Customizing the Microsoft Management Console 03-2007.doc
Page 1 of 43
Copyright © 2005 Curators of the University of Missouri
Customizing the Microsoft Management Console
There are many reasons that you may want to create a customized Microsoft
Management Console (MMC). We will be looking at some of the reasons and showing
examples of how to create specific consoles to perform tasks. By using custom consoles
we can streamline the repetitive tasks we perform every day. We can also create a
custom MMC to run on desktops as a means of increasing security.
What are the requirements?
Windows XP and higher
Windows Server 2003 Service Pack 1 Administration Tools Pack (Requires
XP/2003)
I will be using Windows XP-SP2 and the Windows 2003 Admin pack for all the
examples and instructions in this document. The items discussed in this document are
pertinent to Windows 2000/2003/XP.
In this document we will look at several ways to customize the console and reasons why
we would do this.
Goal:
Install the Windows Adminpak
Open a MMC console
Add/Remove Snap-In
Customize the Console
Below is a list of the snap-ins that are available by default in Windows XP, and of those
available after installing the adminpak:
Pre-Adminpak                        | Post-Adminpak
.NET Framework 1.1 Configuration    | .NET Framework 1.1 Configuration
ActiveX Control                     | Active Directory Domains and Trusts
Certificates                        | Active Directory Schema
Component Services                  | Active Directory Sites and Services
Computer Management                 | Active Directory Users and Computers
Device Manager                      | ActiveX Control
Disk Defragmenter                   | Authorization Manager
Disk Management                     | Certificate Templates
Event Viewer                        | Certificates
Folder                              | Certification Authority
Group Policy Object Editor          | Component Services
Indexing Service                    | Computer Management
IP Security Monitor                 | Device Manager
IP Security Policy Management       | DHCP
Link to Web Address                 | Disk Defragmenter
Local Users and Groups              | Disk Management
Performance Logs and Alerts         | Distributed File System
Removable Storage Management        | DNS
Resultant Set of Policies           | Event Viewer
Security Configuration and Analysis | Folder
Security Templates                  | Group Policy Management
Services                            | Group Policy Object Editor
Shared Folders                      | Indexing Service
WMI Control                         | IP Security Monitor
                                    | IP Security Policy Management
                                    | Link to Web Address
                                    | Local Users and Groups
                                    | Performance Logs and Alerts
                                    | Print Management
                                    | Remote Desktops
                                    | Remote Storage
                                    | Removable Storage Management
                                    | Resultant Set of Policies
                                    | Security Configuration and Analysis
                                    | Security Templates
                                    | Services
                                    | Shared Folders
                                    | Telephony
                                    | UDDI Services
                                    | WINS
                                    | WMI Control
IIS Snap-in is installed on Windows XP from Add/Remove programs
Exchange tools are located on the Exchange CD
By default, tools such as the Remote Administration snap-in are not available
on workstations and are not listed when you click ‘Add snap-in’ on the File menu. To
gain access to these tools, you must install the adminpak on all systems that require
access to specific services such as Active Directory Users and Computers, DNS, etc.
You do NOT need to load this on systems that are using the MMC as a program launcher.
All 2000/XP systems have the MMC modules loaded for basic system management.
Windows 2003 SP1 Adminpak (Windows XP compatible) download at:
Windows 2000:
The adminpak is on the CD in the i386 directory. Copy this to a network share and
install where necessary.
All examples from this point use Windows XP with the 2003 SP1 adminpak.
Installing the Admin Pack
1. Download the admin pack from the link above
2. Double-click the installer
3. Security Warning Dialog
4. Click RUN
5. Select the location for the temp files
6. Click Ok
7. Create folder (Only comes up if you tell it a folder that does not exist)
8. Click Yes
9. Files are extracted
10. Browse to the location you specified to extract files
11. Double-Click the adminpak.msi file
12. Welcome Dialog – Click next
13. Read EULA – Click “I Agree” (Only if you do!)
14. Click Next
15. Click Finish
You have now installed the Windows 2003 server admin pack. You have the tools
available on your workstation to manage all of the servers!
Remember: If there are updates (such as Windows 2003 SP2) make sure to get the
newest adminpak!
Now that we have some additional tools installed, let's look at server management first.
We can create custom consoles that perform specific tasks or that allow us to consolidate
servers that perform the same role. For instance, we can create a custom console that
includes all of the IIS servers so that we can easily manage multiple systems within the
one console.
Let’s create a simple console that includes multiple servers. We will manage all the DNS
servers within the network.
1. Start / Run
2. MMC
3. Click Ok
4. Click File
5. Add/Remove Snap-in…
6. Click Add
7. Choose the snap-in that you need (DNS)
8. ADD the number of DNS modules for the number of servers that you want to
manage
9. When you have added the snap-ins click Close
10. Add/Remove Snap-in windows will show the snap-ins that have been chosen
11. Click Ok
12. Click on the DNS Snap-in
13. Enter the machine information
14. Click Ok
15. Repeat for the number of DNS servers that are managed
Save the Console
16. Click File / Save as…
17. Enter the name for the Console – All DNS Consoles.msc
18. Click Save
19. Default save location is: Docs and Settings\USERNAME\Start
Menu\Administrative Tools folder
We have now created a simple custom console to manage the DNS servers within the
domain. There is so much more that we can do beyond this simple console. We can
customize the console's appearance and add buttons to simplify tasks, as well as limit
what specific users can do within a console.
I would like to get fancier with this next customized console. Let’s create a console that
allows specific tasks such as Adding, Deleting and managing user accounts.
We will start by opening an empty MMC as we did above.
1. Start / Run
2. MMC
3. Click Ok
4. Click File
5. Add/Remove Snap-in…
6. Click Add
7. Choose the snap-in that you need (Active Directory Users and Computers)
8. Click Ok (after adding the Snap-in)
9. Once the Snap-in is added it should look like this:
We have the snap-in added, so let's start customizing!
10. First, let's expand the console so that we can access the user accounts
11. Click the + beside the domain
12. Click On Users container
In order to customize our view we will need to modify the taskpad view.
13. Click Action
14. Click New Taskpad View…
15. Taskpad View Wizard opens
16. Click Next
17. New Taskpad View Wizard Display
This screen allows us to select the look of our customized console. We can choose
Horizontal, Vertical or no list at all. We can also select if we want to hide the standard
Tab. Choose the style that you would like for the descriptions and the list size.
18. Click Horizontal
19. Click Next
20. Target Taskpad
This view allows us to choose whether we see the entire tree or just the item we had
selected before we started.
21. Click Selected tree item
22. Click Next
23. Name and Description
24. Enter a Name and description for the taskpad
25. Click Next
26. Completing the Taskpad Wizard
27. Click Finish
Notice the checked box for the New Task Wizard. We have created a view; now we need to
create the specific tasks that we want to perform.
28. New Task Wizard opens
29. Click Next
30. We can choose the command type that we want; for this example we will use
Menu Command
31. Click Next
Shortcut Menu: Choose the command that you wish to perform. You can also choose the
source for the commands, either the Details pane or the Tree pane.
We will be removing the Tree pane, so we will choose the Details pane.
32. Choose Reset Password
33. Click next
34. Name and Descriptions
35. Default values are entered on this screen
36. Click Next
37. Choose an Icon for the task, or add a custom Icon
38. Click Next
We have completed the New Task. We can now create additional tasks by checking the
box to run this wizard again, or we can click Finish and close the wizard. We
can always choose to run the wizard again later. I am going to create a few more tasks,
adding a user to a group and deleting a user. The steps are the same for each task, so I will
forgo them. Once done, we will continue with customizing the way the console looks
and acts.
Our goal is to have this console available for staff to use, but we do not want them to be
able to modify any of the settings. We want the tasks that we have allowed to be the only
tasks that can be performed within this console.
NOTE: You will only see the tasks that are created when you select an item that
can have the specific task run.
Example: If you select a group you will not see the Change Password task
since you cannot change the password for a group!
Let’s change the console and remove the tree view, menus and anything else that would
allow a user to modify the taskpad. Our Console should now look like this:
39. Click View
40. Click Customize…
41. Uncheck ALL items on this screen
42. Click Ok
43. Click File
44. Click Options
45. Change to User Mode – limited access, single window
46. Check Do not save changes to this console
47. Uncheck Allow the user to customize views
48. Click Ok
49. Click File / Save as…
50. Save the console User Console.msc
51. Click Save
We have completed creating this custom console, so let's open it up and see exactly what it
will look like for users. You will notice that the menus are now unavailable and the only
tasks that can be performed are the ones that we have defined.
We have now created a custom console that we could use for specific people that are
required to make changes to user accounts without them having the ability to navigate
and change other items within Active Directory Users and Computers.
We can also go much more in-depth in the abilities and tasks that can be performed.
Taking time to look through the different options to see what is available can save much
time in the future when dealing with customized consoles.
We can use the MMC console to do much more than just manage user accounts. We can
create custom taskpad views and tasks for any Snap-in that is available. We can also use
the MMC as a program launcher.
Customizing the MMC as a custom desktop / program launcher
Creating an MMC as a custom program launcher is very simple now that we know the
basics. Let’s go through this and create a launcher that will allow specific programs to be
deployed.
1. Open a new MMC
2. Click Actions
3. New Taskpad view…
4. Wizard Opens, Click Next
5. Choose No List
6. Choose Text for style of task descriptions
7. Click Next
8. Taskpad target: Click Next
9. Name and Description
a. Customized App launcher
b. Used as a custom launcher for specific applications
10. Click Next
11. Complete Taskpad View
12. Ensure Start New Task Wizard is checked
13. Click Finish
14. New Task Wizard: Click next
15. Choose Shell Command
Shell commands allow us to launch applications or scripts that require a shell.
16. Click Next
17. Select the application to launch
18. Click Next
19. Choose a Task name and description
20. Click Next
21. Choose an Icon (I chose the application Icon)
22. Click Next
23. Click Finish
You can now add as many custom applications or scripts as you want for your desktop.
I will go through and add a couple more applications prior to continuing the
customization.
I have added some additional applications to our launcher; it now looks like this:
This is not yet acceptable as a desktop that will only allow these specific applications.
We still need to take away options so that users cannot make changes to the console.
1. Click View
2. Click Customize…
3. Uncheck ALL items on this screen
4. Click Ok
5. Click File
6. Click Options
7. Change to User Mode – limited access, single window
8. Check Do not save changes to this console
9. Uncheck Allow the user to customize views
10. Click Ok
11. Click File / Save as…
12. Save the console User Desktop.msc
You have now created a customized desktop. Using Group policy you can deploy this to
launch when a user logs into a system. In a previous session I created a Total User
lockdown policy that uses a customized desktop in order to prevent users from
performing tasks that are not allowed.
Here is what our finalized MMC looks like:
Using a combination of custom MMCs and Group Policy, we can lock down a user's
ability to do anything on the system other than what we have allowed.
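To confirm that the lockdown policy actually reached a user's session, the following added example (not part of the original document) reads the registry values that hold several of the Appendix A settings and reports any that are not applied. The registry locations are the standard Administrative Template mappings for these policies and are an assumption here, since the document lists only the policy names; the function names are hypothetical.

```powershell
# Added example: audit the current user's policy values for a subset of the
# "Total User Lockdown" settings listed in Appendix A.
# Assumption: the registry locations below are the standard Administrative
# Template mappings; the document itself gives only the policy names.

$PolicyKey   = 'HKCU:\Software\Policies\Microsoft'
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$SystemKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Policy name as shown in the GPO report, where it is stored, and which
# values count as "applied".
$Checks = @(
    @{ Policy = 'Restrict the user from entering author mode'
       Key = "$PolicyKey\MMC"; Name = 'RestrictAuthorMode'; Accept = @(1) }
    # 1 = command prompt and script processing blocked (the report's "Yes");
    # 2 = command prompt blocked but scripts still run, so 2 is not accepted.
    @{ Policy = 'Prevent access to the command prompt'
       Key = "$PolicyKey\Windows\System"; Name = 'DisableCMD'; Accept = @(1) }
    @{ Policy = 'Prevent access to registry editing tools'
       Key = $SystemKey; Name = 'DisableRegistryTools'; Accept = @(1, 2) }
    @{ Policy = 'Prohibit access to the Control Panel'
       Key = $ExplorerKey; Name = 'NoControlPanel'; Accept = @(1) }
    @{ Policy = 'Remove Run menu from Start Menu'
       Key = $ExplorerKey; Name = 'NoRun'; Accept = @(1) }
    @{ Policy = "Don't run specified Windows applications"
       Key = $ExplorerKey; Name = 'DisallowRun'; Accept = @(1) }
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # A missing key or a missing value both mean the policy was never applied.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-LockdownPolicy {
    # Emits one object per policy so the result can be filtered or exported.
    foreach ($check in $Checks) {
        $value = Get-PolicyValue -Key $check.Key -Name $check.Name
        [pscustomobject]@{
            Policy  = $check.Policy
            Value   = if ($null -eq $value) { '(not set)' } else { $value }
            Applied = $check.Accept -contains $value
        }
    }
}

function Get-DisallowedApplication {
    # The list of blocked executables lives in a subkey of the Explorer policy key.
    $listKey = "$ExplorerKey\DisallowRun"
    if (-not (Test-Path $listKey)) { return @() }
    $key = Get-Item -Path $listKey
    $key.GetValueNames() | ForEach-Object { $key.GetValue($_) }
}

$results = @(Test-LockdownPolicy)
$results | Format-Table -AutoSize

$missing = @($results | Where-Object { -not $_.Applied })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} lockdown setting(s) not applied for {1}" -f $missing.Count, $env:USERNAME)
}

'Disallowed applications: ' + ((Get-DisallowedApplication) -join ', ')
```

These are per-user (HKCU) values, so the check has to run in the restricted user's own logon session, for example from a logon script.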
LINKS:
Step-by-Step Guide to the Microsoft Management Console
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/mmcsteps.mspx
How to Create Custom MMC Snap-in Tools Using Microsoft Management Console
http://support.microsoft.com/kb/230263
MMC How To…
MMC Best Practices
Troubleshooting MMC
Appendix A
The policy below was created to give you an idea of the settings that you can use to
completely lock down a user, preventing the user from accessing specific system utilities
or configurations.
Total User Lockdown
Data collected on: 3/16/2006 8:08:41 AM

General

Details
Domain: testDC.more.net
Owner: TESTDC\Domain Admins
Created: 3/7/2006 8:25:32 AM
Modified: 3/16/2006 8:07:58 AM
User Revisions: 175 (AD), 175 (sysvol)
Computer Revisions: 0 (AD), 0 (sysvol)
Unique ID: {1F9C4F89-AD0F-4016-8F82-F2749D4D5C0C}
GPO Status: Computer settings disabled

Links
Location | Enforced | Link Status | Path
Test     | No       | Enabled     | testDC.more.net/Test
This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name: None
Description: Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name                                       | Allowed Permissions                    | Inherited
NT AUTHORITY\Authenticated Users           | Read (from Security Filtering)         | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read                                   | No
NT AUTHORITY\SYSTEM                        | Edit settings, delete, modify security | No
TESTDC\Domain Admins                       | Edit settings, delete, modify security | No
TESTDC\Enterprise Admins                   | Edit settings, delete, modify security | No

Computer Configuration (Disabled)
No settings defined.

User Configuration (Enabled)
Windows Settings
Scripts
Logon
Name
Parameters
Desktop.msc
Home.bat
installdefaultprinter.Vbs
Internet Explorer Maintenance
Browser User Interface/Customized Title Bar
Title Bar Text
Jim & Steve
Administrative Templates
Control Panel
Policy
Setting
Prohibit access to the Control Panel
Enabled
Control Panel/Printers
Policy
Setting
Browse a common web site to find printers
Disabled
Browse the network to find printers
Disabled
Default Active Directory path when searching for printers
Disabled
Enabled
Enabled
Desktop
Policy
Setting
Do not add shares of recently opened documents to My
Enabled
Enabled
Hide Internet Explorer icon on desktop
Enabled
Hide My Network Places icon on desktop
Enabled
Prevent adding, dragging, dropping and closing the
Enabled
Prohibit adjusting desktop toolbars
Enabled
Remove My Computer icon on the desktop
Enabled
Remove My Documents icon on the desktop
Enabled
Remove Properties from the My Computer context menu
Enabled
Remove Properties from the My Documents context menu
Enabled
Remove Properties from the Recycle Bin context menu
Enabled
Remove the Desktop Cleanup Wizard
Enabled
Desktop/Active Desktop
Policy
Setting
Enabled
Disallows HTML and Jpg Wallpaper
Policy
Setting
Enabled
Enabled
Network/Network Connections
Policy
Setting
Ability to rename LAN connections or remote access
connections available to all users
Disabled
Prohibit access to properties of a LAN connection
Enabled
Prohibit access to properties of components of a LAN
Enabled
Prohibit access to properties of components of a remote
Enabled
Prohibit access to the Advanced Settings item on the
Enabled
Prohibit adding and removing components for a LAN or
Enabled
Prohibit deletion of remote access connections
Enabled
Prohibit TCP/IP advanced configuration
Enabled
Network/Offline Files
Policy
Setting
Prohibit user configuration of Offline Files
Enabled
Prevents users from changing any cache configuration settings.
Policy
Setting
Enabled
Shared Folders
Policy
Setting
Allow DFS roots to be published
Disabled
Allow shared folders to be published
Disabled
Start Menu and Taskbar
Policy
Setting
Enabled
Clear history of recently opened documents on exit
Enabled
Do not display any custom toolbars in the taskbar
Enabled
Do not keep history of recently opened documents
Enabled
Do not use the search-based method when resolving shell
Enabled
Gray unavailable Windows Installer programs Start Menu
Enabled
Enabled
Prevent changes to Taskbar and Start Menu Settings
Enabled
Prevent grouping of taskbar items
Enabled
Remove access to the context menus for the taskbar
Enabled
Remove All Programs list from the Start menu
Enabled
Remove and prevent access to the Shut Down command
Enabled
Remove Balloon Tips on Start Menu items
Enabled
Remove common program groups from Start Menu
Enabled
Remove Documents menu from Start Menu
Enabled
Remove Drag-and-drop context menus on the Start Menu
Enabled
Remove Favorites menu from Start Menu
Enabled
Remove frequent programs list from the Start Menu
Enabled
Remove Help menu from Start Menu
Enabled
Remove links and access to Windows Update
Enabled
Remove My Documents icon from Start Menu
Enabled
Remove My Music icon from Start Menu
Enabled
Remove My Network Places icon from Start Menu
Enabled
Remove My Pictures icon from Start Menu
Enabled
Remove Network Connections from Start Menu
Enabled
Remove pinned programs list from the Start Menu
Enabled
Remove programs on Settings menu
Enabled
Remove Run menu from Start Menu
Enabled
Remove Search menu from Start Menu
Enabled
Remove Set Program Access and Defaults from Start menu
Enabled
Remove user name from Start Menu
Enabled
Remove user's folders from the Start Menu
Enabled
Turn off notification area cleanup
Enabled
Enabled
System
Policy
Setting
Don't display the Getting Started welcome screen at logon
Enabled
Don't run specified Windows applications
Enabled
List of disallowed applications
sol.exe
Policy
Setting
Prevent access to registry editing tools
Enabled
Disable regedit from running silently?
Yes
Policy
Setting
Prevent access to the command prompt
Enabled
Disable the command prompt script processing also?
Yes
Policy
Setting
Enabled
Turn off Autoplay on:
All drives
Policy
Setting
Turn off Windows Update device driver search prompt
Enabled
System/Ctrl+Alt+Del Options
Policy
Setting
Enabled
System/Group Policy
Policy
Setting
Group Policy refresh interval for users
Enabled
This setting allows you to customize how often Group Policy is applied
to users. The range is 0 to 64800 minutes (45 days).
Minutes:
15
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes:
30
Policy
Setting
Group Policy slow link detection
Enabled
Connection speed (Kbps):
50
Enter 0 to disable slow link detection.
System/Internet Communication Management
Policy
Setting
Restrict Internet communication
Enabled
System/Internet Communication Management/Internet Communication settings
Policy
Setting
Turn off downloading of print drivers over HTTP
Enabled
Turn off Internet download for Web publishing and online
Enabled
Turn off Internet File Association service
Enabled
Enabled
Turn off the "Order Prints" picture task
Enabled
Turn off the "Publish to Web" task for files and folders
Enabled
Turn off the Windows Messenger Customer Experience
Enabled
Turn off Windows Movie Maker automatic codec downloads
Enabled
Turn off Windows Movie Maker online Web links
Enabled
Turn off Windows Movie Maker saving to online video
Enabled
System/Logon
Policy
Setting
Do not process the legacy run list
Enabled
Do not process the run once list
Enabled
System/Power Management
Policy
Setting
Prompt for password on resume from hibernate / suspend
Enabled
Windows Components/Application Compatibility
Policy
Setting
Prevent access to 16-bit applications
Enabled
Windows Components/Internet Explorer
Policy
Setting
Disable changing Advanced page settings
Enabled
Disable changing proxy settings
Enabled
Do not allow users to enable or disable add-ons
Enabled
Identity Manager: Prevent users from using Identities
Enabled
Search: Disable Find Files via F3 within the browser
Disabled
Enabled
Windows Components/Internet Explorer/Internet Control Panel
Policy
Setting
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Windows Components/Microsoft Management Console
Policy
Setting
Restrict the user from entering author mode
Enabled
Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins
Policy
Setting
Enabled
Active Directory Domains and Trusts
Disabled
Active Directory Sites and Services
Disabled
Active Directory Users and Computers
Disabled
Disabled
Enabled
Enabled
Internet Authentication Service (IAS)
Enabled
Windows Components/Microsoft Management Console/Restricted/Permitted snap-ins/Group Policy
Policy
Setting
Disabled
Disabled
Group Policy tab for Active Directory Tools
Disabled
Windows Components/Task Scheduler
Policy
Setting
Enabled
Windows Components/Terminal Services/Client
Policy
Setting
Do not allow passwords to be saved
Enabled
Windows Components/Windows Explorer
Policy
Setting
Allow only per user or approved shell extensions
Enabled
Do not request alternate credentials
Enabled
Hide these specified drives in My Computer
Enabled
Pick one of the following combinations
Restrict A, B, C and D drives only
Policy
Setting
No "Computers Near Me" in My Network Places
Enabled
No "Entire Network" in My Network Places
Enabled
Prevent access to drives from My Computer
Enabled
Pick one of the following combinations
Restrict A, B, C and D drives only
Policy
Setting
Remove "Map Network Drive" and "Disconnect Network
Enabled
Enabled
Enabled
Remove Search button from Windows Explorer
Enabled
Enabled
Remove Shared Documents from My Computer
Enabled
Remove Windows Explorer's default context menu
Enabled
Removes the Folder Options menu item from the Tools
Enabled
Request credentials for network installations
Enabled
Turn off caching of thumbnail pictures
Enabled
Enabled
Windows Components/Windows Explorer/Common Open File Dialog
Policy
Setting
Hide the common dialog back button
Enabled
Hide the common dialog places bar
Enabled
Hide the dropdown list of recent files
Enabled
Windows Components/Windows Installer
Policy
Setting
Always install with elevated privileges
Disabled
Windows Components/Windows Media Player
Policy
Setting
Prevent CD and DVD Media Information Retrieval
Enabled
Prevent Music File Media Information Retrieval
Enabled
Prevent Radio Station Preset Retrieval
Enabled
Windows Components/Windows Media Player/Networking
Policy
Setting
Enabled
Windows Components/Windows Media Player/Playback
Policy
Setting
Enabled
Windows Components/Windows Media Player/User Interface
Policy
Setting
Enabled
Enabled
Enabled
Windows Components/Windows Messenger
Policy
Setting
Do not allow Windows Messenger to be run
Enabled
Do not automatically start Windows Messenger initially
Enabled
Windows Components/Windows Movie Maker
Policy
Setting
Do not allow Windows Movie Maker to run
Enabled
Windows Components/Windows Update
Policy
Setting
Do not adjust default option to 'Install Updates and Shut
Down' in Shut Down Windows dialog box
Enabled
Do not display 'Install Updates and Shut Down' option in
Enabled
Remove access to use all Windows Update features
Enabled
Total Computer Lockdown
Data collected on: 3/8/2006 1:57:32 PM

General

Details
Domain: testDC.more.net
Owner: TESTDC\Domain Admins
Created: 3/8/2006 10:59:30 AM
Modified: 3/8/2006 11:33:48 AM
User Revisions: 0 (AD), 0 (sysvol)
Computer Revisions: 27 (AD), 27 (sysvol)
Unique ID: {083CEB2E-38B8-4FFA-A313-B49926B49911}
GPO Status: User settings disabled

Links
Location | Enforced | Link Status | Path
Test CP  | No       | Enabled     | testDC.more.net/Test CP
This list only includes links in the domain of the GPO.

Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users

WMI Filtering
WMI Filter Name: None
Description: Not applicable

Delegation
These groups and users have the specified permission for this GPO
Name                                       | Allowed Permissions                    | Inherited
NT AUTHORITY\Authenticated Users           | Read (from Security Filtering)         | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read                                   | No
NT AUTHORITY\SYSTEM                        | Edit settings, delete, modify security | No
TESTDC\Domain Admins                       | Edit settings, delete, modify security | No
TESTDC\Enterprise Admins                   | Edit settings, delete, modify security | No

Computer Configuration (Enabled)
Windows Settings
Security Settings
Public Key Policies/Autoenrollment Settings
Policy
Setting
Enroll certificates automatically
Enabled
Renew expired certificates, update pending certificates,
and remove revoked certificates
Disabled
Update certificates that use certificate templates
Disabled
Public Key Policies/Encrypting File System
Properties
Policy
Setting
Allow users to encrypt files using Encrypting File System
(EFS)
Enabled
Public Key Policies/Trusted Root Certification Authorities
Properties
Policy
Setting
Allow users to select new root certification authorities
(CAs) to trust
Enabled
Client computers can trust the following certificate stores
Third-Party Root Certification Authorities and Enterprise
Root Certification Authorities
To perform certificate-based authentication of users and
computers, CAs must meet the following criteria
Registered in Active Directory only
Administrative Templates
Network/Microsoft Peer-to-Peer Networking Services
Policy
Setting
Turn off Microsoft Peer-to-Peer Networking Services
Enabled
System/Group Policy
Policy
Setting
Group Policy refresh interval for computers
Enabled
This setting allows you to customize how often Group Policy is applied
to computers. The range is 0 to 64800 minutes (45 days).
Minutes:
15
This is a random time added to the refresh interval to prevent
all clients from requesting Group Policy at the same time.
The range is 0 to 1440 minutes (24 hours)
Minutes:
30
Windows Components/Application Compatibility
Policy
Setting
Prevent access to 16-bit applications
Enabled
Windows Components/Internet Explorer
Policy
Setting
Disable Automatic Install of Internet Explorer components
Enabled
Disable Periodic Check for Internet Explorer software
Enabled
Do not allow users to enable or disable add-ons
Enabled
Security Zones: Do not allow users to add/delete sites
Enabled
Security Zones: Do not allow users to change policies
Enabled
Enabled
Windows Components/Internet Explorer/Internet Control Panel
Policy
Setting
Enabled
Enabled
Enabled
Enabled
Windows Components/Internet Information Services
Policy
Setting
Enabled
Windows Components/NetMeeting
Policy
Setting
Disable remote Desktop Sharing
Enabled
Windows Components/Security Center
Policy
Setting
Turn on Security Center (Domain PCs only)
Enabled
Windows Components/Windows Installer
Policy
Setting
Prohibit non-administrators from applying vendor signed
Enabled
Enabled
Enabled
User Install Behavior:
Hide User Installs
Windows Components/Windows Media Player
Policy
Setting
Do Not Show First Use Dialog Boxes
Enabled
Enabled
Prevent Desktop Shortcut Creation
Enabled
Prevent Quick Launch Toolbar Shortcut Creation
Enabled
Windows Components/Windows Messenger
Policy
Setting
Do not allow Windows Messenger to be run
Enabled
Do not automatically start Windows Messenger initially
Enabled
User Configuration (Disabled)
No settings defined.