The MMC is a framework for management applications that offers a unified interface for administration. It is not designed to replace management applications; rather, it is designed to be their central interface. As such, the MMC doesn't have any inherent management functions. It uses add-in components, called snap-ins, to provide the necessary administrative functionality.
To take advantage of what the MMC framework has to offer, you add any of the available stand-alone snap-ins to a console. A console is simply a container for snap-ins that uses the MMC framework. Dozens of preconfigured snap-ins are available from Microsoft, and they provide the functionality necessary for administration. Third-party tools from independent software vendors now use MMC snap-ins as well.
Note
The terms console and tool are often used interchangeably. For example, in the text, I often refer to such and such as a tool when technically it is a preconfigured console containing a snap-in. For example, Active Directory Users and Computers is a tool for managing users, groups, and computers. Not all tools are consoles, however. The System tool in Control Panel is a tool for managing system properties, but it is not a console.
Although you can load multiple snap-ins into a single console, most of the preconfigured consoles have only a single snap-in. For example, most of the tools on the Administrative Tools menu consist of a preconfigured console with a single snap-in—even the Computer Management tool shown in Figure 11-1, which consists of a preconfigured console with the Computer Management snap-in added to it.
Figure 11-1. The Computer Management tool consists of a preconfigured console with the Computer Management snap-in added to it
The many features of the Computer Management snap-in are good examples of how snapins can have nodes and extension components. A node defines a level within the console or within a snap-in. Computer Management has a root node, which is labeled Computer Management, and three top-level nodes, which are labeled System Tools, Storage, and Services and Applications. An extension component is a type of snap-in that is used to extend the functionality of an existing snap-in. Computer Management has many extensions. In fact, each entry under the top-level nodes is an extension—and many of these extensions can themselves have extensions.
These particular extensions are also implemented as stand-alone snap-ins, and when you use them in your own console, they add the same functionality as they do in the preconfigured administration tools. You'll find that many extensions are implemented as both extensions and stand-alone snap-ins. Many doesn't mean all: Some extensions are meant only to add functionality to an existing snap-in and they are not also implemented as stand-alone snap-ins.
Keep in mind extensions are optional and can be included or excluded from a snap-in by changing options within the console when you are authoring it. For example, if you didn't want someone to be able to use Disk Management from within Computer Management, you could edit the extension options for Computer Management on that user's computer to remove the entry for Disk Management. The user would then be unable to manage disks from within Computer Management. The user would still, however, be able to manage disks using other tools.
MMC has two operating modes: author mode and user mode. In author mode, you can create and modify a console's design by adding or removing snap-ins and setting console options. In user mode, the console design is frozen, and you cannot change it. By default, the prepackaged console tools for administration open in user mode, and this is why you are unable to make changes to these console tools.
As Figure 11-2 shows, when you open a console that is in author mode, you have an extended File menu that allows you to create new consoles, open existing consoles, save the current console, add/remove snap-ins, and set console options. In contrast, when you are working with one of the preconfigured console tools or any other tool in user mode, you have a limited File menu, as shown in Figure 11-3. Here, you can access a limited set of console options or exit the console—that's it.
In author mode, you also have a Favorites menu, which is used to add and organize favorites. The Favorites menu does not appear in the user mode.
When you are finished designing a console tool, you should change to user mode. Console tools should be run in user mode, and author mode should be used only for configuring console tools. Three user-mode levels are defined:
User mode—full access Users can access all window management commands in the MMC but can't add or remove snap-ins or change console properties.
User mode—limited access, multiple window Users can access only the areas of the console tree that were visible when the console was saved. Users can create new windows but cannot close existing windows.
User mode—limited access, single window Users can access only the areas of the console tree that were visible when the console was saved and are prevented from opening new windows.
A console's mode is stored when you save the console and is applied when you open the console. In author mode, you can change the console mode by using the Options dialog box, which is displayed by selecting Options from the File menu. You cannot change the mode when a console is running in user mode. That doesn't mean you can't change back to author mode, however, and then make further changes as necessary.
To open any existing console tool in author mode, right-click the tool's icon, and choose Author. This works for the preconfigured administration tools as well. Simply right-click the related menu item on the Administrative Tools menu, and then choose Author. You will then have full design control over the console, but remember that if you make changes, you probably don't want to overwrite the existing .msc file for the console. So, instead of choosing Save from the File menu after you make changes, choose Save As, and save the console with a different name, location, or both.
Tip
Another way to enter author mode is to use the /A parameter when starting the console tool from the command line or the Run dialog box.
Inside Out: Group Policy settings can control authoring and snap-in availability
Remember that at any time, a user with appropriate permissions can enter author mode by right-clicking the console and selecting Author or by running the console tool from the command line with the /A switch. In author mode, users could change the configuration of the tool. One way to prevent this is to restrict authoring in Group Policy.
You can restrict all authoring by users at the local machine, OU, or domain level by enabling Restrict The User From Entering Author Mode in User ConfigurationAdministrative TemplatesWindows ComponentsMicrosoft Management Console within Group Policy.
