MMC - 1st line console, .MSC (AD / Win Server 2003)

  • MMC - 1st line console, .MSC (AD / Win Server 2003)

    Please can someone assist.

    I have created a new .MSC for my 1st line team to use for:

    - reset password
    - disable account
    - enable account
    - add user to a group

    and have followed the guidelines on both this site and on the Microsoft site.

    However, I need some help with two things, namely:

    1 - how can I remove the right click menu from being used - currently it's all locked down, but you can still right click on a user to bring up the full range of options, i.e. right click, Properties.

    2 - how can I add an option to 'unlock' an account as this does not appear to be an option I can add.

    Many thanks in advance,

    James.

  • #2
    Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

    1) Right-click cannot be disabled in Win2003 MMC, or if it can, I haven't found a way yet. It was possible in W2K, but not in Win2003.

    2) You don't have a built-in Unlock feature, but you can add a custom script that can do that.
    Cheers,

    Daniel Petri
    Microsoft Most Valuable Professional - Active Directory Directory Services
    MCSA/E, MCTS, MCITP, MCT


    • #3
      Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

      Originally posted by danielp
      1) Right-click cannot be disabled in Win2003 MMC, or if it can, I haven't found a way yet. It was possible in W2K, but not in Win2003.

      2) You don't have a built-in Unlock feature, but you can add a custom script that can do that.
      Re: 1) - is it possible to use GPO (?) to stop any actions from the right-click menu from having effect? in essence, the right-click menu still pops up, but could we use some sort of permissioning/rights to stop the 1st liner from doing something to the user account that we don't want.

      Re: 2) - please could you direct me to any relevant examples

      Much appreciated!

      James.


      • #4
        Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

        1) You shouldn't rely on the UI to prevent the user from doing things he's not supposed to do. You make sure he cannot do anything by only giving him the right permissions (i.e. delegations) to the specified OU and objects.

        2) Here you go:

        Code:
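        ' Invoked from the DSA.MSC context menu; the first argument is the
        ' ADsPath of the selected user.
        Set wshArguments = WScript.Arguments
        Set objUser = GetObject(wshArguments(0))

        ' Setting lockoutTime to 0 clears the lockout.
        objUser.Put "lockoutTime", "0"

        ' Write the change back to the directory.
        objUser.SetInfo

        MsgBox "The user has been unlocked - " & objUser.sAMAccountName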
        a) Save file as unlock_user.vbs.

        b) Place unlock_user.vbs in NETLOGON share on one of the DCs.

        c) Open ADSIEDIT.MSC (Win2003 Support Tools) and navigate to the following path:

        Code:
        CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=domainname,DC=com
        (or whatever your domain name is)

        d) In the String Editor window of the adminContextMenu attribute, add the following line:

        Code:
        4,Unlock User,\\servername\netlogon\unlock_user.vbs
        (if #4 is taken, use 5 or 6 or whatever)

        e) Close ADSIEDIT.

        f) Re-open DSA.MSC.

        g) Right-click a locked-out user and see that it now has a new context menu option.

        Note: You need to be Enterprise Admin to perform this trick.

        h) Say thank you.
        Cheers,

        Daniel Petri
        Microsoft Most Valuable Professional - Active Directory Directory Services
        MCSA/E, MCTS, MCITP, MCT


        • #5
          Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

          thank you.

          James.


          • #6
            Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

            Hi, this looks like a useful extension, but can I ask a few questions?

            1) In step d) above you add the following to the adminContextMenu attribute "4,Unlock User,\\servername\netlogon\unlock_user.vbs" - can I specify the %logonserver% environment variable to run the script from whichever Domain Controller authenticated the user?

            2) In your article on this tip (http://www.petri.com/add_unlock_user_option_to_dsa.htm), the text you add to the adminContextMenu attribute is "4,&Unlock User,\\zeus\netlogon\unlock_user.vbs" - is the '&' character important?

            3) Will this tip work for Active Directory Users & Computers installed on a Windows XP Workstation?

            Many thanks, Doc.

            05/07/2006 ETA: Corrected URL
            Last edited by Doc Dish; 5th July 2006, 08:55.


            • #7
              Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

              I've partially answered my own questions!

              Originally posted by Doc Dish
              1) In step d) above you add the following to the adminContextMenu attribute "4,Unlock User,\\servername\netlogon\unlock_user.vbs" - can I specify the %logonserver% environment variable to run the script from whichever Domain Controller authenticated the user?
              I tried changing the command line to "4,Unlock User,%LOGONSERVER%\netlogon\unlock_user.vbs" but the script did not run.

              Originally posted by Doc Dish
              2) In your article on this tip (http://www.petri.com/add_unlock_user_option_to_dsa.htm), the text you add to the adminContextMenu attribute is "4,&Unlock User,\\zeus\netlogon\unlock_user.vbs" - is the '&' character important?
              The '&' character only appears to be displayed in the Status Bar text

              Originally posted by Doc Dish
              3) Will this tip work for Active Directory Users & Computers installed on a Windows XP Workstation?
              Yes it does.

              If anyone has any ideas about how to use the script on the authenticating DC, I'd be glad to hear them.


              • #8
                Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

                Originally posted by Doc Dish
                I tried changing the command line to "4,Unlock User,%LOGONSERVER%\netlogon\unlock_user.vbs" but the script did not run.
                Try adding:

                Code:
                4,&Unlock User,\\<domain FQDN>\netlogon\unlock_user.vbs
                btw, the "&" enables the use of shortcuts. i.e. when in the context menu you can hit "U" and the option will be selected. The letter following the "&" sign is used as shortcut. You can place the "&" anywhere in the string representing the action's description.
                Guy Teverovsky
                "Smith & Wesson - the original point and click interface"


                • #9
                  Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

                  Originally posted by guyt
                  Try adding:

                  Code:
                  4,&Unlock User,\\<domain FQDN>\netlogon\unlock_user.vbs
                  Thanks, that seems to work, but now I get an "Unknown Publisher" error when I run/edit the VBS file (see attachment). I've tried cutting and pasting the code into a new file, but no joy.

                  Originally posted by guyt
                  btw, the "&" enables the use of shortcuts. i.e. when in the context menu you can hit "U" and the option will be selected. The letter following the "&" sign is used as shortcut. You can place the "&" anywhere in the string representing the action's description.
                  Ah! I see.

                  Many thanks for your help
                  Doc.


                  • #10
                    Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

                    Try adding the UNC path to trusted zones in IE.
                    Guy Teverovsky
                    "Smith & Wesson - the original point and click interface"


                    • #11
                      Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

                      Originally posted by guyt
                      Try adding the UNC path to trusted zones in IE.
                      Spot on, thank-you!

                      I put the domain name into the Local Intranet zone, which stopped the prompt, however the 'Include all network paths (UNCs)' was already ticked for that zone. I changed the command line to
                      Code:
                      4,&Unlock User,\\<Domain Pre-Windows 2000 name>\netlogon\unlock_user.vbs
                      and did not have to edit the Local Intranet zone.

                      I am tempted to 'complicate' the script by having it check to see if the target user is already locked before trying to unlock them. However I'm a) busy with my shiny new Active Directory and b) rubbish at VBscript. If I come up with anything I'll post it for the general merriment of this board!

                      Many thanks (again) for all your help
                      Doc.
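
The adminContextMenu values tried across this thread share one format: `order,menu text,command`. The Python sketch below is an added example, not code from any poster; it parses such values and flags what the thread ran into (a reused order number, `%LOGONSERVER%`, the Unknown Publisher prompt with an FQDN path). The "pinned to one server" and "outside NETLOGON/SYSVOL" checks, and the placeholder domain names `corp.example.com` and `CORP`, are assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class MenuEntry:
    order: int
    label: str = ""         # menu text with the '&' marker removed
    accelerator: str = ""   # letter after '&' (keyboard shortcut)
    command: str = ""       # script path, or "{CLSID}" for a COM extension
    findings: list = field(default_factory=list)

def parse_entry(value):
    """Split one value: 'order,label,command' or 'order,{CLSID}'."""
    order, _, rest = value.partition(",")
    entry = MenuEntry(order=int(order))
    if rest.startswith("{"):
        entry.command = rest
        return entry
    label, _, entry.command = rest.partition(",")
    entry.accelerator = label.partition("&")[2][:1].upper()
    entry.label = label.replace("&", "", 1)
    return entry

def audit(values, domain_names):
    """domain_names: the domain's FQDN and pre-Windows 2000 name, lower case."""
    entries, used = [], set()
    for value in values:
        e = parse_entry(value)
        if e.order in used:
            e.findings.append("order number already taken")
        used.add(e.order)
        if "%" in e.command:
            e.findings.append("environment variable in path (did not run in the thread)")
        elif e.command.startswith("\\\\"):
            host, _, share_path = e.command[2:].partition("\\")
            if host.lower() not in domain_names:
                e.findings.append("pinned to one server: " + host)
            elif "." in host:
                e.findings.append("FQDN host: expect the Unknown Publisher prompt")
            if share_path.split("\\")[0].lower() not in ("netlogon", "sysvol"):
                e.findings.append("script outside NETLOGON/SYSVOL: review write access")
        entries.append(e)
    return entries

SAMPLE = [  # constructed values, modelled on the variants tried in this thread
    r"4,Unlock User,\\servername\netlogon\unlock_user.vbs",
    r"4,Unlock User,%LOGONSERVER%\netlogon\unlock_user.vbs",
    r"5,&Unlock User,\\corp.example.com\netlogon\unlock_user.vbs",
    r"6,&Unlock User,\\CORP\netlogon\unlock_user.vbs",
]
```

Call `audit(SAMPLE, {"corp.example.com", "corp"})` and read each entry's `findings`. The menu command runs with the rights of whoever clicks it, so the share that hosts the script should be writable by administrators only.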


                      • #12
                        Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

                        Is there any way to create a fly-out menu here? I've added a couple of entries to the context menu, and our context menu is getting a bit long. I would like to consolidate them under one fly-out menu if possible.



                        Happiness is like peeing your pants. Everyone can see it, but only you can feel its warmth.
                        -Koen


                        • #13
                          Re: MMC - 1st line console, .MSC (AD / Win Server 2003)

                          Happiness here is everyone posting their question in a new thread and not hijacking someone else's. Thank you.
                          1 1 was a racehorse.
                          2 2 was 1 2.
                          1 1 1 1 race 1 day,
                          2 2 1 1 2
