Developer Forum

I need the ability to restrict a Help desk operator from gaining access to
some MMC snap-ins, but allow access to other "allowed" snap-ins.

In the group policy User Configuration\Administrative Components\Microsoft
Management Console I've set the Policy "Restrict users to the explicitly
permitted list of snap-ins" to "enabled". Now the operator can't access the
SMS snap-in.

We are running the current version of SMS and are in a 2003 AD domain (not
mixed mode). I've checked for an SMS entry in the "Restricted/Permitted
snap-ins" and the "Extension snap-ins" - I don't see it. We have considered
the alternative of enabling all snap-ins and only explicitly denying the
snap-ins that the help desk shouldn't have access to. However, we were
unable to find some of the snap-ins that we need to deny access to (DNS is
one of them).

Is there a "registration" step we missed for the "missing" snap-ins, in
order for the group policy to be able to "see" them? Or are we in a "can't
get there from here" problem?

Unfortunately we are still running Windows 2000 on some of our workstations,
otherwise I would have the help desk using the "remote assistance" program
and continue with the GPO that we have in place.

Any thoughts on how to tackle this problem?

To anyone interested..... I created a custom ADM template to use in group
policy to restrict/allow based on the CLSID (used the system.adm as an
example).