Article ID: 271135 - View products that this article applies to.
This article was previously published under Q271135
This article discusses the Microsoft Management Console (MMC) and snap-in restrictions for a Microsoft Windows 2000-based computer.
When you attempt to run an MMC snap-in, you may receive the following error message:
Or, MMC starts, but the list of available snap-ins is missing or limited.
The snap-in below, referenced in this document has been restricted by policy.
Contact your administrator for details. snap-in name
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/322756/ )How to back up and restore the registry in Windows
NOTE: The following registry information is for informational and troubleshooting purposes only. The supported method for altering the behavior of MMC and snap-ins is by means of the Group or Local Policy tool.
The current values that can be placed on the MMC and the snap-ins are at the following registry location:
RestrictAuthorMode Registry KeyThis registry key can prevent users from opening the MMC in Author mode, from opening console files in Author mode, and from opening any console files that open in Author mode by default.
The registry key stores the setting of the "Restrict the user from entering author mode" Group Policy. Group Policy adds an entry with a value of 1 to the registry when you enable the policy. If you disable the policy, Group Policy sets the value to 0. If you set the policy to "Not Configured", Group Policy deletes the entry from the registry and the system behaves as though the value is 0.
Value = 0 (or not in registry) The policy is disabled or not configured. Users can open the MMC in Author mode.
Value = 1 The policy is enabled. Users cannot open the MMC in Author mode.
When the value of this entry is 1, users cannot open a blank MMC console window from the Start menu or from a command prompt and users cannot create console files or add or remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain.
However, while this value is 1, users can open MMC user-mode console files, such as those on the Administrative Tools menu in Microsoft Windows 2000 Server.
RestrictToPermittedSnapins Registry KeyThis registry key selectively permits or prohibits the use of Microsoft Management Console (MMC) snap-ins.
The registry key stores the setting of the "Restrict users to the explicitly permitted list of snap-ins" Group Policy. Group Policy adds an entry with a value of 1 to the registry when you enable the policy. If you disable the policy, Group Policy sets the value to 0. If you set the policy to "Not Configured", Group Policy deletes the entry from the registry and the system behaves as though the value is 0.
Value = 0 (or not in registry): The policy is disabled or not configured. All snap-ins are permitted, except those explicitly prohibited. Snap-ins are explicitly prohibited when the value of Restrict_Run in the Class ID subkey for that snap-in is 0. (If the Restrict_Run entry for that snap-in is not in the registry or if its value is 1, the snap-in is permitted.)
Value = 1: The policy is enabled. All snap-ins are prohibited, except those explicitly permitted. Snap-ins are explicitly permitted when the value of Restrict_Run in the Class ID subkey for that snap-in is set to 1. (If the Restrict_Run entry for that snap-in is not in the registry or if its value is 0, the snap-in is prohibited.)
A value of 1 prohibits users from running any snap-ins, except those you explicitly permit them to use. Use this value if you plan to prohibit use of all or most snap-ins. A value of 0 (the default value) enables users to run all snap-ins, except those that you explicitly prohibit. Use this value if you plan to permit use of all or most snap-ins.
The following is a description of the snap-ins, snap-in extensions, and Group Policy components for MMC. The MMC class ID's (CLSID) are at the following registry location:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Mmc\CLSID\Restrict_RunTo enable or to disable any of the following snap-ins, snap-in extensions, or Group Policy components, set the CLSID\Restrict_Run value to 0 (permit use) or to 1 (prohibit use).
Restrict_Run Registry KeyThis registry key stores the setting of a policy in the Restricted/Permitted snap-ins folders in Group Policy. Each policy in the folder represents a snap-in, a snap-in extension, or a Group Policy component. When you enable a policy in the folder, Group Policy adds the Restrict_Run entry to the Class ID subkey for the named snap-in or component and sets its value to 0.
If you disable the policy, Group Policy adds the Restrict_Run entry and sets its value to 1. If you set the policy to "Not configured", Group Policy deletes the entry from the registry.
By default, users can use all of the snap-ins. However, you can prohibit access to a particular snap-in by disabling its policy in the Restricted/Permitted snap-ins Group Policy folder. When you disable the policy, Group Policy sets the value of Restrict_Run to 1. As a result, the system does not run that snap-in.
If you restrict users to the explicitly permitted list of snap-ins policy, users cannot run any snap-ins unless the value of Restrict_Run is 0. All other snap-ins are prohibited. To add Restrict_Run to the registry with a value of 0, enable the policy for that snap-in in the Restricted/Permitted snap-ins folder.
Group Policy Components
(http://support.microsoft.com/kb/201341/EN-US/ )Delegation of Administration Using Microsoft Management Console
(http://support.microsoft.com/kb/230263/EN-US/ )How to Create Custom MMC Snap-in Tools
(http://support.microsoft.com/kb/263166/EN-US/ )Administrator May Be Unable to Edit Group Policy in Windows 2000
Article ID: 271135 - Last Review: March 1, 2007 - Revision: 2.5