You can set specific restricted and permitted snap-ins and extensions as well. One way to do this is first to prohibit the use of all snap-ins by enabling Restrict Users To The Explicitly Permitted List Of Snap-Ins in User ConfigurationAdministrative TemplatesWindows ComponentsMicrosoft Management Console within Group Policy. Then specifically enable the snap-ins and extensions that are permitted. All other snap-ins and extensions would then be prohibited.
Alternatively, you can disable Restrict Users To The Explicitly Permitted List Of Snap-Ins and then explicitly prohibit snap-ins by disabling them. All other snap-ins and extensions would then be permitted.
Be sure to read Chapter 38, before you try to implement Group Policy or make changes to Group Policy Objects. If you get into trouble, such as could happen if you prohibit all snap-ins but neglect to enable snap-ins needed for management, you can reset Group Policy to its default configuration by using the Dcgpofix command-line utility as discussed in the section entitled "Fixing Default Group Policy".
As Figure 11-4 shows, the MMC window consists of two panes: console tree and details. The left pane is the console tree. It provides a hierarchical list of nodes available in the console. At the top of the tree is the console root, which could be specifically labeled Console Root, or, as with the preconfigured tools, it is simply the snap-in name. Generally, snap-ins appear as nodes below the console root. Snap-ins can also have nodes, as is the case with Computer Management. In any case, if there are nodes below the console root, you can expand them by clicking the plus sign to the left of the node label or by double-clicking the node.
The right pane is the details pane, and its contents change depending on the item you've selected in the console tree. When you are working with one of the lowest-level nodes in the console tree, you'll sometimes have two views to choose from: standard or extended view. The difference between the two is that the extended view typically provides quick access links to related, frequently performed tasks and a detailed description of the selected item. These are not displayed in the standard view.
One way to start a console tool is to select it on the Administrative Tools menu or doubleclick its icon on the desktop or in Windows Explorer. You can also start console tools from the Run dialog box and the command prompt. The executable for the MMC is Mmc.exe, and you can run it by typing mmc in the Run dialog box and clicking OK or by entering mmc at the command prompt. Either way, you'll end up with a blank (empty) console that you can use to design your custom administration tool.
To use an existing console, you can specify the console file to open when the MMC runs. This is, in fact, how the preconfigured tools and any other tools that you create are launched. For example, if you right-click Computer Management on the Administrative Tools menu, and then select Properties, you'll see that the target (the command that is run) for the menu item is as follows:
%SystemRoot%System32Compmgmt.msc /s
The first part of the target (%SystemRoot%System32Compmgmt.msc) is the file path to the associated Microsoft Saved Console (.msc) file. The second part of the target (/S) is a command parameter to use when running the MMC. It follows that you can run the MMC by specifying the file path to the .msc file to use and any necessary command parameters as well using the following syntax:
mmc FilePath Parameter(s)where FilePath is the file path to the .msc file to use and Parameter(s) can include any of the following parameters:
/A Enables author mode, which lets you make changes to preconfigured consoles as well as other consoles previously set in user mode.
/S Prevents the console from displaying the splash screen that normally appears when the MMC starts in earlier versions of the Windows operating system. This parameter isn't needed when running on Windows Server 2003.
/32 Starts the 32-bit version of the MMC, which is needed only if you explicitly want to run the 32-bit version of the MMC on a 64-bit Windows system.
/64 Starts the 64-bit version of the MMC, which is available only on 64-bit Windows versions.
Inside Out: Using 32-bit and 64-bit versions of the MMC
The /32 and /64 parameters are meaningful only on 64-bit Windows versions. The 64-bit versions of the Windows operating system can run both 32-bit and 64-bit versions of the MMC. For 32-bit versions of the MMC, you use 32-bit snap-ins. For 64-bit versions of the MMC, you use 64-bit snap-ins. You can't mix and match MMC and snap-in versions, though. The 32-bit version of the MMC can be used only to work with 32-bit snap-ins. Similarly, the 64-bit version of the MMC can be used only to work with 64-bit snap-ins. In most cases, if you aren't sure which version to use, don't use the /32 or /64 parameter. This lets the Windows operating system decide which version to use based on the snap-ins contained in the .msc file you are opening.
Most console tools are found in the %SystemRoot%System32 directory. This puts them in the default search path for executables. Because there is a file type association for .msc files, specified files of this type are opened using Mmc.exe; you can open any of the preconfigured tools stored in %SystemRoot%System32 by specifying the file name followed by the .msc extension. For example, you can start Event Viewer by typing the following:
eventvwr.msc
This works because of the file association that specifies .msc files are executed using Mmc.exe. (You can examine file associations using the ASSOC and FTYPE commands at the command prompt.)
Some console tools aren't in the %SystemRoot%System32 directory, or the search path for that matter. For these tools, you must type the complete file path.
