I need the ability to restrict a Help desk operator from gaining access to
some MMC snap-ins, but allow access to other "allowed" snap-ins.
In the group policy User Configuration\Administrative Components\Microsoft
Management Console I've set the Policy "Restrict users to the explicitly
permitted list of snap-ins" to "enabled". Now the operator can't access the
We are running the current version of SMS and are in a 2003 AD domain (not
mixed mode). I've checked for an SMS entry in the "Restricted/Permitted
snap-ins" and the "Extension snap-ins" - I don't see it. We have considered
the alternative of enabling all snap-ins and only explicitly denying the
snap-ins that the help desk shouldn't have access to. However, we were
unable to find some of the snap-ins that we need to deny access to (DNS is
one of them).
Is there a "registration" step we missed for the "missing" snap-ins, in
order for the group policy to be able to "see" them? Or are we in a "can't
get there from here" problem?
Unfortunately we are still running Windows 2000 on some of our workstations,
otherwise I would have the help desk using the "remote assistance" program
and continue with the GPO that we have in place.
Any thoughts on how to tackle this problem?