Microsoft KB Archive/271135

= Windows 2000 Microsoft Management Console and Snap-in Restrictions =

Article ID: 271135

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q271135



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article discusses the Microsoft Management Console (MMC) and snap-in restrictions for a Microsoft Windows 2000-based computer.

When you attempt to run an MMC snap-in, you may receive the following error message:

The snap-in below, referenced in this document has been restricted by policy.

Contact your administrator for details.

Or, MMC starts, but the list of available snap-ins is missing or limited.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

NOTE: The following registry information is for informational and troubleshooting purposes only. The supported method for altering the behavior of MMC and snap-ins is by means of the Group or Local Policy tool.

The current values that can be placed on the MMC and the snap-ins are at the following registry location:

HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC

RestrictAuthorMode Registry Key
This registry key can prevent users from opening the MMC in Author mode, from opening console files in Author mode, and from opening any console files that open in Author mode by default.

The registry key stores the setting of the &quot;Restrict the user from entering author mode&quot; Group Policy. Group Policy adds an entry with a value of 1 to the registry when you enable the policy. If you disable the policy, Group Policy sets the value to 0. If you set the policy to &quot;Not Configured&quot;, Group Policy deletes the entry from the registry and the system behaves as though the value is 0.

Value = 0 (or not in registry) The policy is disabled or not configured. Users can open the MMC in Author mode.

Value = 1 The policy is enabled. Users cannot open the MMC in Author mode.

When the value of this entry is 1, users cannot open a blank MMC console window from the Start menu or from a command prompt and users cannot create console files or add or remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain.

However, while this value is 1, users can open MMC user-mode console files, such as those on the Administrative Tools menu in Microsoft Windows 2000 Server.

RestrictToPermittedSnapins Registry Key
This registry key selectively permits or prohibits the use of Microsoft Management Console (MMC) snap-ins.

The registry key stores the setting of the &quot;Restrict users to the explicitly permitted list of snap-ins&quot; Group Policy. Group Policy adds an entry with a value of 1 to the registry when you enable the policy. If you disable the policy, Group Policy sets the value to 0. If you set the policy to &quot;Not Configured&quot;, Group Policy deletes the entry from the registry and the system behaves as though the value is 0.

Value = 0 (or not in registry): The policy is disabled or not configured. All snap-ins are permitted, except those explicitly prohibited. Snap-ins are explicitly prohibited when the value of Restrict_Run in the  subkey for that snap-in is 0. (If the Restrict_Run entry for that snap-in is not in the registry or if its value is 1, the snap-in is permitted.)

Value = 1: The policy is enabled. All snap-ins are prohibited, except those explicitly permitted. Snap-ins are explicitly permitted when the value of Restrict_Run in the  subkey for that snap-in is set to 1. (If the Restrict_Run entry for that snap-in is not in the registry or if its value is 0, the snap-in is prohibited.)

A value of 1 prohibits users from running any snap-ins, except those you explicitly permit them to use. Use this value if you plan to prohibit use of all or most snap-ins. A value of 0 (the default value) enables users to run all snap-ins, except those that you explicitly prohibit. Use this value if you plan to permit use of all or most snap-ins.

The following is a description of the snap-ins, snap-in extensions, and Group Policy components for MMC. The MMC class ID's (CLSID) are at the following registry location:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Mmc\ \Restrict_Run

To enable or to disable any of the following snap-ins, snap-in extensions, or Group Policy components, set the \Restrict_Run value to 0 (permit use) or to 1 (prohibit use).

Restrict_Run Registry Key
This registry key stores the setting of a policy in the Restricted/Permitted snap-ins folders in Group Policy. Each policy in the folder represents a snap-in, a snap-in extension, or a Group Policy component. When you enable a policy in the folder, Group Policy adds the Restrict_Run entry to the  subkey for the named snap-in or component and sets its value to 1.

If you disable the policy, Group Policy adds the Restrict_Run entry and sets its value to 0. If you set the policy to &quot;Not configured&quot;, Group Policy deletes the entry from the registry.

By default, users can use all of the snap-ins. However, you can prohibit access to a particular snap-in by disabling its policy in the Restricted/Permitted snap-ins Group Policy folder. When you disable the policy, Group Policy sets the value of Restrict_Run to 0. As a result, the system does not run that snap-in.

If you restrict users to the explicitly permitted list of snap-ins policy, users cannot run any snap-ins unless the value of Restrict_Run is 1. All other snap-ins are prohibited. To add Restrict_Run to the registry with a value of 1, enable the policy for that snap-in in the Restricted/Permitted snap-ins folder.

Snap-ins

 * Active Directory Users and Computers

{E355E538-1C2E-11D0-8C37-00C04FD8FE93}
 * Active Directory Domains and Trusts

{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6}
 * Active Directory Sites and Services

{D967F824-9968-11D0-B936-00C04FD8D5B0}
 * Certificates

{53D6AB1D-2488-11D1-A28C-00C04FB94F17}
 * Component Services

{C9BC92DF-5B9A-11D1-8F00-00C04FC2C17B}
 * Computer Management

{58221C67-EA27-11CF-ADCF-00AA00A80033}
 * Device Manager

{90087284-d6d6-11d0-8353-00a0c90640bf}
 * Disk Management

{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}
 * Disk Defragmenter

{43668E21-2636-11D1-A1CE-0080C88593A5}
 * Distributed File System

{677A2D94-28D9-11D1-A95B-008048918FB1}
 * Event Viewer

{975797FC-4E2A-11D0-B702-00C04FD8DBF7}
 * FAX Service

{753EDB4D-2E1B-11D1-9064-00A0C90AB504}
 * Indexing Service

{95AD72F0-44CE-11D0-AE29-00AA004B9986}
 * Internet Authentication Service (IAS)