Generally, the preconfigured MMC consoles available on a server depend on the services that are installed. As you install additional services, additional tools for administration are installed, and these tools can be both console tools and standard tools. You don't have to rely on service installation for tool availability, however. You can, in fact, install the complete administrative tool set on any computer, including servers, regardless of the services being used. The only requirement is that the computers are running Windows XP Professional Service Pack 1 or later or Windows Server 2003.
Follow these steps to install the complete administrative tool set:
Log on to the computer using an account with Administrator privileges.
Insert the Windows Server 2003 distribution CD-ROM into the CD-ROM drive.
When the Autorun screen appears, click Perform Additional Tasks, and then click Browse This CD. This starts Windows Explorer.
Double-click I386, and then double-click Adminpak.msi. The complete set of Windows Server 2003 management tools is installed on the computer.
These tools are then available from the Administrative Tools menu and can also be started quickly in the Run dialog box or at the command prompt by typing only their file name (in most cases). At times, you might find it quicker to open consoles from the command line. For example, on a server optimized for handling background services and not programs being run by users, you might find that navigating the menu is too slow. To help you in these instances, Table 11-1 provides a list of the key console tools and their .msc file names.
Table 11-1. Key Console Tools and Their .msc File Names
Tool Name | .msc File Name |
|---|---|
Active Directory Domain and Trusts | domain.msc |
Active Directory Sites and Services | dssite.msc |
Active Directory Users and Computers | dsa.msc |
Authorization Manager | azman.msc |
Certificate Templates | certtmpl.msc |
Certification Authority | certsvr.msc |
Certificate Manager | certmgr.msc |
Component Services | compexp.msc |
Computer Management | compmgmt.msc |
Device Manager | devmgmt.msc |
DHCP Manager | dhcpmgmt.msc |
Disk Defragmenter | dfrg.msc |
Disk Management | diskmgmt.msc |
Distributed File System | dfsgui.msc |
DNS Manager | dnsmgmt.msc |
Domain Controller Security Policy | dcpol.msc |
Domain Security Policy | dompol.msc |
Event Viewer | eventvwr.msc |
Group Policy Editor | gpedit.msc |
Indexing Service | ciadv.msc |
Internet Authentication | Service ias.msc |
Internet Information | Services iis.msc |
Local Security Policy | secpol.msc |
Local Users and Groups | lusrmgr.msc |
Performance | perfmon.msc |
Remote Desktops | tsmmc.msc |
Removable Storage Management | ntmsmgr.msc |
Resultant Set of Policy | rsop.msc |
Routing and Remote Access | rrasmgmt.msc |
Services | services.msc |
Shared Folders | filesvr.msc |
Telephony | tapimgmt.msc |
Terminal | Services tscc.msc |
Windows Management | Instrumentation wmimgmt.msc |
Some snap-ins can be set to work with local or remote systems. If this is the case, you'll see the name of the computer with focus in parentheses after the snap-in name in the console tree. When the snap-in is working with the local computer, you'll see (Local) after the snap-in name. When the snap-in is working with a remote computer, you'll see the remote computer name in parentheses after the snap-in name, such as (CORPSERVER01).
Generally, regardless of which type of snap-in you are using, you can specify the computer to work with it in one of two ways. Within the MMC, you can right-click the snap-in node in the console tree and then select Connect To Another Computer. This displays the Select Computer dialog box, as shown in the following screen:
If you want the snap-in to work with the computer the console is running on, select Local Computer. Otherwise, select Another Computer, and then type the computer name or Internet Protocol (IP) address of the computer you want to use. If you don't know the computer name or IP address, click Browse to search for the computer you want to work with.
Just about any snap-in that can be set to work with local and remote systems can be started from the command line with the focus set on a specific computer. This is a hidden feature that many people don't know about or don't understand. Simply set the focus when you start a console from the command line using the following parameter:
/computer=RemoteComputerwhere RemoteComputer is the name or IP address of the remote computer you want the snapin to work with, such as
eventvwr.msc /computer=corpserver01
The following snap-ins use the /Computer parameter:
Certificates Authority, certsvr.msc
Computer Management, compmgmt.msc
Device Manager, devmgmt.msc
Disk Management, diskmgmt.msc
Event Viewer, eventvwr.msc
Indexing Service, ciadv.msc
Local Users and Groups, lusrmgr.msc
Removable Storage Management, ntmsmgr.msc
Services, services.msc
Windows Management Instrumentation, wmimgmt.msc
Several different hidden options are available with the Active Directory–related snap-ins. For Active Directory Users and Computers, Active Directory Sites and Services, and Active Directory Domains and Trusts, you can use the /Server parameter to open the snap-in and connect to a specified domain controller. For example, if you wanted to start Active Directory Users and Computers and connect to the CORPSVR02 domain controller, you could do this by typing the following:
dsa.msc /server=CorpSvr02
For Active Directory Users and Computers and Active Directory Sites and Services, you can use the /Domain parameter to open the snap-in and connect to a domain controller in the specified domain. For example, if you wanted to start Active Directory Users and Computers and connect to the cpandl.com domain, you could do this by typing the following:
dsa.msc /domain=cpandl.com