Configuring Access to and Use of Microsoft Management Console

The Microsoft Management Console (MMC) is an administrative framework that provides a unified interface for management applications. As such, MMC is primarily used by administrators but might also be used by those who have been delegated some administrative privileges. Just about every administrative tool on the Administrative Tools menu is an MMC console that includes add-in components, called snap-ins, to provide the necessary administrative functionality.

Note

Microsoft Management Console can be customized to include custom menus, command shortcuts, special administration views, and more. Once you’ve created a custom console, you can distribute it to your administrators and to users to whom you’ve delegated administration privileges. See Microsoft Windows Server 2003 Inside Out (Microsoft Press, 2004) for details.

Group Policy provides several ways to control access to consoles and snap-ins, with the goal of enhancing security by preventing users, delegated administrators, and even other administrators from performing actions they shouldn’t. For example, you might not want any member of the Customer Services OU to be able to work with directory trusts or access the Certificate Authority. You can configure the GPO for the Customer Services OU to prevent users (and administrators) whose accounts are in this OU from accessing the Active Directory Domains And Trusts and Certification Authority snap-ins. Any attempt by users or administrators in this OU to access these snap-ins will then fail.

Group Policy settings for MMC are found under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console. Using the policies found here, you can:

  • Prevent users in a site, domain, or OU from creating new consoles or adding and removing snap-ins in existing consoles

  • Designate specific snap-ins as permitted or prohibited

  • Require explicit permission to access any and all snap-ins

The sections that follow examine each of these configuration options.

Blocking Author Mode for MMC

Microsoft Management Consoles can run in either user mode or author mode. In user mode, you can make use of snap-ins already included but you cannot add snap-ins. In author mode, you can create custom consoles or add snap-ins to existing consoles.

To prevent users in a site, domain, or OU from creating new consoles or adding and removing snap-ins in existing consoles, double-click Restrict The User From Entering Author Mode, select Enabled, and then click OK. This policy is found under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console.

Note

Preventing users from creating new consoles also prevents them from opening a new console at the command prompt and in the Run dialog box.

Designating Prohibited and Permitted Snap-ins

In Group Policy, you can designate specific snap-ins as prohibited or permitted for use. When a snap-in is prohibited, it cannot be added to custom consoles and is not displayed in any consoles in which it is included. When a snap-in is explicitly permitted for use, any authorized user can work with the snap-in. As long as you do not block author mode, any authorized user can also add the snap-in to custom consoles.

Every available snap-in has a related policy setting in the Restricted/Permitted Snap-ins folder under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console. To explicitly permit a snap-in, double-click the related policy setting and then select Enabled. To explicitly prohibit a snap-in, double-click the related policy setting and then select Disabled. If you’ve previously enabled Restrict Users Using Only Explicit Permitted Snap-ins, all snap-ins are prohibited by default, and you must enable the related setting for a snap-in to explicitly permit its use.

Requiring Explicit Permission for All Snap-Ins

Another option for configuring snap-in use is to restrict access to all snap-ins by default and allow access only to snap-ins that have been explicitly permitted for use. To do this, double-click Restrict Users To The Explicitly Permitted List Of Snap-ins under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console. In the Policy Setting dialog box, select Enabled and then click OK.

Although the Restrict Users To The Explicitly Permitted List Of Snap-ins policy setting is fairly straightforward to configure, you shouldn’t enable it without considerable planning beforehand. Here are some guidelines to follow:

  • Rarely restrict access at domain level. You should rarely, if ever, restrict access to all snap-ins at the domain level. If you do this without first explicitly permitting snap-ins, you might block yourself and all other administrators from performing essential administration tasks through the built-in administrator tools and any custom consoles your organization uses.

  • Carefully select OUs to restrict. You should carefully select the OUs for which you want to require explicit permission to use snap-ins. Before you restrict snap-in usage, you should determine which snap-ins will be permitted for use and then explicitly permit their use. Explicitly permitting snap-ins is necessary to ensure that administrators and anyone else authorized to work with snap-ins can perform essential tasks.
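The three settings described above (blocking author mode, permitting or prohibiting individual snap-ins, and requiring explicit permission for all snap-ins) are each a registry value that the MMC administrative templates write under HKCU\Software\Policies\Microsoft\MMC. The PowerShell script below is an added example, not code from the book or from Microsoft: it sets those values in a GPO with the GroupPolicy module's Set-GPRegistryValue, looks up a snap-in's CLSID by display name from the local HKLM\SOFTWARE\Microsoft\MMC\SnapIns registration so that no GUIDs need to be typed by hand, and, to support the planning guidance above, audits the policy in effect for the current user and reports which installed snap-ins would stop working if Restrict Users To The Explicitly Permitted List Of Snap-ins were enabled without first permitting them. It assumes the RSAT GroupPolicy module is installed (it shipped with Windows Server 2008 R2 and later, not with Server 2003), that the GPO name passed in already exists, and that the caller can edit it; the GPO name and snap-in names in the usage comments are placeholders.

```powershell
# Added example (not from the book): configure and audit MMC restrictions.
# Registry values written by the MMC ADMX templates (User Configuration):
#   HKCU\Software\Policies\Microsoft\MMC
#       RestrictAuthorMode          DWORD 1 = author mode blocked
#       RestrictToPermittedSnapins  DWORD 1 = only explicitly permitted snap-ins usable
#   HKCU\Software\Policies\Microsoft\MMC\{CLSID}
#       Restrict_Run                DWORD 0 = permitted (policy Enabled), 1 = prohibited (policy Disabled)
# Installed snap-ins are registered under HKLM\SOFTWARE\Microsoft\MMC\SnapIns\{CLSID}
# with a NameString value holding the display name.

Import-Module GroupPolicy -ErrorAction Stop   # assumption: RSAT Group Policy tools present

$PolicyKey  = 'HKCU\Software\Policies\Microsoft\MMC'   # GPO-side path for Set-GPRegistryValue
$SnapInRoot = 'HKLM:\SOFTWARE\Microsoft\MMC\SnapIns'   # local registration of installed snap-ins

function Get-InstalledSnapIn {
    # CLSID/display-name pairs for every snap-in registered on this machine.
    # Snap-ins that only carry a NameStringIndirect (localized resource) are skipped.
    Get-ChildItem -Path $SnapInRoot -ErrorAction Stop | ForEach-Object {
        $name = (Get-ItemProperty -Path $_.PSPath -Name NameString -ErrorAction SilentlyContinue).NameString
        if ($name) { [pscustomobject]@{ Clsid = $_.PSChildName; Name = $name } }
    }
}

function Resolve-SnapInClsid {
    param([Parameter(Mandatory)][string]$Name)
    # Wildcards allowed, but the name must identify exactly one snap-in.
    $found = @(Get-InstalledSnapIn | Where-Object { $_.Name -like $Name })
    if ($found.Count -ne 1) {
        throw "Snap-in name '$Name' matched $($found.Count) registered snap-ins; use a more specific name."
    }
    $found[0].Clsid
}

function Set-MmcAuthorModeRestriction {
    # "Restrict the user from entering author mode"
    param([Parameter(Mandatory)][string]$GpoName, [bool]$Restrict = $true)
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'RestrictAuthorMode' `
        -Type DWord -Value ([int]$Restrict) | Out-Null
}

function Set-MmcExplicitPermissionRequirement {
    # "Restrict users to the explicitly permitted list of snap-ins"
    param([Parameter(Mandatory)][string]$GpoName, [bool]$Require = $true)
    Set-GPRegistryValue -Name $GpoName -Key $PolicyKey -ValueName 'RestrictToPermittedSnapins' `
        -Type DWord -Value ([int]$Require) | Out-Null
}

function Set-MmcSnapInAccess {
    # Per-snap-in policy: Permitted = policy Enabled (0), Prohibited = policy Disabled (1).
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$SnapInName,
        [Parameter(Mandatory)][ValidateSet('Permitted', 'Prohibited')][string]$Access
    )
    $clsid = Resolve-SnapInClsid -Name $SnapInName
    $value = if ($Access -eq 'Permitted') { 0 } else { 1 }
    Set-GPRegistryValue -Name $GpoName -Key "$PolicyKey\$clsid" -ValueName 'Restrict_Run' `
        -Type DWord -Value $value | Out-Null
}

function Get-MmcEffectiveSnapInPolicy {
    # Reads the policy currently applied to this user (run gpupdate first) and,
    # for each installed snap-in, reports whether it is usable now and whether it
    # would still be usable if the explicit-permission requirement were enabled.
    $localKey    = 'HKCU:\Software\Policies\Microsoft\MMC'
    $global      = Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue
    $restrictAll = [bool]$global.RestrictToPermittedSnapins
    foreach ($s in Get-InstalledSnapIn) {
        $entry = Get-ItemProperty -Path "$localKey\$($s.Clsid)" -Name Restrict_Run -ErrorAction SilentlyContinue
        $state = if ($null -eq $entry) { 'NotConfigured' }
                 elseif ($entry.Restrict_Run -eq 0) { 'Permitted' }
                 else { 'Prohibited' }
        [pscustomobject]@{
            Name                = $s.Name
            Clsid               = $s.Clsid
            Setting             = $state
            UsableNow           = ($state -eq 'Permitted') -or ($state -eq 'NotConfigured' -and -not $restrictAll)
            UsableIfRestrictAll = ($state -eq 'Permitted')   # only explicit permits survive the global restriction
        }
    }
}

# Usage (GPO and snap-in names are placeholders, not values from the book):
#   Set-MmcAuthorModeRestriction -GpoName 'Customer Services MMC'
#   Set-MmcSnapInAccess -GpoName 'Customer Services MMC' -SnapInName 'Active Directory Domains and Trusts' -Access Prohibited
#   Get-MmcEffectiveSnapInPolicy | Where-Object { -not $_.UsableIfRestrictAll } | Format-Table Name, Setting
```

Run the audit function on a workstation or server that already receives the OU's GPO, before enabling the explicit-permission requirement: every row with UsableIfRestrictAll set to False is a snap-in that administrators in that OU would lose, which is exactly the list the planning guidance above asks you to review and explicitly permit first.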
