To restrict access to a permitted list of snap-ins for a domain

1. Open Active Directory Users and Computers.
2. In the console tree, right-click the organizational unit for which you want to configure policy, and then click Properties.
3. On the Group Policy tab, click Edit.

   The Group Policy Object Editor appears.

4. In the console tree, click Microsoft Management Console.

   Where?

   • PolicyName Policy
   • User Configuration
   • Administrative Templates
   • Windows Components
   • Microsoft Management Console
5. In the details pane, double-click Restrict users to the explicitly permitted list of snap-ins.
6. On the Policy tab, do one of the following:
   • To permit the user to access snap-ins that are not explicitly restricted, click Not Configured or Disabled.
   • To restrict the user from accessing any snap-in that is not explicitly permitted, click Enabled.

Notes

• To open Active Directory Users and Computers, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
• Active Directory applies only in a network where Group Policy Object Editor has been configured. You must be a domain Administrator, or have administrative credentials, and use a computer configured as a domain controller to configure Group Policy Object Editor for a domain.
• If you enable this policy, only permitted snap-ins appear in the list of available snap-ins in the Add Standalone Snap-in dialog box in MMC.
• For more information, click the Explain tab in the Restrict users to the explicitly permitted list of snap-ins properties dialog box, and see Help.

Related Topics