog box.
The Restrict users to the explicitly permitted list of snap-ins policy is available in the Group Policy console under the User Configuration\Administrative Templates\Windows Components\Microsoft Management Console node.
The available options for the Restrict users to the explicitly permitted list of snap-ins policy are:
**Enabled**—Click to restrict the user from accessing any snap-in that is not explicitly permitted.
**Disabled**—Click to permit the user to access snap-ins that are not explicitly restricted.
**Not Configured**—Click to permit the user to access snap-ins that are not explicitly restricted (same as Disabled).
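The way the two snap-in policies combine is easiest to check with a small model that evaluates every snap-in in a saved console and lists the ones reachable only through the default-allow behavior. The following Python is an added example, not code from the original paper or from MMC; the class and function names and the sample console are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Setting(Enum):
    ENABLED = "Enabled"
    DISABLED = "Disabled"
    NOT_CONFIGURED = "Not Configured"


# Reasons returned by evaluate() (hypothetical labels for this example).
RESTRICTED = "explicitly restricted"
RESTRICTED_WINS = "restricted (overrides permitted list)"
PERMITTED = "explicitly permitted"
NOT_LISTED = "not on the permitted list"
DEFAULT_ALLOW = "allowed by default"


@dataclass
class SnapinPolicy:
    """Model of the two policies described above (an assumption, not MMC code)."""
    # State of "Restrict users to the explicitly permitted list of snap-ins".
    restrict_to_permitted_list: Setting = Setting.NOT_CONFIGURED
    permitted: set = field(default_factory=set)   # snap-ins set to Enabled
    restricted: set = field(default_factory=set)  # snap-ins set to Disabled

    def configure(self, snapin, setting):
        """Record one Restricted/Permitted snap-ins setting."""
        if setting is Setting.ENABLED:
            self.permitted.add(snapin)
        elif setting is Setting.DISABLED:
            self.restricted.add(snapin)
        # Not Configured leaves both lists untouched.


def evaluate(policy, snapin):
    """Return (allowed, reason) for one snap-in under the rules in the text."""
    if snapin in policy.restricted:
        # The restricted list takes precedence over the permitted list.
        both = snapin in policy.permitted
        return False, RESTRICTED_WINS if both else RESTRICTED
    if snapin in policy.permitted:
        return True, PERMITTED
    if policy.restrict_to_permitted_list is Setting.ENABLED:
        return False, NOT_LISTED
    # Disabled and Not Configured behave the same: anything not
    # explicitly restricted is accessible.
    return True, DEFAULT_ALLOW


def audit_console(policy, console_snapins):
    """Classify each snap-in in a console.

    'default_allowed' is the review list: snap-ins nobody explicitly
    permitted that are reachable only because the allow-list policy is off.
    """
    report = {"explicitly_permitted": [], "default_allowed": [], "blocked": []}
    for snapin in console_snapins:
        allowed, reason = evaluate(policy, snapin)
        if not allowed:
            report["blocked"].append((snapin, reason))
        elif reason == DEFAULT_ALLOW:
            report["default_allowed"].append(snapin)
        else:
            report["explicitly_permitted"].append(snapin)
    return report


# Constructed sample: a delegated console and the settings applied to its user.
CONSOLE = ["Event Viewer", "Services", "Disk Management", "Device Manager"]


def build_sample(allow_list_state):
    policy = SnapinPolicy(restrict_to_permitted_list=allow_list_state)
    policy.configure("Event Viewer", Setting.ENABLED)
    policy.configure("Services", Setting.ENABLED)
    policy.configure("Services", Setting.DISABLED)  # now on both lists
    policy.configure("Disk Management", Setting.DISABLED)
    return policy  # "Device Manager" stays Not Configured


if __name__ == "__main__":
    for state in (Setting.NOT_CONFIGURED, Setting.ENABLED):
        print(state.value, audit_console(build_sample(state), CONSOLE))
```

With the allow-list policy left at Not Configured, Device Manager lands in `default_allowed`; with the policy Enabled, it moves to `blocked`.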
Preventing Use of MMC in Author Mode
Administrators can enable the Restrict the user from entering author mode policy to prevent users from using MMC in author mode. This policy is available in the Group Policy console under the User Configuration\Administrative Templates\Windows Components\Microsoft Management Console node.
The available options for the Restrict the user from entering author mode policy are:
**Enabled**—Click to restrict the user from using author mode in MMC.
**Disabled**—Click to allow the user to use author mode in MMC.
**Not Configured**—Click to allow the user to use author mode in MMC (same as Disabled).
MMC provides several key benefits:
Task Orientation: The tools being defined to work with MMC are task oriented in nature—they cater to the task being performed rather than merely displaying the raw objects that can be manipulated. Also, because administrators can customize their own tools, using pieces from various vendors, they can create tools that contain only the UI they need to complete their tasks.
Integration: The UI for all the management tasks an administrator must perform is collected into a single console. As new applications are added to a computer or network, their administration is integrated into the existing common administration console.
Customization of Consoles: Administrators can create custom consoles tailored to their particular management needs. This is useful in enterprise environments that divide administrator groups according to duties. For example, you can create a custom console for software installation and maintenance, another one for scripts administrators, another one for security Group Policy, and so on.
Delegation: Administrators can easily modify existing tools to create new tools with reduced functionality and less complex views of the tool namespace, then give these tools to others. A person who receives such a tool is presented with a simpler, more manageable view of the tasks they are being asked to perform.
Overall Interface Simplification: All tools built for MMC, from Microsoft or third-party software vendors, will have a similar appearance, making it easier for users to use all tools after learning one. Because you can mix and match tools from any vendor, you can use the best tool from each management product category. MMC also enables a single piece of software to provide functionality across the interface in a consistent manner.
Extensibility: Developers can extend the base functionality of MMC snap-ins by creating extension snap-ins. This allows software vendors to reuse Microsoft tools without writing a lot of code. Various mechanisms are available for extending snap-ins, including extending the namespace, context menus, toolbars, Property pages, and creating Wizard 97-style pages.
For more information, see the Microsoft Platform SDK.
Developing MMC Snap-ins
Because MMC itself provides the Windows-based environment, MMC is well suited to the ISV who wants to spend more time building real management functionality, and less time building and rebuilding a respectable Windows-based framework for their tools. By writing to the MMC specifications, an ISV will save development time, build in compatibility with other management tools, be able to use existing management tools also written for MMC, and offer an integrated set of administrative tools.
Microsoft has made MMC APIs, part of the Microsoft Platform SDK, freely available to all ISVs, so ISVs can securely make MMC a part of their future management strategy. Microsoft is committed to supporting MMC as the way to build Windows-based administration tools, and is using the console to build all upcoming Windows 2000-based administration tools. Looking into the future, the Administrative Tools program group in the Windows 2000 Start menu will become little more than a collection of saved MMC tools.
MMC snap-ins are written as COM In Process (InProc) server DLLs that support one or more of the MMC-defined interfaces and appropriately register themselves in the MMC registry area. Developers can write a COM InProc server in almost any language that supports function calls; however, using C++ is generally considered the easiest way to implement and use COM. Support will also be provided for creating snap-ins in Visual Basic version 6.0. At the time of this writing, the MMC-specific interfaces described in the Microsoft Platform SDK documentation do not support Java.
For more information on creating MMC snap-ins, see the Microsoft Platform SDK.
Should I Develop Administrative Tools for MMC Now?
Developers should begin building all administrative tools using MMC. The single largest benefit of MMC is that it enables you to quickly build tools. Even better, because MMC is part of the Microsoft Platform SDK, you can build a snap-in once and ship it as a stand-alone tool, include it with other products, or ship it as an extension of yet other products (for example, a reporting product can run stand-alone, can ship with Microsoft Exchange Server, or can extend an already-released ISV product).
Because tools are shipped as documents, you can, as part of your many customized tools, make use of Microsoft snap-ins—for example, you can ship a tool that uses Microsoft Event Viewer or other snap-ins.
MMC supports integration with the tools that Microsoft and ISVs offer. You also benefit from the work done by Microsoft to define standard methods of task delegation, task orientation, tool integration, and tool customization.
Microsoft continues to work with vendors to coordinate snap-in creation and integration.
Comparing MMC to Other Tool Platforms
MMC offers both UI and APIs that can integrate multiple tools. MMC was designed specifically to address the issues of integration, delegation, and task orientation, to be general enough to be reusable by most tools, and to offer simplicity for simple usage scenarios and advanced features for complex management scenarios.
The MMC APIs are designed to the core concept that tools are documents (able to be created, saved, and distributed) and that people should be able to create and customize many new tools. Another key goal is to enable software vendors to build snap-ins that can integrate with the snap-ins provided by others and yet enable the user to experience a single tool. An administrator using such a tool may not even realize that it is composed of snap-ins created at different times by different vendors.
The MMC UI addresses a range of scenarios from simple to advanced—Microsoft believes that administration occurs on a continuous spectrum of levels of experience, rather than a few defined roles (such as user, operator, and administrator). With MMC, senior administrators can create a large number of tools, with varying levels of complexity, and distribute these tools to less experienced users who will actually use them. Administrators can use MMC to build a tool that is perfectly tuned to the ability and role of its user, and the needs of the network.
How MMC Can Work With Enterprise Console Products
Enterprise consoles are defined as the administrative products that support the enterprise, most often with a focus on network management, with some extensions for system management. The purpose of an enterprise management console is to provide consistency and to homogenize tools. There is a need to meld this with the ability to create products that incorporate the best features of tools designed to accomplish a specific task in a specific environment. The purpose of MMC is to provide a UI environment for best of breed tools operating within a Windows-based environment to integrate with and complement enterprise consoles.
Scenario 1: Enterprise Console Launches MMC-based Tasks
Because most enterprise consoles are supported by the Windows NT operating system, it is possible to have MMC be the tool of choice to manage Windows-based clients. For example, you could imagine looking at the physical map view of one of these consoles, and seeing a computer running Windows 2000 Server flashing red in that view. When an administrator opens a Windows 2000 Server object, an MMC saved tool would be launched. This takes advantage of the strengths of the enterprise console in managing the heterogeneous network, and the strengths of MMC and associated ISV snap-ins at managing the Windows platform.
It is possible to launch a console file in context. For instance, the Computer Management console file can be launched with a /computer=computername command line switch to target a specific computer.
Scenario 2: MMC Offers Views into an Enterprise Console
Given MMC's ability to host snap-ins, it's easy to envision portions of enterprise console applications making themselves available through the MMC user interface. In fact, when one thinks of what comprises an enterprise console implementation, the bulk of the offering is base management infrastructure and services: inventory, device auto-discovery, software distribution, alert collection and suppression, help desk, and so on. The UI associated with this behavior can quite easily be offered as MMC snap-ins. Microsoft's future approach will be to have Microsoft System Management Server hosted within MMC. The same applies to other Microsoft BackOffice® products.
How MMC Can Work With Java, Microsoft Internet Explorer, and ActiveX
The MMC implementation is such that snap-ins can perform the more traditional management tasks using well-targeted COM interfaces, and for rendering can use many implementation technologies including traditional list views, HTML, Java, ActiveX, and special purpose ActiveX controls (such as a Network Topology Map view).
How MMC Can Work With Control Panel Applications
In previous versions of the Windows NT operating system, some Control Panel settings (such as Color and Schemes) were intended for the typical user, and others (such as Devices and Services) were targeted at the administrator. In the Windows 2000 operating system, the Windows team has simplified Control Panel by migrating many of the administrative Control Panel tools to become MMC snap-ins. In the process, these management tools will also support remote administration.
How MMC Can Work With Shell Extensions
The MMC API offers much of the behavior provided by the shell extensions. However, MMC adds the ability to build tools (through the document persistence model). Therefore, the bulk of those APIs required changes. The biggest changes are needed because MMC extensions are per-tool, not per-machine or per-user, so MMC extension data is stored in each .msc file. If you are currently developing to the shell extension interfaces, a migration to MMC is straightforward.
This section defines terminology used in this document.
The Windows 2000 directory service that stores information about all objects on the computer network and makes this information easy for administrators and users to find and apply. Within Active Directory, users can access resources anywhere on the network with a single logon. Similarly, administrators have a single point of administration for all objects on the network, which can be viewed in a hierarchical structure.
In the Windows 2000 operating system, you can use the Software Installation snap-in extension of the Group Policy snap-in to assign applications to users so that the applications appear to be installed and available on the user's desktop whenever a user logs on.
You assign applications to a particular Group Policy Object (GPO), which is in turn associated with a selected directory container (site, domain, or organizational unit). When you assign applications, the application is advertised to every user managed by the GPO. Advertising the application installs only enough information about the application to make application shortcuts appear on the Start menu and the necessary file associations appear in the registry. When a user managed by the GPO logs on to a computer running Windows 2000, the application appears on his or her Start menu. When the user selects the application from the Start menu for the first time, the application is installed. Advertised applications can also be installed by clicking on a document managed by the application (by either file extension or by COM-based activation).
When you create a console using this mode, you are granted full access to all MMC functionality, including the ability to add or remove snap-ins, create new windows, create taskpad views and tasks, add items to the Favorites list, and view all portions of the console tree. See also User mode.
The console tree represents the hierarchy of objects and containers that are available in a console. The left pane of an MMC console window contains the console tree and the Favorites tab. See also Favorites tab.
Contained in the right pane of an MMC console window, the details pane displays the view of the selected item in the console tree. The information can be displayed as a list view, a taskpad, an ActiveX control, or an HTML page.
A grouping of servers and other network objects under a single name. Domains provide the following benefits:
You can group objects into domains to help reflect your company's organization in your computer network.
Each domain stores only the information about the objects located in that domain. By partitioning the directory information this way, the Active Directory scales up to as many objects as you need to store information about on your network.
Each domain is an administrative boundary—this means that security policies and settings (such as administrative rights, security policies, and security descriptors) do not cross from one domain to another. Note, however, that the domains within a forest are not security boundaries that guarantee isolation from each other. Only the forest constitutes a security boundary. See also Security descriptor.
A snap-in that provides functionality only when used with a parent snap-in. Extension snap-ins can add nodes to the namespace, or just extend existing nodes with new menus, toolbars, property pages, wizards, or Help.
This tab is displayed when you open a new console in author mode, or when an item has already been added to the Favorites list in a console. The Favorites list can include shortcuts to tools, items in the console, or tasks.
Management Saved Console File (.msc file)
A Management Saved Console file (.msc file) that constitutes a tool. After an administrator has assembled a tool using various snap-ins, the administrator can save the tool to an .msc file. The .msc file persists the tool so that it can be opened and used again later. An .msc file can be passed on to another administrator. See also Tool.
Multiple Document Interface (MDI)
An interface that supports multiple simultaneous views, or windows. Single Document Interface or SDI (Microsoft Internet Explorer, for example), does not support multiple views.
Microsoft Management Console (MMC)
The general, ISV-extensible common management console in the Windows 2000 operating system. The MMC console itself is a Windows-based multiple document interface (MDI) application. MMC itself provides no management behavior, but instead provides a common hosting environment for the snap-ins, which provide the actual management functionality.
Mode of extensibility
Behavior that a snap-in provides, extending the console with more functionality. Microsoft has defined several modes of extensibility, and every snap-in must provide at least one of those modes.
The hierarchy of objects and containers that are displayed in a console window. The namespace includes both the console tree and the details pane.
Any manageable object, task, or view. Examples of nodes include computers, users, and Web pages.
Organizational Unit (OU)
A type of directory object contained within domains. OUs are logical containers into which you can place users, groups, computers, and even other organizational units.
Package (.msi file)
Windows Installer packages (.msi files) contain a database that stores all the information necessary to describe to the Windows Installer how to set up an application in a variety of situations: various platforms, different sets of previously installed products, earlier versions of a product, and numerous default installation locations. The Software Installation snap-in extension to the Group Policy snap-in uses .msi packages.
In the Windows 2000 operating system, you can use the Software Installation snap-in extension of the Group Policy snap-in to publish applications to users. Published applications are those that the administrator makes available for on-demand use.
Published applications have no presence on the users' computers. That is, no shortcuts or Start menu references to the application are present on the desktop. A published application is advertised to the Active Directory. The advertised attributes are used to locate the application and all the information required for installing it. After the application is advertised in the Active Directory, it can be activated by document association, just as an assigned application can be. Users can also set up the program using Add/Remove Programs in Control Panel.
All containers and objects on the network have a set of security information, or security descriptor, attached to them. A security descriptor consists of:
Discretionary access control lists (DACLs) that specify which users or groups can access an object, and the types of access (permissions) granted to those groups or users.
System access control lists (SACLs) that contain auditing information, which specifies the following:
The group or user accounts to audit when accessing the object.
The access events to be audited for each group or user. An example of an access event is modifying a file.
A Success or Failure attribute for each access event, based on the permissions granted to each group and user in the object's DACL.
Software that makes up the smallest unit of console extension. Snap-ins are tools that extend the MMC console and provide administrative functionality. A snap-in functions independently from other snap-ins. See also MMC.
A stand-alone snap-in can be added to a console by itself; an extension snap-in can only be added to extend the function of another snap-in. See also MMC.
An assembly of multiple snap-ins into a single console. A tool contains and provides all the management behavior represented by all the snap-ins contained in the tool. A tool can be saved (in an .msc file) and reloaded. A tool is also called a document.
When you create a console using this mode, you can eliminate some authoring features that users may not need. For example, you can provide users full access to the console tree, but prevent them from adding or removing consoles, or modifying console properties. Three types of user mode are available: full access; limited access, multiple windows; and limited access, single window.
For More Information
For the latest information on Windows 2000 Server, check out Microsoft TechNet or the Windows 2000 Web site (http://www.microsoft.com/windows2000/default.asp).
Management and Overview Papers
The following is a list of papers that introduce the Windows 2000 management services, and change and configuration management features. These papers are intended for managers and technical decision makers who need to understand the business requirements for, and the benefits of, management features, as well as the Microsoft management architecture, tools, and solutions. You can find these papers in Microsoft TechNet.
**Introduction to Windows Management Services**—An overview of the management roles and disciplines, as well as the architecture for management solutions that will be available, either as part of the operating system or as an add-on.
**Introduction to Change and Configuration Management**—An overview of change and configuration management and an introduction to how Microsoft products, such as Windows 2000 IntelliMirror™ management technologies, Remote OS Installation, and Systems Management Server address this management discipline.
**IntelliMirror**—An overview of the features of the IntelliMirror technology and scenarios for how organizations can benefit from IntelliMirror.
**Remote OS Installation**—An overview of the features of Remote OS Installation and scenarios illustrating how organizations can benefit from implementing it.
**System Management Server**—An overview of the features of Systems Management Server, and discussion of its benefits.
The following lists additional technical papers that are or will be available for administrators and Information Technology (IT) managers who are interested in understanding the details of Windows management services features and technologies. They are available in Microsoft TechNet.
Software Installation and Maintenance
Remote OS Installation Service
User Data and User Settings Management
Windows Management Instrumentation (WMI)
1. The Microsoft Platform SDK documentation uses the terms scope pane to refer to the console tree, and result pane to refer to the details pane.
2. The Software Installation snap-in generates an application advertisement script (.aas file) and stores this script in the appropriate locations in the Active Directory and the Group Policy Object.
3. The Windows Installer service pack for these platforms will be made available. After the Windows Installer service is installed in the Operating System, it can process installation requests from any Windows Installer-enabled applications.