Introduction to Microsoft Management Console (MMC)

1
Introduction to Microsoft Management Console (MMC)

• MMC is a common console framework for management
  applications.
• MMC provides a common environment for snap-ins,
  the tools that support management functionality.
• MMC allows you to perform a number of tasks.

2
The MMC Window
3
MMC Consoles
4
Introduction to Snap-Ins
5
Stand-Alone Snap-Ins

• Stand-alone snap-ins are usually referred to
  simply as snap-ins.
• Each snap-in provides one function or a related
  set of functions.

6
Extension Snap-Ins

• Extension snap-ins are usually referred to as
  extensions.
• An extension provides additional administrative
  functionality to another snap-in.
• Extensions are designed to work with one or more
  stand-alone snap-ins.
• Some snap-ins can act as stand-alone snap-ins or
  as extensions.

7
Console Options

• Author mode
• User mode

8
Windows 2000 User Accounts

• Domain user accounts
• Local user accounts
• Built-in user accounts

9
Domain User Accounts

• Allow users to log on to the domain and gain
  access to resources anywhere on the network
• Created in an OU in the Active Directory store
• Replicated to all domain controllers

10
Local User Accounts

• Allow users to log on to and gain access to
  resources on the computer where they log in
• Created in the computers security database
• Not replicated to domain controllers

11
Built-In User Accounts

• Administrator
• Guest

12
Naming Conventions

• The naming convention establishes how users are
  identified in the domain.
• Several considerations should be taken into
  account when determining naming conventions.

13
Password Requirements

• Always assign a password for the Administrator
  account.
• Determine whether the administrator or the users
  will control passwords.
• Use passwords that are hard to guess.
• Passwords can be up to 128 characters a minimum
  length of eight characters is recommended.
• Use both uppercase and lowercase letters,
  numerals, and valid nonalphanumeric characters.

14
Account Options

• Logon hours
• Computer from which users can log on
• Account expiration

15
Creating Domain User Accounts
16
Creating Local User Accounts
17
Overview of Modifying Properties

• A set of default properties is associated with
  each user account.
• Properties defined for a domain user account can
  be used to search for users in the Active
  Directory store.
• Several properties should be configured for each
  domain user account.
• You can use the Active Directory Users And
  Computers snap-in to modify a domain user
  account.
• You can use the Local Users And Groups snap-in to
  modify a local user account.

18
The Properties Dialog Box

• Personal properties tabs
• Account tab
• Profile tab
• Published Certificates tab
• Member Of tab
• Dial-In tab
• Object tab
• Security tab
• Terminal Services tabs

19
Administering User Accounts

• Managing user profiles
• Modifying user accounts
• Creating home folders

20
Managing User Profiles

• A user profile is a collection of folders and
  data that stores your current desktop environment
  and application settings as well as personal
  data.
• Microsoft Windows 2000 creates a local user
  profile the first time you log on at a computer.
• User profiles operate in a specific manner.

21
Assigning a Customized Roaming User Profile
22
Creating Home Folders
23
Introduction to Groups

• A group is a collection of user accounts.
• Groups simplify administration of user
  permissions.
• Users can be members of more than one group.
• When you assign permissions, you give users the
  capability to gain access to specific resources.
• You can add user accounts, contacts, computers,
  and other groups to groups.

24
Types of Groups

• Security groups
• Distribution groups

25
Group Scopes
26
Introduction to Group Membership

• The group scope determines the membership of the
  group.
• Membership rules define which members a group can
  contain.
• Domain local groups and global groups can be
  converted to universal groups.

27
Group Nesting

• You can add groups to other groups to reduce the
  number of times permissions need to be assigned.
• You should create a hierarchy of groups based on
  business needs.
• Try to minimize the levels of nesting.
• Nesting reduces the number of times you assign
  permissions however, tracking permissions
  becomes more complex.
• Document group membership to keep track of
  permission assignments.
• Effective nesting in a multiple domain
  environment will reduce network traffic between
  domains and simplify administration.
• Consider the domain operation mode when nesting
  groups.

28
Group Strategies
29
Introduction to Groups

• Determine the required group scope based on how
  you want to use the group.
• Avoid adding users to universal groups.
• Determine whether you have the necessary
  permissions to create a group in the appropriate
  domain.
• Determine the name of the group.

