I am a huge believer in managing Active Directory from both a centralized and a decentralized mode. I work in an environment where we have a 9 to 1 ratio of Macintosh versus PC based systems. We needed to give specific people specific access to parts of Active Directory so they could essentially fill the role of helpdesk (since this position no longer exists in our department). Without being able to give them an ADUC client (Mac), we needed to come up with another solution. Creating a terminal server with customized MMCs which launch at login according to the user's group is what we were after. The following is the quick and easy setup.

The first piece of this process was to get the terminal server up and running. Once that was done (in short time thanks to our VMware environment) and proper permissions were set up for access to it, I moved on to create the custom MMCs. When I say custom, I mean an MMC that gives the user an interface showing only that section of Active Directory which they need access to in order to complete specific tasks such as disabling accounts, resetting passwords, or viewing the properties of an account. I will not go into details here on how to create customized MMCs, as there is a ton of information out there on the net about it. However, I will say that I simply author an MMC in a new taskpad view, assign only those tasks needed for the individuals, then lock the entire MMC down at completion.

Once the set of MMCs was created for multiple folks at multiple locations, I needed a way to launch only that MMC on the terminal server when they log in. For each location, an assigned user should get only their MMC. Thus, a simple script run at login, called from the local group policy, was the solution. The following is the script syntax; customize it for your situation:

@echo off
REM Launch MMC(s) according to the user's group membership.
REM ifmember (Windows Resource Kit) sets ERRORLEVEL to the number of listed
REM groups the user belongs to, so "if not errorlevel 1" means "not a member":
REM skip to the next check. Members of several groups fall through and get
REM each matching MMC.

ifmember "site1 student admins"
if not errorlevel 1 goto SITE2
start c:\MMCs\SITE1.msc

:SITE2
ifmember "site2 student admins"
if not errorlevel 1 goto SITE3
start c:\MMCs\SITE2.msc

:SITE3
ifmember "site3 student admins"
if not errorlevel 1 goto TechSvcs
start c:\MMCs\SITE3.msc

:TechSvcs
ifmember "technology services staff"
if not errorlevel 1 goto quit
start c:\MMCs\Tech.msc
start c:\MMCs\AdminGuest.msc

:quit


As you can see, you can call multiple MMCs at one time (the tech services section), giving folks further access into Active Directory as needed. The last piece of this is to name this script something like LaunchMMC.bat and add it as a login script (User Configuration) through the local Group Policy editor.
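The batch script above depends on ifmember from the Windows Resource Kit, which is not present on every terminal server. The following is an added PowerShell equivalent that I wrote for this write-up; it is not part of the original post. It reads the group SIDs straight from the user's logon token, so no extra tool is needed, and it keeps the same behaviour as the batch version: a user in several groups gets every matching console. It assumes the consoles live in C:\MMCs (the path used in the post) and that the group names match those in the script above; both are easy to change in the two variables at the top. Two points worth keeping in mind regardless of which script you use: the locked-down taskpad only hides menus, so the actual limit on what these users can do comes from the permissions delegated on the OUs in Active Directory, and the .msc files should sit in a folder the terminal server users cannot write to, since a console file they can edit is a console file they can unlock.

```powershell
# Added example, not from the original post: launch MMC consoles based on the
# groups in the current user's logon token (replaces the ifmember dependency).
# Assumed: consoles are stored in C:\MMCs and the group names below exist in AD.

$ConsoleRoot = 'C:\MMCs'

# Group name -> console file(s). A user in more than one group gets all of them,
# matching the fall-through behaviour of the batch script.
$ConsoleMap = @{
    'site1 student admins'      = @('SITE1.msc')
    'site2 student admins'      = @('SITE2.msc')
    'site3 student admins'      = @('SITE3.msc')
    'technology services staff' = @('Tech.msc', 'AdminGuest.msc')
}

function Get-TokenGroupNames {
    # Resolve every group SID in the logon token to a DOMAIN\Group name.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # SID that no longer resolves (for example a deleted group): ignore it.
        }
    }
}

function Get-ConsolesForUser {
    param([string[]]$GroupNames)
    $consoles = @()
    foreach ($entry in $ConsoleMap.GetEnumerator()) {
        # Compare on the short group name, case-insensitively, without the DOMAIN\ prefix.
        $match = $GroupNames | Where-Object { ($_ -split '\\')[-1] -ieq $entry.Key }
        if ($match) { $consoles += $entry.Value }
    }
    return $consoles | Select-Object -Unique
}

$toLaunch = Get-ConsolesForUser -GroupNames (Get-TokenGroupNames)
if (-not $toLaunch) {
    Write-Warning 'No console assigned to this user; nothing launched.'
}
foreach ($console in $toLaunch) {
    $path = Join-Path $ConsoleRoot $console
    if (Test-Path $path) {
        # Open the saved console in user mode through mmc.exe.
        Start-Process -FilePath 'mmc.exe' -ArgumentList "`"$path`""
    } else {
        Write-Warning "Console not found: $path"
    }
}
```

Save it as LaunchMMC.ps1 on the terminal server and call it from the same User Configuration login script entry in the local Group Policy editor (as a PowerShell script rather than a batch file). Because the mapping is a single table, adding a site means adding one line rather than another ifmember/goto pair.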
