Aug 1, 2017

Administrative Console

The topic of this post is the "Administrative Console", and to get there I'm going to make a detour via administrative privileges. Please fasten your seatbelts...

Let's start from the basics. You are, yes, a Domain Admin. The King. You have three (3) separate accounts for the tasks you need to do:
  • Your Domain Admin (DA) account - used only to log on to Domain Controllers. And yes, it's not the "Administrator" account of the domain, and you should never have to use either of those.
  • Your administrative account (AA) for your daily administrative tasks. Not a DA.
  • Your Joe Average (JA) account. This is the account you log on to your laptop with. By no means is it an administrative account, and you are not even a local administrator on your own laptop.
Deep inside you, you know that this is good. "But it's hard" they say. Yes, you have to remember three different accounts and their passwords and use the correct account where it's needed. Not so hard, I say.

First you remove all domain and local administrative privileges from your JA account. Log off and log on. Hey, your laptop still works, wow! You can surf the web, read emails and things like that. How cool is that! (Yes, I know about PAWs but we're not going there, for now...)
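A quick way to confirm that the JA logon really carries no administrative rights, as an added example that is not part of the original post: run it in a PowerShell session as the JA account after logging back on. The function name is hypothetical, the SIDs and RIDs are the Windows well-known values, and the sample rows are constructed.

```powershell
# Added example: list privileged groups present in the current logon token.
function Get-PrivilegedTokenGroup {
    param(
        # Rows in the format produced by 'whoami /groups /fo csv /nh'
        [string[]]$WhoamiCsv = (whoami /groups /fo csv /nh)
    )
    # Well-known SIDs / domain RIDs that must not appear for a daily-use account
    $privileged = @{
        '^S-1-5-32-544$'         = 'BUILTIN\Administrators (local admin)'
        '^S-1-5-21-.+-512$'      = 'Domain Admins'
        '^S-1-5-21-.+-518$'      = 'Schema Admins'
        '^S-1-5-21-.+-519$'      = 'Enterprise Admins'
        '^S-1-16-(12288|16384)$' = 'High/System integrity (session already elevated)'
    }
    # /nh drops the localized header row, so the column names are set here
    $rows = $WhoamiCsv | ConvertFrom-Csv -Header Name, Type, Sid, Attributes
    foreach ($row in $rows) {
        foreach ($pattern in $privileged.Keys) {
            if ($row.Sid -match $pattern) {
                [pscustomobject]@{
                    Group      = $row.Name
                    Sid        = $row.Sid
                    Meaning    = $privileged[$pattern]
                    # A deny-only entry still counts: the account is a member
                    # and UAC would elevate it without asking for other credentials
                    Attributes = $row.Attributes
                }
            }
        }
    }
}

# Constructed sample rows: a UAC-filtered token of an account that is still a local admin
$sample = @(
    '"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"'
    '"BUILTIN\Administrators","Alias","S-1-5-32-544","Group used for deny only"'
    '"Mandatory Label\Medium Mandatory Level","Label","S-1-16-8192",""'
)
$demo = @(Get-PrivilegedTokenGroup -WhoamiCsv $sample)
"Sample token: $($demo.Count) privileged entry(ies)"

# Live check of the session this script runs in
$live = @(Get-PrivilegedTokenGroup)
if ($live.Count) { $live } else { 'Current token carries no administrative groups.' }
```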

After logging on with your JA account you need to do some work. Change the password of a user, open the SCCM console, you name it. For this you open ADUC, PowerShell or whatever and try to accomplish that task. Ka-Boom!!! Access is denied! Oh, crap!

'Run As' to the rescue! Now you realize that you have to open each and every administrative program with elevated rights. Oh, man, do I really have to type in my AA account and its password each and every time I do something? No, you don't, and that's the point of this blog post.

You create an Administrative Console for your daily admin tasks.

Start off by launching cmd > mmc.exe and you get an empty Management Console.

Empty Management Console








Go to File > Add/Remove Snap-In... and add all the MMC snap-ins you need: ADUC, DNS, DHCP, DFS, Certificate Authority, GPMC, you name it. If the snap-in prompts for a computer to connect to, you can just select the local computer for now and change it later. (You are running as the JA account so you cannot connect to DNS, for example; at least you shouldn't be able to. That's why you'll fix this later with proper privileges.)

"Yes, thanks but I know all this MMC console stuff already. But how am I going to launch CMD, PowerShell, Visual Studio Code or any of the programs that are not MMC consoles?" they ask.

You do that by adding a Taskpad to your admin console. First I suggest that you create a folder at the root of your console: just add "Folder" from the snap-ins and move it to the top.


Add Folder to the console









Rename the folder by right-clicking on it and give it a nice name like "Admin Tasks".

Now right-click on the Admin Tasks folder and select New Taskpad View...

Add New Taskpad View










Select the view type of the taskpad, I like to use large icons but you can try and see which is best for your eyes.

The Taskpad is where the magic happens. To the Taskpad you can add shortcuts to any program you wish to launch from the Admin Console, and it will start the program with the same privileges you opened the console with. If you open the console with your AA account, all programs launched from the Taskpad will use those privileges. How nice and easy is that?

Let's add one program to the Taskpad, so you'll get the hang of it. Once you've created the Taskpad, right-click the Admin Tasks folder once more, select Edit Taskpad... > Tasks > New... > Shell command and give the path to the program you wish to launch.

New Taskpad command















I'm using cmd.exe here as an example. Give it a name like "Command Prompt" and select a custom icon, the .exe itself, and you're done here!

To get the Pro look you can add a custom icon and a nice name for the MMC console you've just created: go to File > Options and then Save As... Check the Console mode options; for example, if you are delivering this console to Helpdesk you might want to prevent users from modifying it.

Save your console with a nice icon










"Aaargh, I open the console but it still gives me 'Access Denied' everywhere! Why, oh why?!?"

Because you have to open the console with your AA account, "Run As...". To make sure it always opens with elevated privileges, you create a shortcut from the .msc file, then right-click on the shortcut > Properties > Advanced > "Run as administrator".

Run as administrator, always!


As you are not an administrator on your own computer, you will get the UAC prompt when launching the console. When I start my day, I open my laptop and this console, give it my admin credentials once and then just do my daily admin tasks.
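The shortcut step can also be scripted, for example when handing the console to Helpdesk. This is an added example, not part of the original post: both paths are assumptions, and unlike the post it points the shortcut at mmc.exe with the .msc file as its argument. The "Run as administrator" checkbox corresponds to the RunAsUser bit (0x2000) in the LinkFlags field of the .lnk header, which is bit 0x20 of the byte at offset 0x15.

```powershell
# Added example: create the console shortcut and set "Run as administrator".
# Both paths are assumptions; adjust them to where you saved the console.
$console  = Join-Path $env:USERPROFILE 'Documents\AdminConsole.msc'
$shortcut = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Admin Console.lnk'

if (-not (Test-Path -LiteralPath $console)) {
    throw "Console file not found: $console"
}

# Build the shortcut through the WScript.Shell COM object
$shell = New-Object -ComObject WScript.Shell
$link  = $shell.CreateShortcut($shortcut)
$link.TargetPath       = Join-Path $env:SystemRoot 'System32\mmc.exe'
$link.Arguments        = '"{0}"' -f $console
$link.WorkingDirectory = Split-Path -Path $console
$link.Description      = 'Administrative Console (open with the AA account)'
$link.Save()

# The COM object has no property for the elevation checkbox, so set the
# RunAsUser bit directly in the saved file: LinkFlags starts at offset 0x14,
# and 0x2000 in that little-endian field is bit 0x20 of byte 0x15.
$bytes = [System.IO.File]::ReadAllBytes($shortcut)
$bytes[0x15] = $bytes[0x15] -bor 0x20
[System.IO.File]::WriteAllBytes($shortcut, $bytes)

# Read the file back and confirm the flag is set
$check = [System.IO.File]::ReadAllBytes($shortcut)
if (($check[0x15] -band 0x20) -eq 0) {
    throw "RunAsUser flag was not written to $shortcut"
}
"Shortcut created with 'Run as administrator' set: $shortcut"
```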

So there you go, now you have an administrative console that launches each and every mmc console and all your selected programs with elevated privileges. How cool is that?

If you find this blog useful, please ping me and send me your comments on Twitter, @arisaastamoinen

Cheers,

-Ari

