30
Administering Groups
31
Overview of Group Implementation

• A local group can contain user accounts on a
  computer and can be assigned to resources on that
  computer.
• There are two types of local groups domain and
  non-domain.
• Try to follow specific guidelines when using
  local groups.
• Non-domain local groups can contain local user
  accounts from the computer on which you create
  the local groups.

32
Creating Local Groups
33
Built-In Global Groups

• Windows 2000 creates built-in global groups to
  group common types of user accounts.
• The groups are created in the Active Directory
  store.
• The Users OU contains the built-in global groups.
• Windows 2000 includes a number of commonly used
  built-in global groups.

34
Built-In Domain Local Groups

• Built-in domain local groups provide users with
  user rights and permissions to perform tasks on
  domain controllers and in the Active Directory
  store.
• Built-in domain local groups give predefined
  rights to user accounts when you add user
  accounts or global groups as members.
• Windows 2000 includes a number of commonly used
  built-in domain local groups.

35
Built-In Local Groups

• Built-in local groups give rights to perform
  system tasks on a single computer.
• Built-in local groups are located in the Groups
  folder of the Computer Management snap-in.
• Windows 2000 includes a number of commonly used
  built-in local groups.

36
Built-In System Groups

• Built-in system groups exist on all computers
  running Windows 2000.
• You do not see system groups when you administer
  groups, but they are available for use when you
  assign rights to resources.
• Windows 2000 includes a number of commonly used
  built-in system groups.

37
Overview of Group Policies

• Group policies are a set of configuration
  settings that an administrator applies to one or
  more objects in the Active Directory store.
• A group policy consists of settings that govern
  how an object and its child objects behave.
• Group policies provide users with a fully
  populated desktop environment.
• Conflicts can exist between group policies and
  local needs.

38
Benefits of Group Policies

• Lowering your networks total cost of ownership
  (TCO)
• Securing a users environment
• Enhancing a users environment

39
Types of Group Policies

• Software Settings
• Scripts
• Security Settings
• Administrative Templates
• Remote Installation Services (RIS)
• Folder Redirection

40
Group Policy Structure

• Group policy objects (GPOs)
• Group policy containers (GPCs)
• Group policy templates (GPTs)

41
Group Policy Objects (GPOs)

• A GPO contains group policy settings for sites,
  domains, and OUs.
• One or more GPOs can be applied to a site, a
  domain, or an OU.
• Group policy data that is small in size and
  changes infrequently is stored in GPCs.
• Group policy data that is large and can change
  frequently is stored in the GPT.
• A local GPO exists on every Windows 2000
  computer, and by default, only security settings
  are configured.

42
Group Policy Containers (GPCs)

• A GPC is an Active Directory object that stores
  GPO properties and includes subcontainers for
  computer and user group policy information.
• The GPC stores the Windows 2000 class store
  information for application deployment.

43
Group Policy Templates (GPTs)

• When a GPO is created, the corresponding GPT
  folder structure is created.
• Certain subfolders are often contained in the GPT
  structure.

44
Creating a GPO
45
Using the Group Policy Snap-In
46
GPO Permissions
47
Support for Windows 95, Windows 98, and
Windows NT 4.0

• The Group Policy snap-in does not provide client
  support for Microsoft Windows 95, Windows 98, or
  Windows NT computers.
• Windows NT is supported through .adm files and
  Poledit.exe.
• Windows 95 and Windows 98 clients are supported
  through the Windows 9x System Policy Editor.

48
Managing Software Settings

• Use the Group Policy snap-in to centrally manage
  software distribution.
• To assign or publish an application, create a
  shared folder and copy the application files and
  package files (.msi files) to the share folders.

49
Managing Scripts

• Windows 2000 group policy allows considerable
  flexibility in assigning scripts.
• Multiple scripts can be assigned to a user or a
  computer.
• You can use the Show Files button to open a
  window that displays the contents of the scripts
  folder.

50
Managing Security Settings

• Computer security policy covers areas of policy,
  administrative rights, and user permissions.
• Two types of security policies are defined in
  Windows 2000.
• The security infrastructure can be separated into
  a number of configurable categories.
• Security configurations are stored as .inf files
  in a text format.

51
Managing Administrative Templates
52
Managing Folder Redirection

• The Folder Redirection extension allows you to
  redirect special folders in a user profile.
• By redirecting the My Documents folder, you can
  provide a number of advantages.
• By default, the Folder Redirection extension is
  not included with the Group Policy snap-in.