Control MMC Usage by Using Domain-Wide Group Policy

Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012, Windows Vista

Controlling MMC usage by using domain-wide Group Policy

You must be a member of the Domain Administrators group to modify domain-wide Group Policy.

To control MMC usage by using domain-wide Group Policy

  1. Open Active Directory Users and Computers.

    The Active Directory Users and Computers snap-in is available only on computers configured as Active Directory domain controllers. To open Active Directory Users and Computers, click Start , point to Administrative Tools , and then click Active Directory Users and Computers .

  2. In the tree, right-click the organizational unit for which you want to configure policy, and then click Properties .

  3. On the Group Policy tab, click Edit .

    The Group Policy editor opens.

  4. Before closing the Active Directory Users and Computers snap-in, perform any of the following procedures:

    • Restricting access to author mode in MMC for a domain

    • Restricting access to a permitted list of snap-ins for a domain

    • Permitting or restricting access to a snap-in for a domain

Restricting access to author mode in MMC for a domain

To restrict access to author mode in MMC for a domain

  1. In the tree, click Microsoft Management Console .

    The Microsoft Management Console object is found in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.

  2. In the results pane, double-click Restrict the user from entering author mode .

  3. On the Policy tab, do one of the following:

    • To allow the user to use author mode in MMC, click Not Configured or Disabled .

    • To restrict the user from using author mode in MMC, click Enabled .

  4. Click OK .

Restricting access to a permitted list of snap-ins for a domain

To restrict access to a permitted list of snap-ins for a domain

  1. In the tree, click Microsoft Management Console .

    The Microsoft Management Console object is found in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.

  2. In the results pane, double-click Restrict users to the explicitly permitted list of snap-ins .

  3. On the Policy tab, do one of the following:

    • To permit the user to access snap-ins that are not explicitly restricted, click Not Configured or Disabled .

    • To restrict the user from accessing any snap-in that is not explicitly permitted, click Enabled .

  4. Click OK .

Note

If you enable this policy, only permitted snap-ins appear in the list of available snap-ins in the Add Standalone Snap-in dialog box in MMC.

Permitting or restricting access to a snap-in for a domain

To permit or restrict access to a snap-in for a domain

  • In the tree, click Restricted/Permitted snap-ins .

The Restricted/Permitted snap-ins object is found in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins.

  1. In the results pane, double-click the snap-in that you want to permit or restrict, and then do one of the following:

    • To enable the user to access this snap-in (unless the user is restricted by the Restrict users to the explicitly permitted list of snap-ins policy), click Not Configured .

    • To permit the user to access this snap-in, click Enabled .

    • To restrict the user from accessing this snap-in, click Disabled .

  2. Click OK .

Note

When you restrict or explicitly permit access to a snap-in, the snap-in is added to a list of restricted or permitted snap-ins. The restricted list takes precedence over the permitted list, so that if the same snap-in exists on both lists, access to the snap-in is restricted.

Additional Information

  • Active Directory applies only in a network where the Group Policy editor has been configured. You must be a domain administrator, or have equivalent rights, and use a computer configured as a domain controller to configure the Group Policy editor for a domain.

  • For more information about any of these settings, click the Explain tab in the dialog box for the Group Policy setting you are selecting, and see Help.

See Also

Concepts

Open MMC 3.0