Administrator May Be Unable to Edit Group Policy in Windows 2000 Domain

Article translations Article translations
Article ID: 263166 - View products that this article applies to.
This article was previously published under Q263166
Expand all | Collapse all

SYMPTOMS

If you are an administrator, you may be unable to modify Group Policy in a Windows 2000 domain. In addition, if you attempt to start any tool located in Administrative Tools (including Group Policy Editor or saved custom consoles for Microsoft Management Console), the following error message may be displayed:
The snapin below, referenced in this document has been restricted by policy. Contact your administrator for details.
toolname
You may be able to run Mmc.exe, but you cannot add some snap-ins (they are not listed).

CAUSE

This behavior occurs because your user account is restricted with Group Policy. Depending on how the policy is configured, users with Administrator permissions may not be able to start Group Policy Editor (which is a Microsoft Management Console (MMC) snap-in) to modify Group Policy to allow access.

This behavior can occur if the following Group Policy is enabled at the domain level (for example, in the Default Domain Group Policy) without permitting the use of the Group Policy snap-in:
Restrict Users to the explicitly permitted list of snap-ins
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console)
You may also be unable to modify Group Policy if the Group Policy snap-in is disabled explicitly with one or both of the following Group Policies:
Group Policy snap-in
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy)

Administrative Templates (User)
(User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy)

RESOLUTION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows

To temporarily allow the use of the Group Policy snap-in, use the following steps:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following registry key:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
  3. Locate the RestrictToPermittedSnapins value and change it to 0.
  4. Quit Registry Editor.
  5. Try to start Group Policy Editor.
If you perform these steps and you still receive an error message when you attempt to use Group Policy Editor, use the following steps:
  1. Start Registry Editor (Regedt32.exe).
  2. Locate the following registry key:
    HKEY_CURRENT_USER\Software\Policies\Microsoft\MMC
  3. Change the Restrict_Run value to 0 in the following keys if they exist:
    {8FC0B734-A0E1-11D1-A7D3-0000F87571E3}

    {0F6B957E-509E-11D1-A7CC-0000F87571E3}
  4. Quit Registry Editor.
  5. Try to start Group Policy Editor.

STATUS

This behavior is by design.

MORE INFORMATION

The registry modifications described in this article are only temporary until Group Policy is reapplied (on a domain controller this is every 5 minutes by default).

To edit the policy that restricts access to Group Policy Editor, an administrator needs to be able to gain access to the Group Policy snap-in and the Administrative Templates under User Configuration. These items have the following Class IDs:
Administrative Templates(Users)
{0F6B957E-509E-11D1-A7CC-0000F87571E3}

Group Policy snap-in
{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}

Properties

Article ID: 263166 - Last Review: March 1, 2007 - Revision: 2.3
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
Keywords: 
kbenv kberrmsg kbprb KB263166

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com