Group Policy & MMC restictions

chund71 · External Since: Nov 15, 2006 Posts: 2

Hello.
I seem to have an odd issue regarding Group Policy and MMC snap-in
which I cannot get my head around. Any help would be highly
appreciated. I've searched the Google groups and found 2 similar
postings from a couple of years back but they don't have any replies
Sad

We're running a small isolated 2003 AD system (1 server) and have a
number of XP pro desktops for an accountancy team. We want give the
manager the ability to reset passwords so he doesn't have to call
support to come out.

The system has a simple user policy that restricts users from running
MMC snap-ins unless explicitly enabled using "Restrict users to the
explicitly permitted list of snap-ins" set to enabled. This prevents
users from running any MMCs and works great.

I have created a new group policy object and filtered it by a group
which sets the AD users and computers snap-in to enabled, and added the
manager into the group.

We then created a new MMC and added in the AD Users and
computers snap-in with a filtered view. We saved the MMC and tested it,

but seem to be getting a weird error:
"The snap-in below, referenced in this document has been restricted
by
policy. Contact your administrator for details.
Folder. "

If you click the OK button the MMC loads up fine.
I cannot find any references to "Folder" in the group policy or any
options in the snap-in listed as "Folder".

Please help as I'm stuck and my manager is getting at me as I'm new!

myweb · External Since: Sep 22, 2006 Posts: 90

Hello chund71.TakeThisOut@yahoo.co.uk,

It looks that the new policy will not be applied to your manager. Try to
create a new OU add the GPO to this OU and move the user to this OU.

Best regards

myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> Hello.
> I seem to have an odd issue regarding Group Policy and MMC snap-in
> which I cannot get my head around. Any help would be highly
> appreciated. I've searched the Google groups and found 2 similar
> postings from a couple of years back but they don't have any replies
> Sad

> We're running a small isolated 2003 AD system (1 server) and have a
> number of XP pro desktops for an accountancy team. We want give the
> manager the ability to reset passwords so he doesn't have to call
> support to come out.
> The system has a simple user policy that restricts users from running
> MMC snap-ins unless explicitly enabled using "Restrict users to the
> explicitly permitted list of snap-ins" set to enabled. This prevents
> users from running any MMCs and works great.
>
> I have created a new group policy object and filtered it by a group
> which sets the AD users and computers snap-in to enabled, and added
> the manager into the group.
>
> We then created a new MMC and added in the AD Users and computers
> snap-in with a filtered view. We saved the MMC and tested it,
>
> but seem to be getting a weird error:
> "The snap-in below, referenced in this document has been restricted
> by
> policy. Contact your administrator for details.
> Folder. "
> If you click the OK button the MMC loads up fine.
> I cannot find any references to "Folder" in the group policy or any
> options in the snap-in listed as "Folder".
> Please help as I'm stuck and my manager is getting at me as I'm new!
>

myweb · External Since: Sep 22, 2006 Posts: 90

Hello chund71.DeleteThis@yahoo.co.uk,

Create a new OU add the new GPO to the OU move the user and test it this
way. The old policy is still active for the user, so move him out of this
OU and it should work.

Best regards

myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

> Hello.
> I seem to have an odd issue regarding Group Policy and MMC snap-in
> which I cannot get my head around. Any help would be highly
> appreciated. I've searched the Google groups and found 2 similar
> postings from a couple of years back but they don't have any replies
> Sad

> We're running a small isolated 2003 AD system (1 server) and have a
> number of XP pro desktops for an accountancy team. We want give the
> manager the ability to reset passwords so he doesn't have to call
> support to come out.
> The system has a simple user policy that restricts users from running
> MMC snap-ins unless explicitly enabled using "Restrict users to the
> explicitly permitted list of snap-ins" set to enabled. This prevents
> users from running any MMCs and works great.
>
> I have created a new group policy object and filtered it by a group
> which sets the AD users and computers snap-in to enabled, and added
> the manager into the group.
>
> We then created a new MMC and added in the AD Users and computers
> snap-in with a filtered view. We saved the MMC and tested it,
>
> but seem to be getting a weird error:
> "The snap-in below, referenced in this document has been restricted
> by
> policy. Contact your administrator for details.
> Folder. "
> If you click the OK button the MMC loads up fine.
> I cannot find any references to "Folder" in the group policy or any
> options in the snap-in listed as "Folder".
> Please help as I'm stuck and my manager is getting at me as I'm new!
>

Ralph · Joined: Oct 16, 2008 Posts: 1

Hi,

I know that this is an old topic but only just had this same problems, and thought I would post my findings for anyone in the future.

To get round this I found the GUID by saving the MSC file I created (as you did), and then reviewing it in Notepad.
I then created an admin template with the following in it:

CLASS USER

CATEGORY "Windows Components"
CATEGORY "Microsoft Management Console"
CATEGORY "Custom Settings"
POLICY "Microsoft Folder snap-in"
KEYNAME "Software\Policies\Microsoft\MMC\{C96401CC-0E17-11D3-885B-00C04F72C717}"
EXPLAIN "Permits or prohibits use of this snap-in."
VALUENAME "Restrict_Run"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
END CATEGORY
END CATEGORY

Add this template under USer Configuration / Administrative Templates in the appropriate GPO, and set the new policy to ENABLED.

GPUPDATE /force on the effected PC and the problem went away.

Hope this helps someone,
-Ralph