Controlling MMC usage by using local Group Policy

To control MMC usage by using local Group Policy
  1. Open MMC 3.0.

  2. On the File menu, click Add/Remove Snap-in.

  3. In the Available snap-ins list, click the Group Policy editor, and then click Add.

  4. In the Select Group Policy Object wizard, use the default setting, Local Computer, in the Group Policy Object field.

  5. Click Finish to close the Select Group Policy Object wizard.

  6. By default, all available snap-in extensions are enabled. If you want to enable only certain extensions, highlight the snap-in in the Selected snap-ins list, and then click Edit Extensions.

  7. By default, snap-ins load as child objects of the Console Root node. Click Advanced to modify this behavior and allow you to choose a different parent snap-in.

  8. In the Add or Remove Snap-ins dialog box, click OK.

  9. Before closing the new console, perform any of these procedures:

Restricting access to author mode in MMC

To restrict access to author mode in MMC
  1. In the tree, click Microsoft Management Console.

    You will find it in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.

  2. In the results pane, double-click Restrict the user from entering author mode.

  3. On the Setting tab, do one of the following:

    • To allow the user to use author mode in MMC, click Not Configured or Disabled.

    • To restrict the user from using author mode in MMC, click Enabled.

  4. Click OK.

Note

When Restrict the user from entering author mode has been enabled, any attempt to reaccess the console results in a message indicating that access is blocked to the snap-in console in author mode. Users with administrator credentials can regain access to author mode by using the Search command and typing gpedit.msc, which opens the Group Policy editor for local computer policy. Next, browse to Microsoft Management Console as described in the procedure "To restrict access to author mode in MMC" above, double-click Restrict the user from entering author mode in the results pane, and then click either Not Configured or Disabled.

Restricting access to a permitted list of snap-ins

To restrict access to a permitted list of snap-ins
  1. In the tree, click Microsoft Management Console.

    You will find it in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.

  2. In the results pane, double-click Restrict users to the explicitly permitted list of snap-ins.

  3. On the Setting tab, do one of the following:

    • To permit the user to access snap-ins that are not explicitly restricted, click Not Configured or Disabled.

    • To restrict the user from accessing any snap-in that is not explicitly permitted, click Enabled.

  4. Click OK.

Note

If you enable this policy, only permitted snap-ins appear in the list of available snap-ins in the Add Standalone Snap-in dialog box in MMC.

Permitting or restrict access to a snap-in

To permit or restrict access to a snap-in
  1. In the tree, click Restricted/Permitted snap-ins.

    You will find it in the following path: PolicyName Policy\User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins.

  2. In the results pane, double-click the snap-in that you want to permit or restrict, and then do one of the following:

    • To enable the user to access this snap-in (unless the user is restricted by the Restrict users to the explicitly permitted list of snap-ins policy), click Not Configured.

    • To permit the user to access this snap-in, click Enabled.

    • To restrict the user from accessing this snap-in, click Disabled.

  3. Click OK.

Notes
  • To open MMC, click Start, click in the Start Search text box, type mmc, and then press ENTER.
  • For more information about any of these settings, click the Explain tab in the dialog box for the Group Policy setting you are selecting, and see Help.
  • These features apply only in a network where the Group Policy editor has been configured; a system administrator must enable the Group Policy editor. The Group Policy editor is not available in Windows XP Home Edition.

See Also