Control MMC Usage by Using Domain-Wide Group Policy
Applies To: Windows 7, Windows 8, Windows Server 2008 R2, Windows Server 2012, Windows Vista
Controlling MMC usage by using domain-wide Group Policy
You must be a member of the Domain Administrators group to modify domain-wide Group Policy.
To control MMC usage by using domain-wide Group Policy
Open Active Directory Users and Computers.
The Active Directory Users and Computers snap-in is available only on computers configured as Active Directory domain controllers. To open Active Directory Users and Computers, click Start , point to Administrative Tools , and then click Active Directory Users and Computers .
In the tree, right-click the organizational unit for which you want to configure policy, and then click Properties .
On the Group Policy tab, click Edit .
The Group Policy editor opens.
Before closing the Active Directory Users and Computers snap-in, perform any of the following procedures:
Restricting access to author mode in MMC for a domain
Restricting access to a permitted list of snap-ins for a domain
Permitting or restricting access to a snap-in for a domain
Restricting access to author mode in MMC for a domain
To restrict access to author mode in MMC for a domain
In the tree, click Microsoft Management Console .
The Microsoft Management Console object is found in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.
In the results pane, double-click Restrict the user from entering author mode .
On the Policy tab, do one of the following:
To allow the user to use author mode in MMC, click Not Configured or Disabled .
To restrict the user from using author mode in MMC, click Enabled .
Click OK .
Restricting access to a permitted list of snap-ins for a domain
To restrict access to a permitted list of snap-ins for a domain
In the tree, click Microsoft Management Console .
The Microsoft Management Console object is found in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.
In the results pane, double-click Restrict users to the explicitly permitted list of snap-ins .
On the Policy tab, do one of the following:
To permit the user to access snap-ins that are not explicitly restricted, click Not Configured or Disabled .
To restrict the user from accessing any snap-in that is not explicitly permitted, click Enabled .
Click OK .
Note
If you enable this policy, only permitted snap-ins appear in the list of available snap-ins in the Add Standalone Snap-in dialog box in MMC.
Permitting or restricting access to a snap-in for a domain
To permit or restrict access to a snap-in for a domain
- In the tree, click Restricted/Permitted snap-ins .
The Restricted/Permitted snap-ins object is found in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins.
In the results pane, double-click the snap-in that you want to permit or restrict, and then do one of the following:
To enable the user to access this snap-in (unless the user is restricted by the Restrict users to the explicitly permitted list of snap-ins policy), click Not Configured .
To permit the user to access this snap-in, click Enabled .
To restrict the user from accessing this snap-in, click Disabled .
Click OK .
Note
When you restrict or explicitly permit access to a snap-in, the snap-in is added to a list of restricted or permitted snap-ins. The restricted list takes precedence over the permitted list, so that if the same snap-in exists on both lists, access to the snap-in is restricted.
Additional Information
Active Directory applies only in a network where the Group Policy editor has been configured. You must be a domain administrator, or have equivalent rights, and use a computer configured as a domain controller to configure the Group Policy editor for a domain.
For more information about any of these settings, click the Explain tab in the dialog box for the Group Policy setting you are selecting, and see Help.