{8F8F8DC0-5713-11D1-9551-0060B0576642}
 * Internet Information Services

{A841B6C2-7577-11D0-BB1F-00A0C922E79C}
 * IP Security

{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD}
 * Local Users and Groups

{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}
 * Performance Logs and Alerts

{7478EF61-8C46-11d1-8D99-00A0C913CAD4}
 * QoS Admission Control

{FD57D297-4FD9-11D1-854E-00C04FC31FD3}
 * Removable Storage Management

{3CB6973D-3E6F-11D0-95DB-00A024D77700}
 * Routing and Remote Access

{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}
 * Security Configuration and Analysis

{011BE22D-E453-11D1-945A-00C04FB984F9}
 * Security Templates

{5ADF5BF6-E452-11D1-945A-00C04FB984F9}
 * Services

{58221C66-EA27-11CF-ADCF-00AA00A80033}
 * Shared Folders

{58221C65-EA27-11CF-ADCF-00AA00A80033}
 * System Information

{45ac8c63-23e2-11d1-a696-00c04fd58bc3}
 * Telephony

{E26D02A0-4C1F-11D1-9AA1-00C04FC3357A}
 * Terminal Services Configuration

{B91B6008-32D2-11D2-9888-00A0C925F917}
 * WMI Control

{5C659257-E236-11D2-8899-00104B2AFB46}

Snap-in Extensions

 * AppleTalk Routing

{1AA7F83C-C7F5-11D0-A376-00C04FC9DA04}
 * Certification Authority

{3F276EB4-70EE-11D1-8A0F-00C04FB93753}
 * Connection Sharing (NAT)

{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04}
 * DCOM Configuration Extension

{9EC88934-C774-11d1-87F4-00C04FC2C17B}
 * Device Manager

{74246bfc-4c96-11d0-abef-0020af6b0b7a}
 * DHCP Relay Management

{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04}
 * Event Viewer

{394C052E-B830-11D0-9A86-00C04FD8DBF7}
 * IAS Logging

{2E19B602-48EB-11d2-83CA-00104BCA42CF}
 * IGMP Routing

{C2FE4508-D6C2-11D0-A37B-00C04FC9DA04}
 * IP Routing

{C2FE4500-D6C2-11D0-A37B-00C04FC9DA04}
 * IPX RIP Routing

{90810502-38F1-11D1-9345-00C04FC9DA04}
 * IPX Routing

{90810500-38F1-11D1-9345-00C04FC9DA04}
 * IPX SAP Routing

{90810504-38F1-11D1-9345-00C04FC9DA04}
 * Logical and Mapped Drives

{6E8E0081-19CD-11D1-AD91-00AA00B8E05A}
 * OSPF Routing

{C2FE4506-D6C2-11D0-A37B-00C04FC9DA04}
 * Public Key Policies

{34AB8E82-C27E-11D1-A6C0-00C04FB94F17}
 * RAS Dialin - User Node

{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}
 * Remote Access

{5880CD5C-8EC0-11d1-9570-0060B0576642}
 * Removable Storage

{243E20B0-48ED-11D2-97DA-00A024D77700}
 * RIP Routing

{C2FE4504-D6C2-11D0-A37B-00C04FC9DA04}
 * Routing

{DAB1A262-4FD7-11D1-842C-00C04FB6C218}
 * Send Console Message

{B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3}
 * Service Dependencies

{BD95BA60-2E26-AAD1-AD99-00AA00B8E05A}
 * SMTP Protocol

{03f1f940-a0f2-11d0-bb77-00aa00a1eab7}
 * SNMP

{7AF60DD3-4979-11D1-8A6C-00C04FC33566}
 * System Properties

{0F3621F1-23C6-11D1-AD97-00AA00B88E5A}

Group Policy Components

 * Group Policy snap-in

{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}
 * Group Policy Tab for Active Directory Tools

{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}
 * Administrative Templates (Computer)

{0F6B957D-509E-11D1-A7CC-0000F87571E3}
 * Administrative Templates (User)

{0F6B957E-509E-11D1-A7CC-0000F87571E3}
 * Folder Redirection

{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}
 * Internet Explorer Maintenance

{FC715823-C5FB-11D1-9EEF-00A0C90347FF}
 * Remote Installation Services

{3060E8CE-7020-11D2-842D-00C04FA372D4}
 * Scripts (Logon/Logoff)

{40B66650-4972-11D1-A7CA-0000F87571E3}
 * Scripts (Startup/Shutdown)

{40B6664F-4972-11D1-A7CA-0000F87571E3}
 * Security Settings

{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}
 * Software Installation (Computer)

{942A8E4F-A261-11D1-A760-00C04FB9603F}
 * Software Installation (User)

{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}

For additional information about MMC Customization, click the article numbers below to view the articles in the Microsoft Knowledge Base:

201341 Delegation of Administration Using Microsoft Management Console

230263 How to Create Custom MMC Snap-in Tools

263166 Administrator May Be Unable to Edit Group Policy in Windows 2000

Keywords: kbgpo kbinfo KB271135

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.