Restrict users to the explicitly permitted list of snap-ins
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console
Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.
- If you enable this policy, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins.
- If you disable this policy or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins.
To explicitly permit a snap-in, open the Restricted/Permitted snap-ins policy folder and then enable the policies representing the snap-in you want to permit. If a snap-in policy in the folder is disabled or not configured, the snap-in is prohibited.
To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins policy folder and then disable the policies representing the snap-ins you want to prohibit. If a snap-in policy in the folder is enabled or not configured, the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
If you enable this policy, and do not enable any policies in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins.