I need the ability to restrict a Help desk operator from gaining access to\nsome MMC snap-ins, but allow access to other "allowed" snap-ins.\n\nIn the group policy User Configuration\Administrative Components\Microsoft\nManagement Console I've set the Policy "Restrict users to the explicitly\npermitted list of snap-ins" to "enabled". Now the operator can't access the\nSMS snap-in.\n\nWe are running the current version of SMS and are in a 2003 AD domain (not\nmixed mode). I've checked for an SMS entry in the "Restricted/Permitted\nsnap-ins" and the "Extension snap-ins" - I don't see it. We have considered\nthe alternative of enabling all snap-ins and only explicitly denying the\nsnap-ins that the help desk shouldn't have access to. However, we were\nunable to find some of the snap-ins that we need to deny access to (DNS is\none of them).\n\nIs there a "registration" step we missed for the "missing" snap-ins, in\norder for the group policy to be able to "see" them? Or are we in a "can't\nget there from here" problem?\n\nUnfortunately we are still running Windows 2000 on some of our workstations,\notherwise I would have the help desk using the "remote assistance" program\nand continue with the GPO that we have in place.\n\nAny thoughts on how to tackle this problem?