Some snap-ins not displaying in "Restricted/Permitted snap-ins"

Some snap-ins not displaying in "Restricted/Permitted snap-ins"

Post by RGF2aW » Sat, 19 Jan 2008 22:37:00

I need the ability to restrict a Help desk operator from gaining access to
some MMC snap-ins, but allow access to other "allowed" snap-ins.

In the group policy User Configuration\Administrative Components\Microsoft
Management Console I've set the Policy "Restrict users to the explicitly
permitted list of snap-ins" to "enabled". Now the operator can't access the
SMS snap-in.

We are running the current version of SMS and are in a 2003 AD domain (not
mixed mode). I've checked for an SMS entry in the "Restricted/Permitted
snap-ins" and the "Extension snap-ins" - I don't see it. We have considered
the alternative of enabling all snap-ins and only explicitly denying the
snap-ins that the help desk shouldn't have access to. However, we were
unable to find some of the snap-ins that we need to deny access to (DNS is
one of them).

Is there a "registration" step we missed for the "missing" snap-ins, in
order for the group policy to be able to "see" them? Or are we in a "can't
get there from here" problem?

Unfortunately we are still running Windows 2000 on some of our workstations,
otherwise I would have the help desk using the "remote assistance" program
and continue with the GPO that we have in place.

Any thoughts on how to tackle this problem?

Some snap-ins not displaying in "Restricted/Permitted snap-ins"

Post by RGF2aW » Thu, 24 Jan 2008 11:11:06

To anyone interested..... I created a custom ADM template to use in group
policy to restrict/allow based on the CLSID (used the system.adm as an