Some snap-ins not displaying in "Restricted/Permitted snap-ins"

Discussion in 'Active Directory' started by David, Jan 18, 2008.

  1. David

    David Guest

    I need the ability to restrict a Help desk operator from gaining access to
    some MMC snap-ins, but allow access to other "allowed" snap-ins.

    In the group policy User Configuration\Administrative Components\Microsoft
    Management Console I've set the Policy "Restrict users to the explicitly
    permitted list of snap-ins" to "enabled". Now the operator can't access the
    SMS snap-in.

    We are running the current version of SMS and are in a 2003 AD domain (not
    mixed mode). I've checked for an SMS entry in the "Restricted/Permitted
    snap-ins" and the "Extension snap-ins" - I don't see it. We have considered
    the alternative of enabling all snap-ins and only explicitly denying the
    snap-ins that the help desk shouldn't have access to. However, we were
    unable to find some of the snap-ins that we need to deny access to (DNS is
    one of them).

    Is there a "registration" step we missed for the "missing" snap-ins, in
    order for the group policy to be able to "see" them? Or are we in a "can't
    get there from here" problem?

    Unfortunately we are still running Windows 2000 on some of our workstations,
    otherwise I would have the help desk using the "remote assistance" program
    and continue with the GPO that we have in place.

    Any thoughts on how to tackle this problem?
    David, Jan 18, 2008
    1. Advertisements

  2. David

    David Guest

    To anyone interested..... I created a custom ADM template to use in group
    policy to restrict/allow based on the CLSID (used the system.adm as an
    David, Jan 23, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.