restrict admins from running console from anywhere but management servers

All replies

  • MMCSnapIns2.admx  
    Group Policy Management Editor  
    User  
    Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy  
    HKCU\Software\Policies\Microsoft\MMC\{C11D2F3B-E2F4-4e5b-824B-84A87AB0F666}!Restrict_Run  
    At least Windows Server 2008  
    This policy setting permits or prohibits the use of this snap-in.
    If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
    If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console.
    An error message is displayed stating that policy is prohibiting the use of this snap-in.
    If this policy setting is not configured the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
    If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled users cannot use any snap-in except those explicitly permitted.
    To explicitly permit use of this snap-in enable this policy setting.
    If this policy setting is not configured or disabled this snap-in is prohibited.
    If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured users can use any snap-in except those explicitly prohibited.
    To explicitly prohibit use of this snap-in disable this policy setting.
    If this policy setting is not configured or enabled the snap-in is permitted.
    When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC.
    Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.

    MMCSnapins.admx  
    Group Policy Management  
    User  
    Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy  
    HKCU\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}!Restrict_Run  
    At least Windows Server 2003 operating systems or Windows XP Professional with SP1  
    This policy setting permits or prohibits the use of this snap-in.
    If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
    If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console.
    An error message is displayed stating that policy is prohibiting the use of this snap-in.
    If this policy setting is not configured the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
    If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled users cannot use any snap-in except those explicitly permitted.
    To explicitly permit use of this snap-in enable this policy setting.
    If this policy setting is not configured or disabled this snap-in is prohibited.
    If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured users can use any snap-in except those explicitly prohibited.
    To explicitly prohibit use of this snap-in disable this policy setting.
    If this policy setting is not configured or enabled the snap-in is permitted.
    When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC.
    Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.


    MMCSnapins.admx  
    Group Policy Object Editor  
    User  
    Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy  
    HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}!Restrict_Run  
    At least Windows 2000  
    This policy setting permits or prohibits the use of this snap-in.
    If you enable this policy setting the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console.
    If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management Console or run from the command line as a standalone console.
    An error message is displayed stating that policy is prohibiting the use of this snap-in.
    If this policy setting is not configured the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
    If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled users cannot use any snap-in except those explicitly permitted.
    To explicitly permit use of this snap-in enable this policy setting.
    If this policy setting is not configured or disabled this snap-in is prohibited.
    If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured users can use any snap-in except those explicitly prohibited.
    To explicitly prohibit use of this snap-in disable this policy setting.
    If this policy setting is not configured or enabled the snap-in is permitted.
    When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC.
    Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.

    MMC.admx  
    Restrict users to the explicitly permitted list of snap-ins  
    User  
    Windows Components\Microsoft Management Console  
    HKCU\Software\Policies\Microsoft\MMC!RestrictToPermittedSnapins  
    At least Windows 2000  
    Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.
    If you enable this setting all snap-ins are prohibited except those that you explicitly permit.
    Use this setting if you plan to prohibit use of most snap-ins.   
    To explicitly permit a snap-in open the Restricted/Permitted snap-ins setting folder and enable the settings representing the snap-in you want to permit.
    If a snap-in setting in the folder is disabled or not configured the snap-in is prohibited.
    If you disable this setting or do not configure it all snap-ins are permitted except those that you explicitly prohibit.
    Use this setting if you plan to permit use of most snap-ins.   
    To explicitly prohibit a snap-in open the Restricted/Permitted snap-ins setting folder and then disable the settings representing the snap-ins you want to prohibit.
    If a snap-in setting in the folder is enabled or not configured the snap-in is permitted.
    When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC.
    Also when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
    Note: If you enable this setting and you do not enable any settings in the Restricted/Permitted snap-ins folder users cannot use any MMC snap-ins.


    Don [doesn't work for MSFT, and they're probably glad about that ;]



    Monday, January 04, 2016 10:55 PM
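
Added example (not part of the original post and not Microsoft's code): a read-only PowerShell check that applies the precedence rules quoted above to the three snap-in GUIDs from the post, for the current user. It assumes the ADMX value mapping Restrict_Run 0 = Enabled (permitted), 1 = Disabled (prohibited), and RestrictToPermittedSnapins 1 = Enabled; the function and variable names are illustrative.

```powershell
# Added example: report the effective MMC snap-in policy for the current user.
# Read-only; it changes nothing in the registry.

$MmcPolicyKey = 'HKCU:\Software\Policies\Microsoft\MMC'

# Snap-in GUIDs exactly as listed in the post above.
$SnapIns = [ordered]@{
    'Group Policy Management Editor' = '{C11D2F3B-E2F4-4e5b-824B-84A87AB0F666}'
    'Group Policy Management'        = '{E12BBB5D-D59D-4E61-947A-301D25AE8C23}'
    'Group Policy Object Editor'     = '{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}'
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent ("Not configured").
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Resolve-SnapInState {
    param($RestrictRun, $RestrictToPermitted)
    # Assumed ADMX mapping: Restrict_Run 0 = Enabled (permit), 1 = Disabled (prohibit).
    if ($RestrictRun -eq 0) { return 'Permitted (explicitly enabled)' }
    if ($RestrictRun -eq 1) { return 'Prohibited (explicitly disabled)' }
    # Per-snap-in setting not configured: the global allow-list setting decides.
    if ($RestrictToPermitted -eq 1) { return 'Prohibited (not on the permitted list)' }
    return 'Permitted (no restriction configured)'
}

# Global "Restrict users to the explicitly permitted list of snap-ins" setting.
$global = Get-PolicyValue -Path $MmcPolicyKey -Name 'RestrictToPermittedSnapins'

foreach ($entry in $SnapIns.GetEnumerator()) {
    $run = Get-PolicyValue -Path "$MmcPolicyKey\$($entry.Value)" -Name 'Restrict_Run'
    [pscustomobject]@{
        User                       = "$env:USERDOMAIN\$env:USERNAME"
        Computer                   = $env:COMPUTERNAME
        SnapIn                     = $entry.Key
        Restrict_Run               = if ($null -eq $run) { 'Not configured' } else { $run }
        RestrictToPermittedSnapins = if ($null -eq $global) { 'Not configured' } else { $global }
        Effective                  = Resolve-SnapInState -RestrictRun $run -RestrictToPermitted $global
    }
}
```

Because these are User settings stored under HKCU, running the check as the same admin account on a management server and on an ordinary workstation shows whether the policy scoping produces different results on each.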
  • Thanks Don, would it work for specific consoles like SCOM ? SCCM ?

    How do we disable for everyone except specific users accessing those consoles from specific servers ?

    Monday, January 04, 2016 11:05 PM
  • > Thanks Don, would it work for specific consoles like SCOM ? SCCM ?
     
    Yes if you manage to identify the GUID of these consoles.
     
    > How do we disable for everyone except specific users accessing those
    > consoles from specific servers ?
     
    Loopback (merge or replace) or Group Policy Preferences with Item Level
    Targeting.
     
    Tuesday, January 05, 2016 1:19 PM
  • Is there a step by step I can follow to test ?
    Tuesday, January 05, 2016 5:43 PM
  • > Thanks Don, would it work for specific consoles like SCOM ? SCCM ?

    ConfigMgr2007 console does use MMC, so as Martin says, if you can identify the GUID for that, it should work.
    You may find the GUID by looking into:
    C:\PROGRAM FILES (X86)\MICROSOFT CONFIGURATION MANAGER CONSOLE\AdminUI\

    ConfigMgr2012 console does not use MMC, so this method will not help restrict that.

    I'm not familiar with the OpsMgr console details, sorry.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Wednesday, January 06, 2016 12:12 AM
  • Thanks Don. I found the GUID. I am more interested in SCOM at this point.


    Wednesday, January 06, 2016 12:16 AM
  • Hi,

    I agree with Don that SCOM may need other ways to restrict access.

    Have you tried creating user roles to restrict access to SCOM, then giving permissions to these SCOM user roles?

    You could take a look at the links below for more reference:
    https://technet.microsoft.com/en-us/library/bb735424.aspx?f=255&MSPPError=-2147217396
    http://blogs.technet.com/b/kevinholman/archive/2012/02/17/security-in-operations-manager-some-perspectives-and-typical-customer-scenarios.aspx



    Wednesday, January 20, 2016 5:27 AM
    Moderator